- Joined
- Jul 10, 2008
- Messages
- 67,376
- Points
- 113
telegraph.co.uk
James Titcomb
4–5 minutes
Electric cars made by a best-selling Chinese brand are recording drivers’ every journey and storing them forever, it has emerged.
Security researchers were able to extract the entire location history of a BYD Seal car sold in the UK, from its production in China to its eventual dismantling.
While the company said it was not transmitting location data overseas, experts said the ease with which location history could be obtained represented a security risk.
Chinese electric vehicles (EVs) have raised security concerns in the past, and have been largely excluded from the US market and banned from military bases in Poland.
Britain has welcomed the arrival of cheap Chinese cars, resisting pressure to put tariffs on them, although EVs are banned from some military sites owing to security fears.
BYD is the world’s biggest maker of electric cars and sold 51,422 vehicles in Britain last year.
Researchers at cybersecurity company Quarkslab removed microchips from the onboard telematics unit of a BYD Seal sold in Britain and subsequently dismantled in Poland after a crash.
The car’s GPS data were recorded several times a second and stored alongside the time it was recorded, according to the researchers, allowing them to recreate a map of its life, including the crash that led the car to be written off.
Romain Marchand, an analyst at Quarkslab, said: “By parsing the GNSS [location] logs, we reconstructed the full life of the vehicle from its production in a factory in China, through its operational life in the United Kingdom, to its final dismantling in Poland.
“Every movement and stop along the way is captured in the logs, giving a complete picture of the vehicle’s journey.”
He added: “The major flaw with this particular telematics unit is that it was relatively easy to extract location data from. With a little more effort at security by the manufacturer, this should not have been possible.
“It comes to a question of trust; do we trust Chinese manufacturers with our location data? We are clearly more comfortable with US and European brands doing so.”
Mr Munro suggested that the vulnerability could break EU laws requiring radio equipment to have safeguards protecting personal data. The Radio Equipment Directive also applies in Northern Ireland.
He said the company had recently carried out testing for a Western carmaker to make sure it complied with the laws and found it had significantly greater privacy protections.
BYD says it does not send personal data from Europe or the UK to China.
John Hemmings, of the Henry Jackson Society, a national security think tank, said: “There are very serious concerns with Chinese BYD vehicles as they are essentially computers on wheels.
“There should be serious restrictions about their use by government ministers whose conversations are at risk of capture and by military officials whose work might require them to drive inside bases and other secure locations.”
BYD said it complied with security regulations, that it protected location data stored on the vehicle, and did not send it over the internet.
It said it collected personal data “solely for the purpose of providing services to the user” and that “no historical data is stored on our cloud servers”.
“BYD attaches great importance to user privacy,” a spokesman said.
Best-selling Chinese electric car records everywhere you’ve been
James Titcomb
4–5 minutes
Electric cars made by a best-selling Chinese brand are recording drivers’ every journey and storing them forever, it has emerged.
Security researchers were able to extract the entire location history of a BYD Seal car sold in the UK, from its production in China to its eventual dismantling.
While the company said it was not transmitting location data overseas, experts said the ease with which location history could be obtained represented a security risk.
Chinese electric vehicles (EVs) have raised security concerns in the past, and have been largely excluded from the US market and banned from military bases in Poland.
Britain has welcomed the arrival of cheap Chinese cars, resisting pressure to put tariffs on them, although EVs are banned from some military sites owing to security fears.
BYD is the world’s biggest maker of electric cars and sold 51,422 vehicles in Britain last year.
Researchers at cybersecurity company Quarkslab removed microchips from the onboard telematics unit of a BYD Seal sold in Britain and subsequently dismantled in Poland after a crash.
The car’s GPS data were recorded several times a second and stored alongside the time it was recorded, according to the researchers, allowing them to recreate a map of its life, including the crash that led the car to be written off.
Romain Marchand, an analyst at Quarkslab, said: “By parsing the GNSS [location] logs, we reconstructed the full life of the vehicle from its production in a factory in China, through its operational life in the United Kingdom, to its final dismantling in Poland.
“Every movement and stop along the way is captured in the logs, giving a complete picture of the vehicle’s journey.”
‘A question of trust’
Ken Munro, of cyber security group Pen Test Partners, said that while many cars store location data, “these are generally well secured”.He added: “The major flaw with this particular telematics unit is that it was relatively easy to extract location data from. With a little more effort at security by the manufacturer, this should not have been possible.
“It comes to a question of trust; do we trust Chinese manufacturers with our location data? We are clearly more comfortable with US and European brands doing so.”
Mr Munro suggested that the vulnerability could break EU laws requiring radio equipment to have safeguards protecting personal data. The Radio Equipment Directive also applies in Northern Ireland.
He said the company had recently carried out testing for a Western carmaker to make sure it complied with the laws and found it had significantly greater privacy protections.
BYD says it does not send personal data from Europe or the UK to China.
John Hemmings, of the Henry Jackson Society, a national security think tank, said: “There are very serious concerns with Chinese BYD vehicles as they are essentially computers on wheels.
“There should be serious restrictions about their use by government ministers whose conversations are at risk of capture and by military officials whose work might require them to drive inside bases and other secure locations.”
BYD said it complied with security regulations, that it protected location data stored on the vehicle, and did not send it over the internet.
It said it collected personal data “solely for the purpose of providing services to the user” and that “no historical data is stored on our cloud servers”.
“BYD attaches great importance to user privacy,” a spokesman said.
