BYD is the world’s biggest maker of electric vehicles and recently hit the headlines by overtaking American giant Ford in global sales.
Researchers at cybersecurity company Quarkslab removed microchips from the onboard telematics unit of a BYD Seal sold in Britain and subsequently dismantled in Poland after a crash.
The car’s GPS data was recorded several times a second and stored alongside the time it was recorded, according to the researchers, allowing them to recreate a map of its life, including the crash that led the car to be written off.
Romain Marchand, an analyst at Quarkslab, said: “By parsing the GNSS [location] logs, we reconstructed the full life of the vehicle from its production in a factory in China, through its operational life in the United Kingdom, to its final dismantling in Poland.
“Every movement and stop along the way is captured in the logs, giving a complete picture of the vehicle’s journey.”
Ken Munro, of cyber security group Pen Test Partners, said that while many cars store location data, “these are generally well secured”.
He added: “The major flaw with this particular telematics unit is that it was relatively easy to extract location data from. With a little more effort at security by the manufacturer, this should not have been possible.
“It comes to a question of trust; do we trust Chinese manufacturers with our location data? We are clearly more comfortable with US and European brands doing so.”
Munro suggested that the vulnerability could break EU laws requiring radio equipment to have safeguards protecting personal data. The Radio Equipment Directive also applies in Northern Ireland.
He said Pen Test Partners had recently carried out testing for a Western carmaker to make sure it complied with the laws and found it had significantly greater privacy protections.
BYD says it does not send personal data from Europe or the UK to China.
John Hemmings, of the Henry Jackson Society, a national security think tank, said: “There are very serious concerns with Chinese BYD vehicles as they are essentially computers on wheels.
“There should be serious restrictions about their use by government ministers whose conversations are at risk of capture and by military officials whose work might require them to drive inside bases and other secure locations.”
BYD said it complied with security regulations, that it protected location data stored on the vehicle, and did not send it over the internet.
It said it collected personal data “solely for the purpose of providing services to the user”, that “no historical data is stored on our cloud servers”, and that “BYD attaches great importance to user privacy”.
– The Telegraph




