Grade: F

BYD Atto 3

Hidden SIM card lets someone call in and listen to your car. Chinese intelligence law applies.
Fail
BYD · 🇨🇳 China · Cellular + WiFi + Bluetooth
Evidence reviewed: Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
FCC ID: SD4-DILINK6125F
Chipset: Qualcomm QCM6125
App: com.byd.bydautolink
Manufacturer: BYD
Model: Atto 3
🚫 Banned in the US
This product is banned or effectively prohibited from sale in the United States due to national security concerns.

⚠️ The bottom line

BYD publicly told Australian customers they don't collect driving data, but their own privacy policy says they collect your speed, braking, acceleration, where you go, and how far you drive. The company is directly contradicting its own written privacy statement. BYD promises 'privacy first,' but as a Chinese company they are legally required by China's intelligence law to hand over data if the Chinese government asks. Multiple governments including Australia, the UK, and the US treat Chinese connected vehicles as security threats. BYD cannot guarantee 'privacy first' while being legally compelled to cooperate with Chinese intelligence.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law
Company must secretly hand data to Chinese intelligence on request
Data Security Law
State can classify any data as 'important' and demand access for national security
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 4/4 EXTREME (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
10 contradictions: 4 critical, 5 high, 1 medium. 3 sources.
Findings by concern
Spying 4/4 EXTREME 5 findings
⚠️ critical · policy claims vs firmware analysis
BYD says your data stays in Australia, but the car's software has a Chinese server address (global-api.bydauto.com.cn) built into it. Security researchers also found the car sends some data to the cloud without encryption, and BYD can remotely update the software to change what it collects or where it sends data, without telling you.

What they claim: BYD states data is stored 'in Australia' on AWS infrastructure and claims not to transfer customer data to Chinese headquarters.

What we found: Firmware hardcoded endpoints include 'global-api.bydauto.com.cn', a Chinese (.cn) domain. A hard-coded endpoint shows the software is built to reach China-hosted infrastructure; what is actually sent there, and when, can only be established from a traffic capture. CVE-2025-28169 documents unencrypted broadcasts from DiLink to cloud servers, meaning data in transit could be intercepted. The DiLink 3.0F FCC filing (SD4-DILINK6125F) was tested by GRG Metrology & Test Group Co., Ltd. in Shenzhen, China. OTA update capability means BYD can remotely change what data is collected and where it is sent without owner notification.
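The hard-coded endpoint above is the kind of artefact a string scan over the firmware image or APK turns up. The Python below is an added example, not BYD's code and not taken from the DiLink firmware: it pulls hostname-looking strings out of a binary blob, drops reverse-DNS package names and filenames that happen to look like hostnames, and groups what is left by top-level domain so that .cn endpoints stand out. The blob it scans is constructed for the example; only global-api.bydauto.com.cn comes from the page, the amazonaws.com and example.com.cn hosts are placeholders.

```python
"""Pull hard-coded hostnames out of a firmware/APK blob and group them by TLD.

Added example, not BYD code. Run it over each file unpacked from the APK or
system image (classes*.dex, lib/*.so, assets/*) and compare the result with
what a traffic capture shows the device actually contacting.
"""
import re
from collections import defaultdict

# Two or more dot-separated DNS labels ending in an alphabetic TLD, not glued
# to other hostname characters on either side.
HOST_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])"
    rb"((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})"
    rb"(?![A-Za-z0-9-])"
)

# Strings that match HOST_RE but are not network endpoints: reverse-DNS Java
# package names (com.byd...) and filenames (libdilink.so). Heuristic; tune per target.
PACKAGE_PREFIXES = {"com", "org", "net", "io", "android", "androidx", "java", "javax", "kotlin"}
FILE_SUFFIXES = {"so", "xml", "png", "dex", "apk", "json", "txt", "js", "css", "html", "jar", "bin"}

# ccTLDs tied to the jurisdiction of interest. Assumption for the example: .cn only.
FLAGGED_TLDS = {"cn"}


def extract_hosts(blob: bytes) -> set[str]:
    """Return every distinct hostname-looking string in blob, lower-cased."""
    hosts: set[str] = set()
    for m in HOST_RE.finditer(blob):
        host = m.group(1).decode("ascii").lower()
        labels = host.split(".")
        if labels[0] in PACKAGE_PREFIXES or labels[-1] in FILE_SUFFIXES:
            continue
        hosts.add(host)
    return hosts


def group_by_tld(hosts: set[str]) -> dict[str, list[str]]:
    """Map each TLD to the sorted hostnames under it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host in sorted(hosts):
        groups[host.rsplit(".", 1)[1]].append(host)
    return dict(groups)


def flagged_hosts(hosts: set[str]) -> set[str]:
    """Hostnames whose TLD is in FLAGGED_TLDS."""
    return {h for h in hosts if h.rsplit(".", 1)[1] in FLAGGED_TLDS}


def scan(blob: bytes) -> dict[str, object]:
    hosts = extract_hosts(blob)
    return {"by_tld": group_by_tld(hosts), "flagged": sorted(flagged_hosts(hosts))}


# Constructed sample "firmware" bytes: an ELF-like header, a few strings and
# binary noise. Only global-api.bydauto.com.cn is from the page; the other
# hostnames are placeholders for the example.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"https://global-api.bydauto.com.cn/v1/vehicle/report\x00"
    + b"https://s3.ap-southeast-2.amazonaws.com/\x00"
    + b"com.byd.bydautolink\x00libdilink.so\x00version 3.2.4\x00"
    + b"\x8a\x13\xf0\x00telemetry.example.com.cn:8883\x00"
)

if __name__ == "__main__":
    result = scan(SAMPLE_BLOB)
    for tld, hs in result["by_tld"].items():
        print(f".{tld}: {', '.join(hs)}")
    print("flagged:", result["flagged"])
```

A hit proves only that the code carries that endpoint; whether telemetry really goes there is a question for the network-traffic evidence, not the firmware strings.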

⚠️ critical · app permissions vs firmware analysis
The BYD app can access your phone's microphone and camera. In 2024, an Australian owner discovered someone could call the car's hidden SIM card and listen to conversations inside the vehicle — with no warning on the dashboard. The car couldn't even hang up the call. Combined with a security flaw that lets attackers bypass the car's security, there are multiple ways someone could spy on you through your car.

What they claim: The BYD AUTO app requests RECORD_AUDIO (microphone access) and CAMERA permissions for a vehicle companion app.

What we found: In October 2024, an Australian BYD owner discovered the car's internal Telstra SIM could be dialled from an external phone, enabling audio eavesdropping from inside the vehicle with no on-screen indication. The owner could not hang up the covert call from inside the car. Combined with the app's RECORD_AUDIO permission and CVE-2024-46442 (authentication bypass on DiLink headunit), there are multiple vectors for audio surveillance of vehicle occupants.

⚡ high · app permissions vs policy claims
BYD says they don't share your data with third parties, but their app requests four different advertising and attribution permissions. These permissions exist only to work with Android's advertising APIs (the advertising ID and the Privacy Sandbox attribution and custom-audience APIs), and they are normally pulled in by a bundled advertising or analytics SDK. A car app that shared nothing with ad networks would have no reason to ship one.

What they claim: BYD states 'We do not share your any personal data to the below third parties' and claims minimal data collection.

What we found: The BYD AUTO app (com.byd.bydautolink v3.2.4) requests 44 permissions including: CAMERA, RECORD_AUDIO (microphone), READ_CALENDAR/WRITE_CALENDAR, READ_PHONE_STATE, ACCESS_FINE_LOCATION, and advertising permissions (ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_CUSTOM_AUDIENCE, AD_ID). Four separate advertising/attribution permissions indicate that an advertising or attribution SDK is bundled in the app, which is inconsistent with the 'no sharing' claim; a traffic capture of the app would show what that SDK actually transmits.

⚡ high · app permissions vs policy claims
BYD's car app can read and change your phone's calendar — but nowhere does BYD explain why a car needs to know your schedule. Combined with GPS tracking of everywhere you drive and when, BYD could build a complete picture of your daily life: where you go, when, and what you have planned.

What they claim: BYD's Vehicle Privacy Statement mentions collecting 'camera' and 'microphone' data for 'normal use of corresponding functions' without specifying what those functions are.

What we found: The BYD AUTO app requests READ_CALENDAR and WRITE_CALENDAR permissions — the ability to read and modify your phone's calendar. No BYD privacy policy or vehicle documentation explains why a car app needs to read your calendar, your phone identity (READ_PHONE_STATE), or write to your calendar. These permissions provide a pattern-of-life profile: where you drive (GPS), when you drive (trip data), and what you have planned (calendar).

⚡ high · regulatory findings vs policy claims
Even though BYD says your data is stored in Australia on Amazon's servers, the Chinese government could legally compel BYD employees with access to those servers to secretly copy your data. BYD is also adding DeepSeek AI to its cars — the same Chinese AI company that raised global security alarms. Where data is stored matters less than who has the keys to it.

What they claim: BYD's Australian Vehicle Privacy Statement states data is processed and stored in Australia using AWS infrastructure.

What we found: BYD has partnered with DeepSeek to integrate its AI into vehicles, raising additional data security concerns. BYD's FCC filing was tested in Shenzhen, China. The Australian Privacy Watchdog is actively investigating car brands over data-harvesting. China holds 78% of Australia's battery EV market, creating systemic surveillance risk. BYD's privacy promise of Australian data storage is technically possible via AWS Sydney/Melbourne, but China's National Intelligence Law could compel BYD engineers with AWS access to exfiltrate data regardless of storage location.

Data Sharing 4/4 EXTREME 2 findings
⚠️ critical · policy claims vs regulatory findings
BYD promises 'privacy first,' but as a Chinese company they are legally required by China's intelligence law to hand over data if the Chinese government asks. Multiple governments including Australia, the UK, and the US treat Chinese connected vehicles as security threats. BYD cannot guarantee 'privacy first' while being legally compelled to cooperate with Chinese intelligence.

What they claim: BYD's EU page states 'At BYD, we take a Privacy First approach' and the Vehicle Privacy Statement says 'We do not sell your personal data to anyone for any purpose, period.'

What we found: China's National Intelligence Law (2017) Article 7 requires all Chinese organisations to 'support, assist and cooperate with the state intelligence work.' BYD Auto Industry Company Limited is headquartered in Shenzhen, China. ASPI analysis confirms Chinese EVs are 'a rolling security threat.' The Australian Protective Security Policy Framework bans public servants from syncing phones to BYD vehicles. The UK MOD placed warning stickers on vehicles with Chinese components: 'Avoid conversations above OFFICIAL within vehicle.'

⚫ medium · policy claims vs app permissions
BYD's app requests ultra-wideband ranging, which measures the distance between your phone and the car to within roughly ten centimetres, and high-rate sensor access, which lets it read your phone's motion sensors faster than Android normally allows. Ultra-wideband ranging is what phone-as-key features use, so there may be a functional reason for it, but none of this is mentioned in BYD's privacy policy. Even if they don't sell this data, they are collecting more than they tell you about.

What they claim: BYD's Vehicle Privacy Statement says 'We do not sell your personal data to anyone for any purpose, period.'

What we found: The BYD AUTO app includes UWB_RANGING (ultra-wideband ranging) and HIGH_SAMPLING_RATE_SENSORS permissions. UWB ranging measures phone-to-vehicle distance to roughly 10 cm and is the usual basis of phone-as-key features. HIGH_SAMPLING_RATE_SENSORS lifts the 200 Hz cap that Android 12 and later place on accelerometer, gyroscope and magnetometer sampling, enabling high-frequency motion data collection that is useful for detailed behavioural profiling. Neither capability is disclosed anywhere in BYD's privacy documentation.
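The three permission findings above (advertising/attribution, calendar and phone identity, UWB and high-rate sensors) all rest on the same check: list what the app's manifest requests, group the permissions by what they enable, and set each group against the privacy statement. The Python below is an added example, not BYD's code and not the tooling behind this page. The manifest it parses is constructed for the example and contains a subset of the 44 permissions named above plus two ordinary ones; the category groupings and the two sample policy claims are the example's own assumptions, with the claim text paraphrasing the statements quoted on this page.

```python
"""Audit an Android manifest's permissions against privacy-policy claims.

Added example, not BYD's code. Input is decoded AndroidManifest.xml text
(for example from `apktool d app.apk`); `aapt dump permissions app.apk`
gives the same list straight from the binary manifest for cross-checking.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Grouping of permissions by what they enable. The groups are the example's
# own; a real audit extends them to cover the whole manifest.
CATEGORIES: dict[str, set[str]] = {
    "advertising/attribution": {
        "com.google.android.gms.permission.AD_ID",
        "android.permission.ACCESS_ADSERVICES_AD_ID",
        "android.permission.ACCESS_ADSERVICES_ATTRIBUTION",
        "android.permission.ACCESS_ADSERVICES_CUSTOM_AUDIENCE",
        "android.permission.ACCESS_ADSERVICES_TOPICS",
    },
    "audio/video capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "calendar": {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
    "device identity": {"android.permission.READ_PHONE_STATE"},
    "proximity/sensors": {
        "android.permission.UWB_RANGING",
        "android.permission.HIGH_SAMPLING_RATE_SENSORS",
    },
}

# Each policy claim paired with the category whose presence contradicts it.
# Claim text paraphrases the page; the pairing is the example's assumption.
SAMPLE_CLAIMS: dict[str, str] = {
    "We do not share personal data with third parties": "advertising/attribution",
    "We collect only what the vehicle functions need": "calendar",
}

# Constructed manifest: a subset of the permissions named on the page plus
# INTERNET and BLUETOOTH_CONNECT, which any companion app would request.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.byd.bydautolink">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.UWB_RANGING"/>
    <uses-permission android:name="android.permission.HIGH_SAMPLING_RATE_SENSORS"/>
    <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
    <uses-permission android:name="android.permission.ACCESS_ADSERVICES_ATTRIBUTION"/>
    <uses-permission android:name="android.permission.ACCESS_ADSERVICES_CUSTOM_AUDIENCE"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>
"""


def parse_permissions(manifest_xml: str) -> set[str]:
    """Every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def categorize(perms: set[str]) -> dict[str, list[str]]:
    """Sort the requested permissions into CATEGORIES, plus an 'uncategorized' bucket."""
    report = {cat: sorted(perms & names) for cat, names in CATEGORIES.items()}
    known = set().union(*CATEGORIES.values())
    report["uncategorized"] = sorted(perms - known)
    return report


def check_claims(perms: set[str], claims: dict[str, str] = SAMPLE_CLAIMS) -> dict[str, list[str]]:
    """Return each claim the manifest contradicts, with the permissions that contradict it."""
    report = categorize(perms)
    return {claim: report[cat] for claim, cat in claims.items() if report[cat]}


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_MANIFEST)
    for cat, names in categorize(perms).items():
        print(f"{cat}: {names}")
    for claim, names in check_claims(perms).items():
        print(f"CONTRADICTED: '{claim}' by {names}")
```

The manifest shows what the app may do, not what it does; the audit's output is the list of questions to put to a traffic capture and to the privacy statement.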

Security 4/4 EXTREME 2 findings
⚡ high · firmware analysis vs policy claims
BYD claims they carefully manage all the software in your car, but security researchers found your personal data and location were leaking through system logs. When BYD tried to fix this, their patch actually created a new security hole that exposed even more personal data. This is the opposite of careful management.

What they claim: BYD's EU page claims 'BYD manages all third-party software that processes your data' and emphasises data minimization.

What we found: CVE-2024-54728 reveals incorrect access control allowing unauthorised access to system logcat logs containing sensitive data. CVE-2025-7020 (confirmed affecting BYD ATTO 3) shows that BYD's own patch to fix CVE-2024-54728 introduced a new vulnerability — incorrectly encrypted log dumps exposing PII and location data. This demonstrates inadequate software security management where fixes create new vulnerabilities, contradicting the 'managed' claim.

⚡ high · firmware analysis vs regulatory findings
The BYD Atto 3's head unit software has four known security flaws, including one that lets attackers bypass its authentication and another that sends data to the cloud unencrypted. Multiple countries' military and security agencies have flagged BYD vehicles as security risks. Despite all this, at least one vulnerability in the Atto 3 remained unpatched as of its advisory date.

What they claim: BYD DiLink 3.0 runs Android 10 with LTE/4G, WiFi, Bluetooth, and GPS — an always-connected vehicle computing platform.

What we found: CVE-2024-46442 allows authentication bypass via brute-force on the DiLink headunit. CVE-2025-28169 (CVSS 8.1) reveals unencrypted vehicle-to-cloud communications enabling MITM attacks. The Israeli Defence Forces halted BYD vehicle supply over cybersecurity concerns. The US House Committee on Homeland Security raised national security risks of BYD vehicles. Of the four DiLink CVEs, only CVE-2025-7020 is confirmed against the Atto 3 by name; the others are reported against the DiLink 3.0 platform the Atto 3 runs. The Atto 3 remained unpatched for CVE-2025-7020 as of the advisory date.

Honesty 2/4 MODERATE 1 finding
⚠️ critical · policy claims vs policy claims
BYD publicly told Australian customers they don't collect driving data, but their own privacy policy says they collect your speed, braking, acceleration, where you go, and how far you drive. The company is directly contradicting its own written privacy statement.

What they claim: BYD spokesperson told Australian media 'data is not collected from Australian BYD owners on how they drive or use their vehicle.'

What we found: BYD's own Vehicle Privacy Statement (byd.com/au/privacy-statement-of-byd-vehicle) explicitly states: 'We collect driving data about your vehicle such as speed, acceleration, and braking data; direction of travel; trip data (mileage, date, location).' The same statement also lists GPS location, seatbelt status, steering data, and cabin environmental data.
