When considering how their movements might be tracked, most people think of smartphone apps, GPS services, or roadside cameras. However, the tires of their vehicles rarely come to mind.
Researchers from IMDEA Networks Institute, in collaboration with European partners, have discovered that Tire Pressure Monitoring System (TPMS) sensors embedded in vehicle wheels emit unencrypted wireless signals that contain persistent identifiers.
Each TPMS sensor transmits a unique ID that remains constant, enabling the same vehicle to be recognized and tracked over time.
Establishing a Low-Cost Monitoring Network
To investigate this issue, the researchers set up a network of low-cost software-defined radio receivers in proximity to roads and parking areas, with each receiver costing around $100.
During a ten-week study, the system captured over six million TPMS messages from more than 20,000 vehicles. These sensors are designed for low-power transmission, and tests showed that their signals could be detected from distances greater than 50 meters.
The research team devised methods to correlate signals from all four tires of a vehicle, which increased the likelihood that repeated detections pertained to the same car.
The extensive data collection allowed for the consistent observation of specific identifiers at particular locations. When identical tire IDs were detected repeatedly at similar times, it became possible to associate them with the regular presence of a vehicle. This led to the identification of habitual arrival times and parking patterns.
This monitoring setup did not rely on cellular data, GPS feeds, or license plate recognition systems. Instead, TPMS signals are automatically transmitted whenever the vehicle is in operation, and drivers are unaware that these signals can be intercepted.
The researchers cautioned, “Malicious users could deploy passive receivers on a large scale to track individuals without their consent. The advantage of such a system, compared to traditional camera-based tracking, is that it does not require a direct line of sight to the TPMS sensors, allowing receivers to be placed in covert locations, making them difficult for victims to detect.”
A network of radio receivers throughout a city could potentially track vehicles and construct profiles of their movements over time. In residential areas, ongoing monitoring of household vehicles could expose daily routines and times of absence, which could, in turn, create opportunities for burglaries.
Additionally, TPMS transmissions provide tire pressure readings, which may hint at the type of vehicle or its load conditions. Such insights could make specific vehicles more appealing targets for criminals. For instance, an attacker could follow logistics trucks, send false alerts about flat tires to induce unscheduled stops, and exploit the resulting disruption to target the cargo.
A Mandatory Safety Feature
TPMS was introduced as a safety feature and is required in numerous markets worldwide. Its primary function is to monitor tire pressure and alert drivers to unsafe conditions.
More than 50 countries, including all EU member states and several OECD nations, have enacted vehicle cybersecurity regulations under United Nations Regulation No. 155.
This framework mandates that automakers implement certified cybersecurity management systems and address risks to vehicle data, including identity and location information. However, TPMS is not included within the certification scope.
Despite proposals to enhance privacy protections for TPMS sensors, researchers found no evidence that manufacturers have implemented any changes. They are urging legislators, policymakers, and automakers to take action to improve the privacy and security of tire pressure monitoring systems.
