Driving Blind: The Hidden Privacy Risks in Your Vehicle
The local vehicle junkyard is a treasure chest for classic car hobbyists and garage owners looking for hard-to-find spare parts. But also hiding in plain sight among the wrecked chassis and scrap metal is a cornucopia of private information which – if it falls into the wrong hands – could be used to expose drivers’ intimate secrets and personal details.
This is because the cars we drive have morphed into mobile computing hubs that collect, process, and exchange enormous amounts of vehicle data. With the addition of vehicle microphones, cameras and other sensors, the magnitude of private information collected by software-defined vehicles (SDVs) has never been higher. If you’re driving a smart SDV, chances are your privacy is at risk.
As consumers and regulators become more aware of the data being gathered by car manufacturers and application providers, data privacy is evolving into a “must have” feature for OEMs and consumers.
Vehicle junkyard or hacker’s paradise?
Recent security research published by the PlaxidityX Threat Research Lab shows exactly how vehicle software and poor data security practices expose the privacy of drivers’ personal data. The report findings demonstrate the alarming ease with which highly sensitive personal information – including driver locations, contact details, family healthcare information, work addresses, and even Spotify music preferences – can be extracted from a highly popular Chinese electric vehicle.
The goal was to explore how deep a hacker could penetrate into a person’s private life by simply examining the data collected by their car. We started our journey at the local vehicle junkyard. Our haul included an unwiped multimedia head unit (IVI) from a 2023 model BYD ATTO 3. This was a perfect research candidate – both due to the model’s popularity and the fact that Chinese OEMs are generally less meticulous when it comes to data privacy.
We connected to the IVI in our laboratory and started to investigate the data it stores and processes. To our surprise, none of the information was encrypted or zipped, nor were strong passwords used. This sets a dangerously low bar for any hacker looking to access the data and log files. The message for drivers is clear – don’t assume the data your vehicle collects is protected and don’t think this couldn’t happen to you.
During our research, we also discovered a faulty encryption implementation in the system log dump feature of BYD’s DiLink 3.0 OS (e.g. in the ATTO 3 model). This vulnerability was responsibly disclosed to BYD and subsequently published by ASRG (CVE-2025-7020).
A cornucopia of private information
The magnitude and level of detail of private data we found in the vehicle logs were mind-blowing. The data taken from the driver’s phone included a full contact list with metadata indicating relationships. For example, we found the names and contact details of her father, mother and siblings. We learned she has a neonatal doctor, which means she has a baby, and we know the name of her pharmacist. Her favorite radio stations and Spotify songs let us know that she is a fan of Sabrina Carpenter and Billie Eilish.
We were also able to extract her full cellular identity (CCID, IMSI, MAC and IMEI), which has far-reaching implications with respect to potential identity theft and other privacy violations.
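On the OEM side, the mitigation for identifiers ending up in plaintext logs is to scrub them before the line is written. The sketch below is an added example, not PlaxidityX or BYD code: it replaces IMEI, IMSI, ICCID (assumed here to be what the article calls CCID) and MAC values with keyed pseudonyms so logs stay usable for troubleshooting, and coarsens GPS fixes to two decimals (roughly 1 km). The log format, sample lines and key are constructed for illustration.

```python
import hashlib
import hmac
import re

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
DIGITS_RE = re.compile(r"(?<!\d)\d{15,20}(?!\d)")
GPS_RE = re.compile(r"(?<![\d.])(-?\d{1,3}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})")

def luhn_ok(digits):
    """Luhn checksum; the last digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(run):
    """Guess which cellular identifier a digit run is, or None."""
    if run.startswith("89") and len(run) >= 19:  # ICCIDs start with 89
        return "ICCID"
    if len(run) == 15:  # IMSI has no check digit; both kinds get scrubbed
        return "IMEI" if luhn_ok(run) else "IMSI"
    return None

def scrub_line(line, key):
    """Return (scrubbed_line, kinds_found) for one log line."""
    found = []
    def token(kind, value):
        # Keyed pseudonym: stable per device key, not reversible without it.
        found.append(kind)
        tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
        return f"<{kind}:{tag}>"
    def digits(m):
        kind = classify(m.group())
        return token(kind, m.group()) if kind else m.group()
    def gps(m):
        found.append("GPS")
        return f"{float(m.group(1)):.2f},{float(m.group(2)):.2f}"
    line = MAC_RE.sub(lambda m: token("MAC", m.group().lower()), line)
    line = DIGITS_RE.sub(digits, line)
    line = GPS_RE.sub(gps, line)
    return line, found

# Constructed sample lines (not taken from any real vehicle log).
SAMPLE = [
    "modem: imei=490154203237518 imsi=001010123456789",
    "modem: iccid=89014103211118510720 wifi_mac=3C:5A:B4:01:02:03",
    "nav: fix 52.520008,13.404954 speed=42",
    "audio: volume=7",
]
KEY = b"constructed-per-device-key"  # assumption: provisioned per vehicle
```

Running `scrub_line` over an existing log dump and checking for a non-empty `kinds_found` also works as a release or pre-resale check that no raw identifiers remain.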
A year’s worth of GPS tracking data informed us of every place she visited over the past year within one block based on her car’s location. This could allow a hacker to create a heat map from which to deduce a driver’s home address, place of work or even the meeting place for a suspected affair.
We used her phone number to retrieve her selfie from her Truecaller caller ID and spam blocking app. This is just one of many widely available methods that can be used to immediately translate a phone number into an owner’s name and picture. Selfies can also be obtained by hacking into internal car cameras used to monitor driver alertness (our research didn’t explore this vector).
Your private information might be on its way to China
Our research showed that a driver’s private information can be accessed by any hacker in a straightforward manner from any BYD without the need for sophisticated tools. What’s more, we saw that all this information is being reported in an ongoing manner to Chinese servers via a pre-installed GSM modem. For BYD drivers, this fact alone might be sufficiently disturbing to prompt them to ask BYD not to report their information.
At the geopolitical level, this flow of private information to China could raise serious national security and cyber espionage concerns. The US Department of Commerce final rule banning the sale or import of connected vehicle hardware and software originating from China or Russia has heightened awareness of the need to restrict data flows to foreign adversaries. In this context, personal information collected from vehicles could potentially be used to compromise government or military officials.
Data privacy enforcement for vehicles is still behind the curve
Data privacy regulations, most notably GDPR, are designed to give individuals more control over their personal data—i.e., any information relating to an identified or identifiable natural person—and to establish a single set of data protection rules across the EU. Unlike other commercial sectors, enforcement of data privacy regulations in the automotive industry still appears to be in the formative stages.
Research by Mozilla stated that modern cars are “the worst product category we have ever reviewed for privacy,” due to poor data protection practices by OEMs. Despite almost every automotive vendor appearing on Mozilla’s “Privacy Not Included” list, only three fines have so far been issued to automotive companies under GDPR:
- In 2022 VW was fined €1.1 million for using footage of pedestrians to train its ADAS system without getting consent
- In 2023 Volkswagen Leasing GmbH was fined €40,000 for failing to provide a customer with his private data held by the company
- In 2024 Toyota Bank Polska, Toyota’s Polish financing subsidiary, was fined €18,000 for failing to report a data breach within the required 72 hours after the breach
What’s behind this discrepancy? A big reason is the lack of specific requirements on how to protect the data (i.e., encryption). While GDPR does define minimal required security measures for transmitting and storing private data, GDPR does not focus on protecting consumers (or businesses) from a bad actor (this is covered by other regulations such as UNR 155).
For example, the regulation does not specify the encryption strength. Thus, if the OEM sets the Wi-Fi password as 1 2 3 4 5 6, it has complied with the requirement for a password. But this does not mean that your data is protected.
Moreover, data privacy regulations require companies to explicitly ask users for consent to collection of private information such as location and contacts. In our research, even after resetting the unit to factory default, we were not prompted for this type of consent. We also confirmed that this omission is still prevalent in BYD vehicles on the road today.
Implications for car owners
Responsibility for improving data protection goes beyond the OEMs. Say you’re vacationing in Europe for two weeks with a rental car. Are you sure you want to connect your phone to the car’s multimedia system? Do you really want to take the chance that your data might be exposed or reported to a backend server? Do you know the level of data protection for the vehicle you rented? Probably not.
Driver awareness is crucial for protecting personal information. If you absolutely must hook up your phone in a rental car, make sure that you (or the rental company) wipe all the data when you return the vehicle. The same risk exists for OEM-backed leasing arrangements, or even when you sell your privately-owned car. Before your car changes hands, verify that all your personal and driving behavior data is wiped clean.
Bottom Line
The PlaxidityX research leaves no doubt that vulnerabilities in automotive software subject drivers to real risks by exposing their most intimate personal information to hackers and OEMs in China and elsewhere.
And the issue isn’t going away. Vendors will continue to collect data in order to improve their offerings, troubleshoot their products and extend their monetization avenues. Users are willing to share their personal information, provided they are given good products and services in return.
Part of the solution is greater transparency between consumers and OEMs. Vendors should work to implement – and customers should demand – clearer communication regarding what information is collected, to what extent and for what purpose. One example would be a standard that defines a method for requesting consent at the moment of collection, similar to Android’s “dangerous permissions” mechanism.
Awareness of this risk is crucial for making sure that OEMs take the right steps to protect drivers’ private data. While safety will always come first, we expect data protection to become a key competitive requirement for OEMs moving forward.
Published: October 27th, 2025