Fear not: Wireless car hacking through the TPMS is extremely unlikely

Bob Ulrich
Posted on September 12, 2010

Last month, Rutgers University and the University of South Carolina released a joint study that, in essence, sounds scarier than it really is.

According to the report, which made the rounds over the Web, a vehicle’s automotive electronic systems are vulnerable in vehicles with direct tire pressure monitoring systems. Why? Because they can be “hacked” wirelessly through the tire pressure monitoring system (TPMS) sensor, which sends information via a wireless signal to the engine control unit, or ECU.

In “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study,” the researchers say they were able to do just that.

I contacted several TPMS manufacturers to find out what they thought. The folks at Schrader Electronics Ltd. responded with, shall we say, some doubts about the study’s conclusions. They said the study “raised uncertainty about the security of RF-based tire pressure monitoring systems.”

“While we sincerely respect the opinions of the researchers, we also strongly believe their study makes conclusions which are based on limited knowledge, and in some cases, are incorrect.”

Here are Schrader’s responses to questions about the issue.

Q. Can someone “forge” a TPM sensor and “fool” a vehicle system in thinking it has a low tire?

A. Technically this is possible; however, it is difficult, and certainly not as easy as the researchers suggest. First, it would require a significant amount of time, expensive equipment and knowhow to receive and replicate a proper protocol. Currently, the market has over 147 different protocol variations, which would mean an extensive effort would be required before a forger could start to send the correct protocol and vehicle specific ID, all before they could create a system disturbance. Next, the forger would have to stay within 25–30 feet of the vehicle for “extended periods of time” to cause the warning light to illuminate to the point of creating a false sense of security. The practicality of a forger following someone around, with the purpose of transmitting a false low pressure simply to annoy them, is questionable.

Q. Can someone use the TPM ID to track a driver’s location?

A. This is not only impractical but nearly impossible. TPM sensor transmitters are low signal devices subject to FCC Part 15 and are a Class C device. It is true that the signal is unencrypted, but due to the low signal strength, it would be highly unlikely anyone could read the signal from 130 feet away. It would be even more difficult to successfully read the signal when the vehicle is moving past a fixed location. TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical. Even the author admits this: “Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. Someone would have to invest money at putting receivers at different locations," she said. “Also, multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost $1,500.”

Q. The researcher suggests, “With such systems, people just try to make things work first, and they don't care about the security or privacy during the first run of design," Xu said. True or false?

A. Schrader has spent more than 15 years designing and developing TPMS systems. Our product has millions of operating miles in every day field conditions. It is completely incorrect that we “just try to make things work first.” The Automotive Electronics industry has some of the most stringent testing requirements of any industry. Consumer safety and security are first and foremost in the development process, and as an industry, we do not take short cuts. Similarly, in 2010, Schrader launched a public and industry TPMS communications campaign effort designed to raise consumer awareness about the safety, fuel savings, and environmental benefit of tire pressure monitoring systems. The centrepiece of the initiative is a comprehensive three-in-one TPMS Web site with three role-based sections: TPMSMadeSimple.com for drivers; TPMSMadeEasy.com to address aftermarket-specific training and service needs; and TPMSMadeRight.com to assist original equipment manufacturers with quality and technology-based decisions.

Q. The researcher suggests, “Such messages could also be forged. An attacker could flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings. An attacker could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit.” True or false?

A. It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU. In the hypothetical scenario, someone was successful in “confusing” an ECU; these systems are designed to flag such a fault and indicate the system needs to be repaired. This in no way would compromise a consumer’s safety or security.

In conclusion, Schrader said TPM systems, as currently designed, provide a reliable and safe indication of tire pressure.

“There have been millions of vehicles installed with TPMS over the past 15 years. TPMS is a legislated safety system required on 100% of U.S. vehicles beginning in 2008, and similar legislation is being developed in Europe and the Asia-Pacific countries.

“The National Highway Traffic Safety Administration (NHTSA) estimates that 660 fatalities and 33,000 injuries each year are attributable to crashes caused by underinflated tires. TPM systems are protecting drivers and passengers and ensuring safety each and every day.”

So don't worry. Tire pressure monitoring systems are secure. Now, if only the industry could develop an unbreakable and affordable TPMS sensor...

Related Topics: ECU, tire service, TPMS, Underhood service

Bob Ulrich Editor
Comments ( 4 )
  • See all comments
  • Andy Dodd

     | about 2 years ago

    "TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical." - https://github.com/jboone/gr-tpms - One receiver to rule them all. True, not all TPMS variants are supported, but at this point, that's just entries in a table of a piece of software. Total system cost for a multi-sensor capable receiver that can decode any 315 MHz receiver on the market with, at most, some software changes is <$200. Admittedly if you want to transmit it's a bit more - a HackRF costs $300 for the RF hardware alone. " It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU." - I don't know how many times I've seen a company say something is "impossible" only to get the system they claimed was "impossible" to attack fall to a buffer overflow vulnerability within months. Given the obvious lack of security effort put into the systems, I wouldn't be surprised if a number of receivers have buffer overflow vulnerabilities. (Potential attack - crash the receiver with an excessively long message, causing the TPMS to not illuminate the light if the tire deflated later. aka denial-of-service attack)

More Stories
The first week of July 2018 will mark the launch of TireHub, the joint distribution project of Goodyear and Bridgestone.
News

TireHub Gets the Green Light From Regulators

TireHub LLC is a go. The joint venture for passenger and light truck tire distribution between Goodyear Tire & Rubber Co. and Bridgestone Americas Inc. will begin serving customers the first week of July.  

Mirco Spiniella (business development director), Angelo Giannangeli and Wayne Foster were among the Traingle associates manning the booth.
News

New Products Further Triangle's Global Momentum

During the last 18 months, Triangle Tyre Co. Ltd. has built international offices in Milan, Italy (for Europe), Dubai (for the Middle East and Africa), Bangkok (for Southeast Asia), the United States, Panama and India.

Bakari Howard is the corporate training supervisor for Falken, and he spearheads the Falken Academy classroom experience.
Photo

Photos: A Look at the New Falken Academy

Falken Tire Corp. has created a new in-person training program for tire dealers, and Modern Tire Dealer Senior Editor Joy Kopcha grabbed a seat in a June 2018 session. The two-day training includes one day in the classroom at Sumitomo Rubber North America Inc. headquarters, and another day on the track and on the trail testing Falken products.

A Jeep, which is equipped with 37-inch Nexen Roadian MTX tires, climbs an obstacle on the Gold Mountain 4x4 trail in the San Bernardino Mountains.
News

Nexen Expands Size Range of Roadian MTX

Nexen Tire America Inc. has added 33-, 35- and 37-inch sizes preferred by many extreme off-road enthusiasts to the Roadian MTX Mud Terrain Xtreme tire lineup.

News

Nokian Is Adding Capacity for Passenger Tires

Nokian Tyres plc is increasing production capacity for passenger car tires at its factory in Nokia, Finland, by approximately 30%. The tire maker will hire 80 new employees and run nine additional shifts each week.  

News

Vogue Promotes $75 Summer Rebate

Vogue Tyre and Rubber Co. is rolling into summer with a consumer rebate for purchases of a set of four Vogue Signature V Black tires.

Be the First to Know

Get the latest news and most popular articles from MTD delivered straight to your inbox. Stay on top of the tire industry and don't miss a thing!