$100 radio equipment can track cars through their tire sensors

When people consider what might track their movements, they think of smartphone apps, GPS services, or roadside cameras. The tires of a new car rarely enter that equation.

Researchers at IMDEA Networks Institute, together with European partners, found that Tire Pressure Monitoring System (TPMS) sensors inside each wheel broadcast unencrypted wireless signals containing persistent identifiers.

Each sensor sends out a unique ID that does not change, allowing the same car to be recognized again and tracked over time.

Building a low-cost monitoring network

To examine the exposure, the researchers deployed a network of low-cost software-defined radio receivers near roads and parking areas. Each receiver costs about $100.

Over a ten-week period, the system collected more than six million TPMS messages from more than 20,000 vehicles. TPMS sensors are designed for low-power transmission. In testing, the signals were received at distances exceeding 50 meters.

The team also developed methods to associate signals from all four tires of a vehicle, increasing confidence that repeated detections belonged to the same car.

The volume of data allowed repeated observation of the same identifiers at specific locations. When the same set of tire IDs appeared day after day at similar times, it became possible to associate them with recurring vehicle presence. Regular arrival times and routine parking patterns emerged from the signal logs.

The setup did not require access to cellular data, GPS feeds, or license plate cameras. TPMS signals are broadcast automatically whenever the vehicle is in operation. Drivers receive no indication that these transmissions can be intercepted externally.

“Malicious users could deploy passive receivers on large scales and track citizens without their knowledge. The advantage of such a system, over more traditional camera-based ones, is that no direct line-of-sight is needed with the TPMS sensors and spectrum receivers could be placed in covert or hidden locations, making them harder to spot by victims,” the researchers warned.

A network of radio receivers distributed throughout a city could be used to track vehicles and build profiles of their movements over time. In residential neighborhoods, repeated monitoring of household vehicles could reveal daily schedules and periods of absence, creating opportunities for burglary.

TPMS transmissions also include tire pressure readings, which in some cases may provide hints about vehicle type or load conditions. Such information could make certain vehicles more attractive targets. An attacker could follow logistics trucks, transmit counterfeit flat-tire alerts to force unscheduled stops, and use the disruption to target cargo.

A mandatory safety system

TPMS was introduced as a safety feature and is mandatory in a wide range of markets worldwide. Its purpose is to monitor tire pressure and alert drivers to unsafe conditions.

More than 50 countries, including all EU member states and several OECD nations, have adopted vehicle cybersecurity requirements under United Nations Regulation No. 155.

The framework requires automakers to implement certified cybersecurity management systems and address risks to vehicle data, including identity and location information. TPMS is not included in the certification scope.

Although proposals exist to strengthen privacy protections for TPMS sensors, the researchers found no evidence of deployment by manufacturers. They urge legislators, policymakers, and automakers to take steps to improve the privacy and security of the tire pressure monitoring system.