Data transmissions from tire pressure sensors can be captured using low-cost equipment placed along roads to track drivers, academic researchers have demonstrated.
The Tire Pressure Monitoring System (TPMS), which is now mandatory in vehicles worldwide for improved safety and maintenance, transmits a unique identifier in clear text, exposing the transmissions to eavesdropping and potential tracking.
Academics from Spain, Switzerland, and Luxembourg have published a research paper (PDF) on how low-cost receivers can be used to capture these unencrypted passive transmissions to infer car movement patterns.
They deployed five receivers that, for 10 weeks, captured over 6 million TPMS messages from approximately 20,000 vehicles.
Because the unique identifier transmitted by the TPMS does not change throughout the life of the tire, the researchers were able to match the signals to cars and track a set of verified cars.
“Our results show that TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight, or driving pattern of the driver,” the academics note.
Easily deployable, each receiver costs roughly $100, making the tracking system rather affordable and demonstrating that car makers should reconsider the use of plain text wireless transmission, the researchers explain.
“TPMS transmissions are sent without any encryption or secure mechanisms and include a unique identifier. This allows anyone with affordable equipment like a low-cost spectrum receiver and a standard off-the-shelf antenna to capture and track them throughout time and space,” the academics say.
The researchers argue that attackers could deploy such receivers at scale for mass tracking of drivers. Attackers could combine the passive tracking with active spoofing of sensor signals, sending fake flat tire alerts to trucks to force stops and hijack their cargo, the academics note.
According to the researchers, an attacker could also link TPMS sensors with a specific person of interest, for targeted tracking using publicly available software-defined radios.
“Attackers can use this information to learn, predict, and exploit a person’s movements, points of interest, and behavior patterns,” they note.
Related: Old Attack, New Speed: Researchers Optimize Page Cache Exploits
Related: WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking
Related: ‘ZombieAgent’ Attack Let Researchers Take Over ChatGPT
Related: Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking
