Research finds tire pressure sensors can be tracked easily with cheap equipment
Tire pressure sensors can unintentionally expose drivers to tracking, according to research from the IMDEA Networks Institute, located in Spain.
A 10-week study collected signals from more than 20,000 vehicles and found a privacy risk, highlighting the need for stronger security measures in future vehicle sensor systems, states a release from the organization.
Tire Pressure Monitoring Systems (TPMS) have been mandatory in many countries since the late 2000s, the release says. It uses small sensors in each wheel to monitor tire pressure and sends wireless signals to the car’s computer to alert the driver if a tire is underinflated.
“However, the researchers found that these tire sensors also send a unique ID number in clear, unencrypted wireless signals, meaning that anyone nearby with a simple radio receiver can capture the signal, and recognize the same car again later,” the release says.
Most vehicle tracking today uses cameras that require clear visibility and a line of sight to a car, the release says. However, TPMS tracking is different because tire sensors automatically send radio signals that pass through walls and vehicles, allowing small hidden wireless receivers to capture them without being seen.
The fixed unique ID allows the same car to be recognized without reading a license plate, the release says.
“This makes TPMS-based tracking cheaper, harder to detect, and more difficult to avoid than camera-based surveillance, and therefore a stronger privacy threat,” the release states.
Researchers built a network of low-cost radio receivers and placed them near roads and parking areas. Each receiver costs about $100. They collected more than 6 million tire sensor messages from more than 20,000 cars.
“As vehicles become increasingly connected, even safety-oriented sensors like TPMS should be designed with security in mind, since data that appears passive and harmless can become a powerful identifier when collected at scale,” said Alessio Scalingi, former PhD student at IMDEA Networks and current assistant professor at UC3M, Madrid.
Current vehicle cybersecurity regulations do not specifically address TPMS security, the release says. It adds that without encryption or authentication, tire sensors are an easy target for passive surveillance.
“TPMS was designed for safety, not security,” said Yago Lizarribar, former PhD student at IMDEA Networks and a current researcher at Armasuisse, Switzerland, in the release. “Our findings show the need for manufacturers and regulators to improve protection in future vehicle sensor systems.”
In recent years, multiple major automakers have joined Global Platform, an organization that is working on a standardized cybersecurity approach for software-defined vehicles.
A 2024 Rockwell Automation Report found that cybersecurity was the top concern for automotive manufacturers.
“Cybersecurity is an even bigger concern for automotive than other industries: respondents in our pan-industry report ranked it lower, at No. 3 on the list of external pressures,” the 2024 report says. “Recent high-profile data breaches and the proliferation of internet connectivity within automotive may have contributed to cybersecurity leaping up from the ninth biggest risk last year to this year’s top spot.”
Image
Photo courtesy of DaveAlan/iStock