Forensic Analysis Reveals Old Cars Are Vast Data Storage Units, Tracking Journeys Through Unencrypted Logs

The increasing integration of electronics and connectivity features into modern automobiles means that cars are rapidly transitioning from mere mechanical conveyances into mobile data platforms. This evolution, while providing consumer benefits ranging from enhanced safety features to advanced infotainment systems, introduces serious and often overlooked cybersecurity vulnerabilities. The data generated by these vehicles, including constant location tracking, operational performance metrics, and user behavioral profiles, is highly sensitive. When stored without proper encryption or robust deletion protocols, this data presents a significant surveillance risk.

This risk was demonstrated by the work of Romain Marchand, a research and development engineer at Quarkslab, headquartered in Paris. Marchand acquired a telematic control unit (TCU), the central brain for connectivity in a modern vehicle, from a salvage facility in Poland. After dismantling the TCU, which was built around a Qualcomm system-on-a-chip, Marchand extracted the embedded Linux-based file system. The storage device, a Micron multi-chip package (MCP) with NAND-based non-volatile memory, held more than temporary logs: it retained sensitive information years after the vehicle was retired and supposedly taken out of circulation.

According to Marchand's analysis presented to iTnews, the most alarming discovery was the absence of encryption. The stored data was unencrypted, meaning that anyone with physical access to the unit and the right technical tools could retrieve highly sensitive details. The recovered logs included Global Navigation Satellite System (GNSS) data in the form of detailed GPS coordinates, which together traced the car's complete history. Marchand explained that the preserved GNSS logs covered the entire documented journey of a BYD vehicle, from its assembly plant in China, through its operational life in the United Kingdom, to its final dismantling and scrapping in Poland.

Marchand cautioned that the methodology and findings were not limited to the specific BYD model used in the example. He noted that the hardware architecture of this Chinese automobile manufacturer's TCU follows a broadly similar design pattern to those found across other global automotive brands. This suggests that the vulnerability is systemic, pointing to a failure in industry practices for data retention and lifecycle management in connected vehicles. Experts warn that continued reliance on easily accessible, unencrypted data storage in vehicle units poses a significant threat to personal privacy, corporate security, and national infrastructure integrity.