Tire Pressure Monitoring Systems (TPMS) in vehicles from Toyota, Renault, Hyundai, and Mercedes broadcast unencrypted tire data, enabling low-cost passive tracking of cars and drivers.
Researchers from IMDEA Networks and partners have revealed that a 10-week study captured over 6 million signals from 20,000 vehicles using $100 receivers, highlighting severe privacy risks.
Direct TPMS (dTPMS) sensors, embedded in tires, transmit pressure, temperature, battery status, and a unique 24-32 bit ID in cleartext via 315/433 MHz radio at 20 kbps.
Unlike indirect TPMS (iTPMS) used by Volkswagen Group, dTPMS lacks encryption or rotation of IDs, making signals eavesdroppable up to 55 meters, even non-line-of-sight. Transmissions occur every 30-120 seconds while driving or hourly when parked for some brands, creating persistent digital fingerprints.
Attack Chain
Affected Manufacturers
Toyota, Renault, Hyundai, and Mercedes favor battery-powered dTPMS with proprietary protocols like ASK/FSK modulation. Toyota sensors transmit continuously, even when stationary, while Renault activates mainly on motion.
ManufacturerTPMS TypeKey TraitsExample Transmission BehaviorToyotadTPMSContinuous broadcastsHourly when parkedRenaultdTPMSMotion-triggeredLess frequent stationaryHyundaidTPMSUnencrypted IDVulnerable to SDR captureMercedesdTPMSProprietary protocolCleartext pressure data
These systems have been mandatory worldwide since 2007-2012 for safety, but cybersecurity gaps persist despite UN Regulation 155.
The team deployed five RTL-SDR receivers on Raspberry Pi (~$100 each) indoors near roads, covering 10,050 m² over 10 weeks. Using the open-source rtl_433 decoder, they ingested data via MQTT/InfluxDB, filtering 12 verified cars’ IDs via the Autel TS501 tool. Moving vehicle tests at 50 km/h confirmed reliable capture omnidirectionally.
Receiver
Vehicle Identification Techniques
Tire-to-car matching used Jaccard index on 1-minute windows: J(A,B) = |A ∩ B| / |A ∪ B|, clustering co-occurring IDs with transitive merging. This outperformed cross-correlation, accurately identifying all 12 cars despite sparse signals, according to the research.
Coverage improves from 40% (1 ID) to near-100% (4 IDs), vital for mobile tracking.
Attackers can infer routines like work hours (e.g., 8 AM-5 PM arrivals), remote days, lunch breaks, or trips from temporal patterns.
Tire pressure reveals vehicle type/weight (e.g., 230 kPa for sedans) or loads; combined with cameras, it links to owners. Risks include burglary (absence detection), corporate surveillance, or spoofing for hijacks/denials-of-service.
Analysis of anonymized cars showed part-time workers (e.g., Car 1: 8 AM arrivals, university detours), full-timers (Fridays absent), and externals (gaps for travel). Pressure trends tracked inflation (e.g., front tires on Day 13). Scaled networks could surveil cities covertly, bypassing license plate readers.
UN R155 mandates vehicle cybersecurity but omits TPMS; 54 countries have enforced it since 2022. Prior works proposed encryption/timed transmissions, but none were widely adopted. New Pirelli/Bosch Cyber Tyre uses BLE (still eavesdroppable), limited to premium vehicles.
Manufacturers should encrypt IDs, rotate them, or adopt ultra-low-power modes without fixed beacons. Policymakers must update regulations like EU 2019/2144 for TPMS inclusion.
Drivers can use TPMS trigger tools for ID verification, but lack disable options; aftermarket encrypted sensors are unproven. Near-term: Deploy directional antennas or LF shielding, though impractical.
This flaw underscores how safety features become surveillance vectors in connected cars, urging swift protocol overhauls.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Tire Pressure Systems in Toyota, Mercedes, and Other Major Car Brands Enable Silent Vehicle Tracking appeared first on Cyber Security News.
