The tire pressure monitoring system (TPMS) is a great advancement in automotive technology. When it’s implemented well, there’s little guesswork in knowing if your tires are at safe pressures. Normally, you don’t have to think much about your TPMS until something breaks, but Spanish researchers want to sound an alarm about a potential vulnerability. It could be possible for a bad actor to use your car’s tire pressure sensors to see when your vehicle leaves a location. But before you panic, there’s good news.
This report comes to us from the IMDEA Networks Institute, and on the surface, it sounds like the stuff of dystopian science fiction. The institute published an eight-page peer-reviewed report supporting its claim. IMDEA Networks was founded by the Madrid Regional Government in 2006 to advance the science of computer networks. The institute says it largely focuses on research into network design, wireless communications, and cybersecurity, among other projects.
On February 25, the IMDEA Networks Institute published a wild headline that states “Your car’s tire sensors could be used to track you”. In its news publication, the institute said that it conducted a study over ten weeks where it successfully “collected signals from more than 20,000 vehicles,” and that common TPMS sensors have a critical vulnerability that could be exploited by hackers, criminals, governments, and others. Let’s take a look at this.
How Your Car Monitors Tire Pressure
Tire pressure monitoring systems have existed in the automotive world for 41 years. Schrader claims to have invented the first pressure monitoring system for cars in 1985, and that the first car to use a Schrader-branded TPMS was the 1997 Chevrolet Corvette C5. While Schrader says it invented the technology, Porsche was quicker in implementing it, as the 1986 Porsche 959 had a feature called Reifen Druck Kontrolle (Tire Pressure Control), which was developed by Bosch and PSK.
There are two general kinds of TPMS today.
Indirect TPMS utilizes the vehicle’s wheel speed sensors. This is the same system that feeds active safety systems like traction control and ABS. In an indirect TPMS, the vehicle monitors wheel rotation, and if it detects that a wheel is moving too slowly (overinflated) or is moving too quickly (underinflated) compared to the others, it’ll illuminate a warning on the vehicle’s instrument cluster.
Indirect TPMS isn’t measuring tire pressure at all. This is why the cars that have indirect TPMS can’t tell you what your tire pressures are, and can only warn you when the system thinks something is off. These systems are also less precise because they aren’t monitoring tire pressure. If you own a Volkswagen Group vehicle, there’s a chance you’re running indirect TPMS. As Bridgestone Americas says, indirect TPMS is cheaper to implement and maintain than direct TPMS.
That brings us to direct TPMS. This system utilizes battery-powered sensors that are mounted onto the wheels that measure tire pressure. Some sensors also measure tire pressure. These sensors send text data to a module in the vehicle, which interprets the data. Many vehicles use direct TPMS to display actual tire pressures and temperatures to the driver. Some vehicles have direct TPMS, but utilize only a TPMS light. Direct TPMS, while more expensive, tends to be more useful to the driver.
That communication part is important, from the IMDEA Networks Institute:
As there is no open dTPMS standard, dTPMS communication is based on proprietary protocols and simple modulation schemes (for instance, ASK or FSK at 315 MHz or 433 MHz). Each TPMS sensor transmits the information about tire pressure and identifier to the Electronic Control Unit (ECU), located inside the vehicle. Manufacturers like Toyota, Renault, Hyundai or Mercedes typically favor these systems over iTPMS. The length of the message varies depending on the manufacturer, but the dTPMS messages usually are 100 bits in length with a symbol rate of 20 kbps, which means that a full transmission takes 5 ms. A TPMS message contains the following fields: preamble, with common hex structures like 0x55555556 or 0xaaaaaaa9; textbfID, which is a 24 to 32 bit hexadecimal string with the dTPMS sensor identifier; temperature; pressure; different flags which may contain parameters like battery status; and a checksum.
Although the operation of these devices varies among different manufacturers, most of them transmit pressure information when sudden changes in tire pressure are detected or when the vehicle is moving. When the vehicle starts to move, motion sensors trigger the pressure sensor to start data transmission with a period of 30-120 seconds. Another way to trigger transmissions from a TPMS sensor is to send a pulse in the LF band (125 kHz), which is the operation principle of many TPMS monitoring tools used in repair shops.
