Scrapped Cars Still Hold Sensitive Data, Research Finds

Security researchers have uncovered significant privacy risks in modern connected vehicles, revealing that scrapped cars can retain years of sensitive data—including detailed GPS location histories.

Telematics Units Store Extensive Vehicle Data

Research conducted by Romain Marchand of Quarkslab found that telematics control units (TCUs) in vehicles can act as long-term data archives.

After acquiring a TCU from a salvaged BYD Seal, Marchand extracted its Linux-based file system and discovered unencrypted data stored in non-volatile memory.

The data included:

  • System configuration details
  • Operational logs
  • Extensive GPS location history

The GPS records traced the vehicle’s journey from manufacturing in China to usage in the UK and eventual disposal in Poland—demonstrating the depth and persistence of stored data.

Privacy Risks Extend Beyond a Single Manufacturer

While the findings were based on a BYD vehicle, researchers note that similar telematics architectures are widely used across the automotive industry, suggesting a broader systemic issue.

“The telematics unit was more than a device—it was a data archive,” Marchand said, highlighting how data can remain accessible long after a vehicle is sold or dismantled.

Data Wiping Remains a Challenge

Although many modern vehicles offer factory reset options, fully erasing stored data is not always possible.

Marchand noted that:

  • Multiple resets may reduce visible data but traces can remain
  • Some electronic control units (ECUs) lack user interfaces for data deletion
  • Current vehicle architectures do not support complete memory wiping

This creates ongoing risks for vehicle owners, leasing companies, and rental operators.

Risks for Rental and Used Vehicle Markets

The issue is particularly concerning for shared and second-hand vehicles, where sensitive user data may persist across multiple users.

Researchers recommend:

  • Performing factory resets after each use (where possible)
  • Avoiding connecting personal devices to rental vehicles
  • Practicing strong digital hygiene

Previous demonstrations have shown that vehicle systems can even expose sensitive information such as text messages and authentication codes through internal network access.

Data Sharing and Regulatory Complexity

Modern vehicles not only store data locally but also transmit information to manufacturers for analytics, predictive maintenance, and connected services.

However, the extent of data sharing remains unclear.

Under the General Data Protection Regulation (GDPR), certain data must be anonymized, but connected vehicle ecosystems often require persistent data linkage for services such as navigation and over-the-air updates.

Regulations such as UNECE R156 further complicate the landscape by mandating connected functionality.

Government and Regulatory Response

The Australian Signals Directorate has advised consumers to review vehicle data policies and disable data sharing where possible.

Meanwhile, the Office of the Australian Information Commissioner warned that location data collected by vehicles can create detailed movement profiles, posing serious risks to individual privacy and safety.

Growing Concerns Around Connected Vehicles

The findings come amid increasing scrutiny of connected vehicle security, with some governments taking precautionary measures. For example, Poland has restricted certain vehicles from entering military facilities due to concerns over data collection.

A Call for Stronger Safeguards

As vehicles become more connected and data-driven, experts say stronger privacy protections, clearer data ownership policies, and improved deletion mechanisms will be critical.

Without these safeguards, connected cars risk becoming long-term repositories of sensitive personal data—long after they leave the road.
