Unbeknownst to vehicle drivers, newer cars record and store GPS data that can be retrieved, providing accurate location information going back years, security researchers have discovered.
Research and development engineer Romain Marchand of Paris-headquartered Quarkslab obtained a telematic control unit (TCU) that had been used in a BYD Seal vehicle from a salvage yard in Poland via an online marketplace.
Marchand tore down the TCU, which is based on a Qualcomm system on a chip, and extracted the Linux-based file system from the Micron multi-chip package (MCP) which contained NAND-based non-volatile storage memory.
The non-volatile storage contained sensitive information, including system configuration data and more importantly, logs that revealed the vehicle's GPS positions over time.
None of that information was encrypted, Marchand told iTnews, which made it possible to collect and retrieve sensitive data of interest.
What's more, the global navigation satellite system (GNSS) logs with GPS positions covered the BYD's full journey from the factory in China to its operational life in the United Kingdom, and to its final wrecking in Poland, Marchand explained in an analysis.
Marchand discovered a cluster of GPS positions at a single location that stood out from regular travel, suggesting a significant event at the time.
He was able to locate the address of the event and correlate it with a Facebook post showing a car accident that matched the GNSS data perfectly, featuring photos of a flipped-over BYD Seal.
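The kind of anomaly Marchand found, a cluster of fixes at one place that stands out from ordinary travel, can be flagged automatically when reviewing what a decommissioned unit still holds. The following is an added example, not code from the Quarkslab analysis; the log format and the coordinates are constructed, since the page does not describe the real log layout, and the dwell radius and minimum duration are assumed thresholds.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (hypothetical format; the real TCU log layout is not on the page):
SAMPLE_LOG = """2024-03-01T08:00:00Z,52.2000,21.0000
2024-03-01T08:05:00Z,52.2050,21.0100
2024-03-01T08:10:00Z,52.2100,21.0200
2024-03-01T08:15:00Z,52.2150,21.0300
2024-03-01T08:45:00Z,52.2151,21.0301
2024-03-01T09:15:00Z,52.2150,21.0299
2024-03-01T09:45:00Z,52.2149,21.0300
2024-03-01T10:15:00Z,52.2150,21.0301
2024-03-01T10:20:00Z,52.2200,21.0400
2024-03-01T10:25:00Z,52.2250,21.0500
"""

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))

def parse_gnss_log(text):
    """Return chronologically ordered (timestamp, lat, lon) fixes from 'ts,lat,lon' lines."""
    fixes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, lat, lon = line.split(",")
        fixes.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), float(lat), float(lon)))
    return sorted(fixes)

def find_dwell_clusters(fixes, radius_m=50.0, min_minutes=30.0):
    """Group consecutive fixes within radius_m of the group's first fix; keep groups lasting >= min_minutes."""
    clusters, i = [], 0
    while i < len(fixes):
        _, lat0, lon0 = fixes[i]
        j = i
        while j + 1 < len(fixes) and haversine_m(lat0, lon0, fixes[j + 1][1], fixes[j + 1][2]) <= radius_m:
            j += 1  # extend the group while the vehicle stays near the anchor fix
        minutes = (fixes[j][0] - fixes[i][0]).total_seconds() / 60
        if minutes >= min_minutes:
            members = fixes[i:j + 1]
            clusters.append({"start": fixes[i][0], "end": fixes[j][0], "minutes": minutes, "fixes": len(members),
                             "lat": sum(f[1] for f in members) / len(members), "lon": sum(f[2] for f in members) / len(members)})
        i = j + 1
    return clusters
```

Running `find_dwell_clusters(parse_gnss_log(SAMPLE_LOG))` on the constructed log yields one two-hour stop, the sort of event that a privacy review would then try to explain before a unit is resold or scrapped.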
"The telematics unit was more than a device; it was a data archive," Marchand wrote.
"Even after a vehicle is sold, damaged, or dismantled, logs and system events can remain accessible," he added.
The issue is not restricted to BYD, and Marchand added that the hardware architecture of the Chinese car maker's TCU is broadly similar to what can be found in other brands.
Complete data wiping on cars not feasible
Most new vehicles allow users to erase data by performing a factory reset, similar to what can be done on mobile phones and personal computers, but fully wiping all information is not possible, Marchand told iTnews.
"Some private evaluations showed that performing at least two factory resets on most IVI (in-vehicle infotainment systems) wipes personal data, although it is still possible to recover traces of deleted files," Marchand said.
However, the situation is more complex for the other electronic control units (ECUs) in cars that have no user interface.
"A complete memory wipe is not feasible with current architectures," Marchand said.
Asked whether the collection and storage of vehicle data is a concern for leasing and rental companies, Marchand agreed that it is a major one.
"The primary recommendation is to maintain strong digital hygiene, for example, in rental vehicles, performing a factory reset after each use," he said.
However, although some rental companies include this in their procedures, it is not always consistently enforced, he added.
Customers should also avoid connecting their phones to rental cars, Marchand suggested.
He pointed to a 2021 demonstration at the French BarbHack security conference that showed how it was possible to retrieve two-factor authentication codes and read text messages by tapping into a car's internal network.
How much of the captured data stays on vehicles and how much is sent to manufacturers is unclear, Marchand said.
"We do not have a complete view of the data exchanged between the vehicle and the manufacturer’s backend," Marchand said.
Nevertheless, in modern car architectures, data is stored within vehicles and then transmitted to manufacturers for statistical analysis to improve production processes.
Under the European Union's General Data Protection Regulation (GDPR) rules, certain data has to be anonymised before it goes to manufacturers, but for vehicle data, the situation is more complicated.
Some data remains linked to the vehicle for connected services such as navigation, assistance, predictive maintenance and over-the-air updates, as mandated by the UNECE R156 regulation, Marchand pointed out.
Some manufacturers and insurers can also offer personalised premiums based on driving behaviour, with data brokers collecting information on this to establish risk profiles.
BYD Australia-New Zealand was contacted by iTnews for comment on Quarkslab's findings, and on whether the GPS data stored in the TCU can be erased, but did not respond in time for publication.
Disable data sharing where possible: ASD
The Australian Signals Directorate (ASD) told iTnews that connected vehicles collect and transmit a wide variety of data in real time to manufacturers and third-party service providers.
"ASD recommends connected vehicle owners carefully review the privacy and data collection policies of the manufacturer, before deciding to buy a connected vehicle," an ASD spokesperson said.
"Owners should also disable vehicle data sharing where possible, and consider if the benefits of associated mobile apps for vehicles outweigh the potential risks of their use," the spokesperson added.
In February this year, Poland banned Chinese-made cars from entering military facilities, in the hope of limiting the potential collection of data such as location, video and audio.
Polish military personnel are also banned from connecting their phones to infotainment systems in Chinese-made vehicles.
Privacy watchdog acknowledges location data concerns
A spokesperson for the Office of the Australian Information Commissioner (OAIC) told iTnews that the Quarkslab research demonstrates concerns the privacy watchdog and many Australians hold about connected cars.
"The collection of location data enables the creation of a detailed picture of a vehicle's movements, which can on its own or when combined with other public or private data sources, result in serious threats to an individual's privacy and safety," the spokesperson said.
"It is essential that new devices or vehicles such as connected cars are subject to longstanding privacy and cyber security requirements, including those relating to data collection, retention and destruction."
The OAIC has not published specific guidance relating to telematics units and their usage, but it has provided general advice on connected vehicles on its website.