Security Researcher Recovers Unencrypted GPS Location History from Salvaged Vehicle Telematics Unit

Unencrypted GPS Logs Recovered from Salvaged Connected Car

A security researcher has recovered detailed, unencrypted GPS location logs from a salvaged vehicle's telematics unit. The data, which traced the vehicle's journey from its factory to a salvage yard, has prompted official statements on data privacy concerns for connected vehicles. The vehicle manufacturer did not respond to requests for comment.

The Discovery

Security researcher Romain Marchand of Quarkslab obtained a Telematics Control Unit (TCU) from a salvaged BYD Seal vehicle, sourced via an online marketplace. The unit originated from a salvage yard in Poland.

Upon analysis, Marchand extracted the device's Linux-based file system from its non-volatile NAND storage. The storage contained system configuration data and GNSS (Global Navigation Satellite System) logs, which were not encrypted.

The Recovered Data

The unencrypted GPS logs provided a location history of the vehicle. The data covered its journey from the factory in China, through its operational life in the United Kingdom, to its final location at the salvage yard in Poland.

Marchand identified a cluster of GPS positions at a single location. He correlated this data with a publicly available Facebook post that showed a car accident involving a flipped BYD Seal vehicle, confirming the data's accuracy.

Technical Architecture and Data Management

The TCU was based on a Qualcomm system-on-a-chip. Marchand stated that the hardware architecture of the BYD TCU is broadly similar to units found in vehicles from other manufacturers.

Regarding data management, Marchand stated that while most new vehicles allow users to perform factory resets on in-vehicle infotainment (IVI) systems to erase personal data, a complete memory wipe of all Electronic Control Units (ECUs) in a vehicle is not feasible with current automotive electronic architectures. He noted that traces of deleted files may remain recoverable, and other ECUs lack user interfaces for data deletion.

Marchand described the telematics unit as a "data archive," noting that logs can remain accessible even after a vehicle is sold, damaged, or dismantled. He stated it is unclear how much captured data stays on vehicles versus being transmitted to manufacturers, citing a lack of complete visibility into data exchanges with manufacturer backends.

Official Recommendations and Regulatory Context

In response to the findings, official bodies issued recommendations:

  • The Australian Signals Directorate (ASD) recommends that connected vehicle owners review manufacturer privacy and data collection policies before purchase, disable data sharing where possible, and consider whether the benefits of associated mobile apps outweigh potential risks.
  • The Office of the Australian Information Commissioner (OAIC) stated the research demonstrates concerns about connected cars, noting that the collection of location data can create detailed pictures of vehicle movements, which may threaten individual privacy and safety.

The OAIC emphasized it is essential that connected cars are subject to privacy and cybersecurity requirements relating to data collection, retention, and destruction.

The regulatory context for vehicle data is complex. Under the European Union's General Data Protection Regulation (GDPR), certain data must be anonymized before transfer to manufacturers. However, some data remains linked to the vehicle for connected services such as navigation, assistance, and over-the-air updates, as mandated by the UNECE R156 regulation. Data on driving behavior can be collected by insurers and data brokers to establish risk profiles for personalized insurance premiums.

Related Actions and Response

In February 2024, Poland banned Chinese-made cars from entering military facilities to limit potential collection of data such as location, video, and audio. Polish military personnel are also banned from connecting phones to infotainment systems in such vehicles.

BYD Australia-New Zealand was contacted for comment on Quarkslab's findings and on whether GPS data stored in TCUs can be erased. The company did not respond by the publication deadlines.