The TREAD Act of 2000 mandated the use of monitoring systems. If you drive a car that was built on September 1, 2007, or later, you have a TPMS that’s silently working in the background. Alright, so that’s how TPMS works. How can it be used to track cars?
The Study
The IMDEA Networks Institute opens its study by talking about the ways in which people are being tracked through their activities with their car. The institute says that car manufacturers monitor the position of vehicles through cellular networks, normally for maintenance reasons. Meanwhile, the institute says, even if you aren’t driving a connected car, your phone reports its location data. Even if you drive a Ford Model T and refrain from using technology, your vehicle can still be tracked by the increasing number of license plate cameras posted on the side of the road.
IMDEA Networks says that this is a big deal because this data and imagery may not always be used in good faith. The information in the hands of government entities and corporations can be used to catch criminals and find lost dogs until it isn’t. IMDEA Networks even has an example, from the report:
Although continuous car tracking is becoming ubiquitous, it also comes with privacy risks. Car movement data entails a lot of private and sensitive information. Movement data provides insights into the everyday private lives of their owners. For example, in a recent data breach that affected four large European car brands[1], researchers were able to systematically observe the activities of police officers, military officials, or individuals visiting medical facilities, raising serious privacy concerns for those affected entities.
As of July 2022, some 54 countries have implemented regulations around United Nations Regulation No. 155, which established cybersecurity requirements for vehicle manufacturing and type approval. These regulations do not include TPMS sensors, and IMDEA Networks decided to see how much of a vulnerability there is. IMDEA Networks says that previous research had indicated that TPMS signals could be read from as far away as 40 meters from a car, but it wasn’t clear how much risk there was.
To test how big a deal this could be, IMDEA Networks acquired five RTL-SDR (software-defined radio) devices, which were then connected to Raspberry Pis. Open source rtl433 software was used for message decoding. The institute noted that it sourced all of the parts and software for its testing on the public market and that anyone could build a TPMS signal receiver for about $100 per receiver. Even data collection is easy, as you could connect the device to Wi-Fi, to Ethernet, or just have the receiver store the data on an SD card for later retrieval.
In its test, IMDEA Networks placed the five receivers in buildings in the same neighborhood near windows and pointed them at parking lots and roads. Distances between the receivers to the pavement ranged from 10 meters to 50 meters, and IMDEA Networks says that the receivers had no problem picking cars from 50 meters away. That’s without specialized equipment. The institute believes that, with an antenna designed specifically to pick up 433 MHz signals, the capture range could be extended even further.
Anyway, over the testing period of 10 weeks, the homebrew receivers caught six million TPMS messages from over 20,000 vehicles. IMDEA Networks also specifically tracked the data from 12 vehicles from volunteers. The institute took the data it received from the vehicles, plugged it into an algorithm, and was able to discover far more than you might expect from tire pressure monitoring. IMDEA Networks says that “TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight or driving pattern of the driver.”
To illustrate that, IMDEA Networks demonstrated what it was able to infer about some of the vehicles from the study:
We study the profile of four workers. This car is systematically seen at a fixed time at 8:00 am (except for a day) during the week and always leaves at 5:00 pm. Due to the working hours, we can deduce that this profile belongs to a full-time worker of the company. We can also extract more information from these patterns. On Day 12, they went outside to have lunch and we measured their car’s IDs at a time around 12:00 pm to 1:00 pm, as it took around 1 hour to have lunch. Another insight we can extract is that their car is never seen on Fridays, because they usually work from home on those days. Thus, from TPMS transmissions, we can also infer the remote/in-person work patterns of individuals.
[…]
In addition to regular working hours, we can also observe anomalies. First, on day 14 the driver left at their usual time, but appeared later in the evening. This can be explained because the driver attended a university course in the vicinity and on their way home, they passed through a road near the workplace. The next day, we can also see that the same driver attended another class and decided to go back through the same route. The second day, the workplace was still closed for holidays, and yet we were still able to capture transmissions from the nearby road.
