
Dead Cars Tell Tales by Storing Data That's Never Wiped
Why It Matters
Persistent location data can be harvested long after a vehicle is sold or wrecked, exposing owners to privacy and security threats. The issue forces regulators, manufacturers, and fleet operators to rethink data‑retention policies and consumer safeguards.
Key Takeaways
- BYD Seal TCU stored unencrypted GPS logs spanning years
- Researchers recovered location data from a salvaged car in Poland
- Factory resets cannot fully erase vehicle telematics memory
- Rental fleets risk privacy breaches without strict data hygiene
- Regulators urge owners to disable data sharing in connected cars
Pulse Analysis
The Quarkslab teardown of a BYD Seal telematics control unit (TCU) underscores a hidden vulnerability in modern connected cars: raw GPS coordinates are archived on non‑volatile memory without encryption. By extracting the Linux‑based file system from the Micron MCP, researchers reconstructed a detailed travel log that spanned continents and years, proving that vehicle data persists well beyond the point of sale or accident. This finding is not an isolated flaw; many manufacturers employ similar hardware architectures, meaning any decommissioned vehicle could become a data source for malicious actors or invasive profiling.
Beyond the technical curiosity, the incident raises profound regulatory and privacy questions. While the EU’s GDPR mandates anonymisation of personal data before transmission, the UNECE R156 regulation permits certain location data to remain linked to the vehicle for services like navigation and OTA updates. The lack of clear guidance on in‑vehicle data deletion creates a gray area where manufacturers may retain sensitive logs indefinitely. Recent actions, such as Poland’s ban on Chinese‑made cars in military facilities, illustrate growing geopolitical sensitivity to vehicle‑derived intelligence.
For stakeholders, the path forward involves layered safeguards. Manufacturers should implement end‑to‑end encryption for telematics storage and provide verifiable wipe procedures that go beyond superficial factory resets. Rental and leasing firms need strict digital hygiene protocols, including mandatory resets after each use and limiting phone connections to infotainment systems. Consumers, meanwhile, should audit privacy settings, disable unnecessary data sharing, and stay informed about the trade‑offs between connected‑car convenience and personal privacy. As connected vehicles become ubiquitous, robust data‑governance will be essential to maintain trust and comply with evolving global standards.
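One way a fleet operator or dismantler could check the "verifiable wipe" point above is to scan a raw image of the telematics storage for position records that are still readable. The sketch below is an added example, not Quarkslab's or BYD's code. It assumes the positions were logged as plaintext NMEA 0183 sentences (the page does not state the log format), and all function names and sample bytes are constructed for illustration.

```python
import re
from functools import reduce

# Position sentences (RMC/GGA) from any GNSS talker: '$' body '*' two-hex checksum.
NMEA_RE = re.compile(rb"\$(G[PNLAB](?:RMC|GGA),[\x20-\x29\x2b-\x7e]{10,90})\*([0-9A-Fa-f]{2})")

def xor_checksum(body: bytes) -> int:
    """NMEA checksum: XOR of every byte between '$' and '*'."""
    return reduce(lambda acc, b: acc ^ b, body, 0)

def frame(body: bytes) -> bytes:
    """Build a checksum-valid sentence; used here only to construct sample data."""
    return b"$" + body + b"*%02X" % xor_checksum(body)

def to_degrees(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmmm plus hemisphere to signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[:dot - 2]) + float(value[dot - 2:]) / 60
    return -degrees if hemisphere in ("S", "W") else degrees

def residual_fixes(image: bytes) -> list:
    """Return (offset, lat, lon) for every checksum-valid fix left in a raw image."""
    hits = []
    for m in NMEA_RE.finditer(image):
        body = m.group(1)
        if xor_checksum(body) != int(m.group(2), 16):
            continue  # look-alike bytes or a partially overwritten sentence
        f = body.decode("ascii").split(",")
        i = 3 if f[0].endswith("RMC") else 2  # index of the latitude field
        try:
            hits.append((m.start(), to_degrees(f[i], f[i + 1]), to_degrees(f[i + 2], f[i + 3])))
        except (ValueError, IndexError):
            continue  # sentence logged without a position fix
    return hits

def wipe_verified(image: bytes) -> bool:
    """A wipe passes only if no recoverable position sentence remains."""
    return not residual_fixes(image)

# Constructed sample images, not data from any vehicle.
RMC = frame(b"GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W")
DAMAGED = RMC.replace(b"4807", b"4808")  # body altered, checksum no longer matches
AFTER_RESET = b"\x00" * 64 + RMC + b"\r\n" + b"\xff" * 32 + DAMAGED
AFTER_ERASE = b"\xff" * 256

if __name__ == "__main__":
    for name, img in (("after reset", AFTER_RESET), ("after erase", AFTER_ERASE)):
        print(name, "PASS" if wipe_verified(img) else residual_fixes(img))
```

A pass from this check only rules out plaintext NMEA sentences; positions kept in a binary or database format need a format-specific check.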