A cybersecurity researcher just pulled the memory chip from a scrapped BYD Seal and found every GPS coordinate the car ever recorded — starting from the factory floor in China. The data was unencrypted, permanently stored, and trivially easy to read.
That means every drive to work, every late-night stop, every route ever taken was sitting on a chip anyone with basic hardware skills could access. And there’s strong reason to believe your car — regardless of brand — does the same thing.
At a glance

| Spec | Detail |
|---|---|
| Vehicle tested | BYD Seal (scrapped unit from UK) |
| Data found | Complete GPS history from factory to scrapyard |
| Encryption level | None — plain text on memory chip |
| Data lifespan | Permanent — survives crash, resale, and scrapping |
| Research team | Quarkslab (Romain Marchand) |
| Related breach | Volkswagen exposed 800,000 vehicles’ data in 2024 |
| US regulation | Ban on Chinese connected vehicle tech — no domestic data rules |

What Quarkslab found inside a dead car is terrifying
Romain Marchand and his team at Quarkslab, a respected cybersecurity consultancy, started with a simple question: can you pull location data directly from a vehicle’s hardware? They sourced a Telematics Control Unit from a BYD Seal that had been wrecked in Cambridge, UK, and eventually scrapped in Poland. Using a custom adapter, they dumped the contents of the TCU’s memory chip.
What they expected to find was encrypted data requiring serious effort to crack. The real story is far worse. The data was completely unencrypted and straightforward to read. Every GPS coordinate from the car’s entire life was there — the factory in China, roads across the UK, and the Polish scrapyard where it ended up. Every stop, every movement, logged permanently.
They traced a crash from a memory chip to a Facebook post
The research didn’t stop at raw coordinates. Marchand’s team noticed a cluster of GPS points at a single location and cross-referenced the timestamp with publicly available information. That search led them to a Facebook post warning drivers to avoid Sturry Road in Cambridge because of a crash. The post included 3 photos of the BYD Seal flipped on its side.
From a dead chip in a scrapped car, they reconstructed the owner’s home address, workplace, daily routines, and the exact moment the vehicle was destroyed. Marchand’s team was careful not to publish everything, but they made it clear the data was rich enough to build a complete profile of the owner’s life. What started as a hardware check became a full-blown investigation.
Here’s the catch — your car probably does this too
I want to be clear about something. Marchand chose the BYD Seal partly because Chinese vehicles have raised security flags — Poland banned certain models from military bases, and the US implemented restrictions on Chinese connected vehicle tech. But nothing in this research suggests other manufacturers handle this data any better. The underlying hardware and architecture are similar across the industry.
Quarkslab’s team had to build a custom adapter for the BYD’s specific chips, but that’s a one-time problem. Many vehicles use the same microprocessors. Once someone maps the process for one brand, standardized tools and software methods follow quickly. The barrier to entry drops fast, and the data sitting on those chips doesn’t expire or self-destruct. It just waits.
What regulators aren’t saying about permanent vehicle surveillance
The EU has rules requiring over-the-air updates to patch security vulnerabilities in connected cars. That sounds proactive until you realize it does nothing about data already baked into hardware. The US situation is even thinner. Washington banned Chinese connected vehicle technology but has no meaningful domestic regulation covering how American automakers store or protect the same type of location data on their own vehicles.
The real concern isn’t just hackers or foreign governments. It’s the structural reality that every connected car sold in the last decade is likely carrying a permanent, unencrypted record of everywhere it has ever been. Sell your car, trade it in, wreck it — the data survives. And right now, there’s no law in the United States requiring any manufacturer to encrypt it, limit it, or delete it.
How connected car privacy compares across brands

| Brand | Known data incidents | TCU encryption (reported) | Data deletion policy | Privacy edge |
|---|---|---|---|---|
| BYD | Unencrypted GPS logs confirmed | None found | No deletion — permanent storage | Worst confirmed |
| Volkswagen | 800,000 cars exposed online | Cloud-side only | Unclear | Cloud vulnerability |
| Tesla | Multiple researcher breaches | Partial | Manual request only | Better but imperfect |
| Toyota | 2.15 million records exposed (2023) | Partial | Limited compliance | Improving slowly |

Why this matters
- Every connected car is a permanent surveillance device by default.
- No US law requires automakers to encrypt or delete stored location data.
- Secondhand car buyers inherit the previous owner’s complete GPS history.
The verdict
This research confirms what privacy advocates have warned about for years — connected cars are rolling data archives with almost no protection at the hardware level. If you drive a modern vehicle with GPS, your location history is likely stored permanently on a chip that anyone with moderate technical skill can read. The industry needs mandatory encryption standards and data expiration rules before this becomes a tool for stalkers, insurers, and bad actors at scale. Until regulators act, every connected car on the road is a privacy liability that never forgets.
I’d encourage you to check your vehicle’s privacy settings today, request data deletion from your manufacturer if the option exists, and push your representatives to support connected vehicle privacy legislation. This isn’t a future problem — it’s happening right now in every car on every road.