[…]
The next case is of an external part-time worker, who comes a few days every week and does a shorter schedule than full-time workers. What is interesting is that we can capture TPMS transmissions every hour even when the vehicle was not moving. During our experiments we observe that each TPMS brand transmits with different strategies, as it can be seen in both Fig. 7b and Fig. 7. We observe that the TPMS sensors used by Toyota tend to transmit continuously, brands like Ford or Nissan do it less regularly, and brands like Renault only transmit when movement is detected on wheels.
The good news is that, as the institute notes, all of this is only hypothetical and inferences. The volunteers gave nothing but their permission to track their cars. Thus, IMDEA Networks doesn’t know their identities or what they actually do. TPMS cannot provide that data. However, the institute thinks it’s a big deal that its researchers were even able to get this far by taking consumer electronics and reading tire pressure data.
Why IMDEA Networks Thinks This Is A Threat
Why was the institute able to do this? IMDEA Networks says that TPMS transmissions are not encrypted or secured in any meaningful way, and they also carry unique identifiers. The institute continues:
Malicious users could deploy passive receivers on large scales and track citizens without their knowledge. The advantage of such a system, over more traditional camera-based ones, is that no direct line-of-sight is needed with the TPMS sensors and spectrum receivers could be placed in covert or hidden locations, making them harder to spot by victims. A data mining company could deploy receivers, gain insight on the types of traffic and routes taken, and then sell that data, all without the knowledge of the users (the drivers).
By establishing such a network of spectrum devices over a city, malicious users could track cars and infer behavioral patterns. In fact, another type of attack that results from passive surveillance could be for burglars in suburban residential areas. By tracking the vehicles of each household, they could infer the schedule and pattern of a particular household and take advantage of their absence. Finally, by combining passive monitoring with active spoofing, threat actors could track logistics trucks, spoof flat tire alerts to force stops, and then hijack the cargo.
Additionally, IMDEA Networks says, if a broad receiver network is combined with photo surveillance or physical addresses, it could be used to stalk specific people on a more personal level. IMDEA Networks notes that there have been proposals to secure TPMS, but to the institute’s knowledge, there’s no vehicle in production that does this, and no regulation for it, either. So, the institute hopes that, with this report, perhaps governments or auto manufacturers may consider improving TPMS security.
A Lot Of Work To Burgle A Home
Before you start yanking your tire pressure sensors out, you should know that there’s another side to this. As it currently stands, using tire pressure to stalk people is really impractical. If a burglar wants to break into your house, they probably aren’t going to set up a network of radios at $100 a piece to track your tires to see when you leave home. There are other, easier methods to figure that out.
IMDEA Networks talks about bandits using these hypothetical trackers to hijack trucks or to follow specific people. But remember, the bad guys would have to set up an entire network of receivers, spanning who knows how many miles, in order for that to work in reality. Again, there are easier ways to achieve this.
Likewise, if a government or corporation wants to monitor you, well, other methods already exist. As the study also states, TPMS doesn’t reveal private details like your identity. Simply placing cameras next to the road, something that already happens in much of America and Europe, already generates so much information.
However, the study is still fascinating in the sense of what you could infer from tire surveillance. The fact that you could even determine when a certain car is going to appear in or leave certain places is pretty interesting. So, IMDEA Networks seems to have a valid point that these sensors could be more secure. Now, I imagine that many Autopians are going to feel even better about driving something like a two-stroke Saab over anything modern.
Top graphic image: DepositPhotos.com
“But remember, the bad guys would have to set up an entire network of receivers, spanning who knows how many miles, in order for that to work in reality.”
So…the next article is on Flock cameras?
I’ll worry much more about this when we all stop carrying candy-bar-shaped tracking devices in our pockets. Much like no one bothers to crack passwords anymore because it’s so much easier and more cost-effective to just social engineer someone to give you their password, I doubt anyone is going to bother with this when they could just set up a bluetooth hotspot and watch for your phone to enter or leave it.