Your car knows more about you than you think, and it is not keeping quiet about it.
Most drivers know their smartphones are tracking them. Many even accept that their smart TVs, fitness trackers, and home assistants are collecting data in the background. But the family car? That still feels like neutral territory to a lot of people, a machine that takes you places without reporting back to anyone. That assumption, it turns out, is dangerously out of date. Modern vehicles have evolved into rolling data collection platforms, quietly logging every route, every stop, and every mechanical hiccup, sometimes for the entire lifespan of the vehicle.
What makes this especially unsettling is not just that the data exists. It is how easy it is to access. A team of white hat hackers recently demonstrated that recovering years of precise GPS tracking data from a used car module requires no hacking genius, no expensive lab equipment, and no access to private corporate databases. All they needed was a secondhand electronic component, a few open-source software tools anyone can download for free, and a little patience. The results were startling enough to serve as a wake-up call for drivers, regulators, and automakers alike.
The test subject was a telematics unit pulled from a wrecked BYD Seal, the popular Chinese electric sedan. The researchers bought the module used, which was actually the point. A brand-new unit would have no trip history to examine. A used one, however, is practically a diary. What they found inside that little box of circuits was a complete, unencrypted account of the car’s entire existence, from the factory floor in China, through years of driving in the United Kingdom, to its final destination at a salvage yard in Poland. Every road taken, every long pause, every detour, all of it preserved in plain text and perfectly readable.
That is not just a privacy concern for BYD owners. It is a preview of what could be lurking inside virtually any modern vehicle sold in the past two decades.
What Is a Telematics Module and Why Does It Know So Much?
A telematics module is essentially the communications brain of a modern car. It handles the connection between the vehicle and external networks, whether that is a cellular signal for emergency SOS calls, over-the-air software updates, or remote diagnostics that let dealerships check on a car’s health before you even pull into the service bay.
Because it needs to know where the car is and what the car is doing, the module also includes a GPS receiver and logging software that records far more than most owners ever realize. Depending on the make, model, and software version, that data can include precise GPS coordinates updated at regular intervals, timestamps for every time the vehicle is powered on or off, engine health data, emissions fault codes, fluid life estimates, and event data from accidents that captures what was happening in the moments before a crash.
The researchers accessed the BYD unit by wiring up a custom harness to interface with its memory chips directly, since they did not have a manufacturer-issued diagnostic adapter. From there, they used a freely available tool called ubireader to extract the full filesystem from the module’s memory partitions. No jailbreak required. No corporate credentials needed. The data was simply sitting there, unprotected.
How Hackers Reconstructed Every Mile the Car Ever Traveled
Once the researchers had the raw filesystem, the real detective work began. The GNSS logs (that stands for Global Navigation Satellite System, the broader category that GPS belongs to) contained a continuous record of the vehicle’s coordinates stretching back to the day it rolled off the assembly line.
Plotting those coordinates on a map revealed the car’s full geographic biography. The route from the Chinese factory. The shipping path. Years of daily driving patterns across the UK. And then the long, final journey to the Polish dismantler.
Here is where it gets genuinely impressive, and more than a little unnerving. At one point, the data showed a cluster of GPS returns at a single location in the UK over an extended period of time, a big red flag that something unusual had happened. The car had apparently just stopped moving in the middle of a road. The researchers ran a simple Google search filtered by date, and within minutes they had found social media posts documenting an overturned BYD Seal that had been involved in a collision at that exact location. The car was lying on its side. The GPS had faithfully recorded the whole thing.
This is what researchers call OSINT, or Open-Source Intelligence. It means using publicly available information, social media, news archives, mapping tools, to connect dots without needing any special access. Combine OSINT with unencrypted vehicle data and you have a remarkably powerful reconstruction tool that anyone with moderate technical skills could use.
What We Can Learn From This Incident
The BYD experiment is a controlled, ethical demonstration, but it points directly at a much larger problem that the automotive industry has been slow to address.
First and most obviously, unencrypted data storage in vehicle modules is a serious gap. Encryption is not a new or expensive technology. The fact that a telematics unit manufactured for a major global automaker in the 2020s was storing GPS logs in plain text is the kind of thing that should not be happening in an era when even basic consumer apps encrypt their local storage. Automakers and regulators are starting to demand better practices, but there is a huge installed base of older vehicles out there that will never receive a retrofit.
Second, the secondhand market creates a persistent privacy risk. When you sell a car, trade it in, or send it to a salvage yard, you are potentially handing over years of your location history to whoever ends up with that telematics module. Most people wipe their phones before selling them. Almost nobody thinks to wipe their car’s computer. In many cases, that is not even an option available to the owner without dealership-level tools.
Third, this is not a BYD-exclusive problem. The researchers chose a BYD Seal partly because it is a Chinese-manufactured vehicle with particular geopolitical implications around data security, but the underlying vulnerability, unencrypted module storage, has appeared in vehicles from major Western and Japanese manufacturers as well. Even Tesla, a company that markets itself heavily on software sophistication, has faced similar scrutiny in the past.
The lesson is not necessarily to panic. It is to stay informed, ask hard questions when buying or selling vehicles, and push for stronger regulatory standards around automotive data storage and deletion rights.
So What Can You Actually Do About It?
The honest answer is that your options are limited if you want a modern car with modern features. Connectivity, navigation, and safety systems are deeply integrated into contemporary vehicle design, and most of the data collection is happening at a level you cannot access or control through the infotainment screen.
A few practical considerations are worth keeping in mind. Older vehicles, particularly those built before the widespread adoption of embedded telematics in the mid-2000s, carry significantly less of this data risk. If you are privacy-conscious and the latest driver assistance features are not a priority, buying older and simpler is a genuine option.
If you are selling a vehicle, it is worth asking the dealership or a trusted mechanic whether a factory reset of the infotainment and telematics systems is possible and what it actually clears. In most cases, a reset wipes your personal accounts and saved destinations, but the deeper GPS log history in the telematics module itself may remain untouched.
And if you are buying used, particularly from private sellers or salvage auctions, it is worth being aware that the previous owner’s driving history may come along for the ride, literally stored in the hardware you just purchased.
The cars are listening. They always have been. The question is who else is listening along with them.