Hackers can now track your car's location through tire pressure sensors

$100 DIY device can intercept TPMS data from 50 meters away

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

In brief: Recent security incidents have proven that internet-connected cars can be tracked and even hijacked by hacking their advanced infotainment systems, wireless keys, and the cloud servers of their manufacturers. However, researchers have also discovered serious vulnerabilities in an overlooked area: the systems that electronically monitor tire pressure can leak location data.

The device in many automobiles that warns drivers when their tire pressure is low transmits the data in unencrypted cleartext and carries a unique identifier for each vehicle. Researchers from IMEDA Networks and several European universities recently discovered that relatively inexpensive wireless devices can track Tire Pressure Monitoring System (TPMS) signals to spy on drivers covertly over extended periods.

Major automakers, including Toyota, Renault, Hyundai, and Mercedes, favor Direct TPMS (dTPMS) devices – battery-powered pressure sensors embedded within wheel rims or tire liners. In contrast with Indirect TPMS, which simply calculates wheel pressure via speed sensors, dTPMS directly transmits tire pressure and temperature information to a vehicle's electronic control unit (ECU) in packets of around 100 bits.

The researchers found that portable devices costing as little as $100 can detect the packets from over 50 meters away. Determined hackers could assemble them using off-the-shelf antennas and Raspberry Pi components, then covertly place them along roads to harvest signals from passing vehicles.

Hiding the receivers along known routes might enable someone to analyze traffic and learn daily routines without resorting to cameras, creating significant privacy risks. Although unique TPMS identifiers are difficult to discern in traffic, isolating the ID at a person's residence would enable potential attackers to track specific vehicles over days or weeks.

The implications are manifold. For example, thieves could learn the routes and schedules of delivery and cargo trucks to find the best opportunity to hijack them. They could also estimate cargo weight by comparing tire-pressure readings against baseline values for specific vehicle models. It might even be possible to spoof flat-tire warnings to the ECU, forcing a vehicle to stop for hijackers lying in wait. Since drivers cannot control TPMS signals, companies could also monitor employees' vehicles without their consent, and authorities could use the signals to conduct mass surveillance.

// Related Stories

• A developer accidentally gained control of more than 10,000 DJI devices
• Apple launches new AirTag with longer range and improved "Find My"

Automakers and governments have tightened cybersecurity measures following prior incidents where software developers inadvertently exposed the location data of vehicles driven by politicians, intelligence agents, military personnel, and ordinary drivers. However, officials do not seem to be aware of TPMS vulnerabilities.

The researchers strongly recommend that car manufacturers enact encryption protocols. Unfortunately, there is no open TPMS standard, so the implementation of new security systems might be spotty if automakers respond to the issue.