Data transmissions from tire pressure sensors can be intercepted using inexpensive equipment strategically placed along roadways, according to a study by academic researchers.
The Tire Pressure Monitoring System (TPMS), which is now mandated in vehicles globally for enhanced safety and maintenance, transmits a unique identifier in clear text. This vulnerability makes the transmissions susceptible to eavesdropping and potential tracking.
Researchers from Spain, Switzerland, and Luxembourg have published a study demonstrating how low-cost receivers can capture these unencrypted transmissions to deduce vehicle movement patterns.
Over the course of 10 weeks, the team deployed five receivers that successfully captured more than 6 million TPMS messages from around 20,000 vehicles.
Since the unique identifier transmitted by the TPMS remains constant throughout the tire's lifespan, the researchers were able to correlate the signals to specific vehicles and track a verified set of cars.
“Our results indicate that TPMS transmissions can be utilized to systematically infer potentially sensitive information such as the presence, type, weight, or driving patterns of the driver,” the researchers stated.
With each receiver costing approximately $100, the tracking system is relatively affordable. The researchers argue that automakers should reconsider using plain text wireless transmission methods.
“TPMS transmissions are sent without encryption or secure mechanisms and include a unique identifier. This enables anyone with budget-friendly equipment, such as a low-cost spectrum receiver and a standard antenna, to capture and track these signals over time and distance,” they added.
The researchers caution that malicious actors could deploy such receivers on a large scale for mass tracking of drivers. They could combine passive tracking with active spoofing of sensor signals, potentially sending false flat tire alerts to trucks, forcing them to stop and hijack their cargo.
According to the researchers, an attacker could also associate TPMS sensors with specific individuals, allowing for targeted tracking using publicly available software-defined radios.
“Attackers can exploit this information to learn, predict, and manipulate a person’s movements, points of interest, and behavior patterns,” they concluded.
