Fear not: Wireless car hacking through the TPMS is extremely unlikely

Bob Ulrich
Posted on September 12, 2010

Last month, Rutgers University and the University of South Carolina released a joint study that, in essence, sounds scarier than it really is.

According to the report, which made the rounds over the Web, a vehicle’s automotive electronic systems are vulnerable in vehicles with direct tire pressure monitoring systems. Why? Because they can be “hacked” wirelessly through the tire pressure monitoring system (TPMS) sensor, which sends information via a wireless signal to the engine control unit, or ECU.

In “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study,” the researchers say they were able to do just that.

I contacted several TPMS manufacturers to find out what they thought. The folks at Schrader Electronics Ltd. responded with, shall we say, some doubts about the study’s conclusions. They said the study “raised uncertainty about the security of RF-based tire pressure monitoring systems.”

“While we sincerely respect the opinions of the researchers, we also strongly believe their study makes conclusions which are based on limited knowledge, and in some cases, are incorrect.”

Here are Schrader’s responses to questions about the issue.

Q. Can someone “forge” a TPM sensor and “fool” a vehicle system in thinking it has a low tire?

A. Technically this is possible; however, it is difficult, and certainly not as easy as the researchers suggest. First, it would require a significant amount of time, expensive equipment and knowhow to receive and replicate a proper protocol. Currently, the market has over 147 different protocol variations, which would mean an extensive effort would be required before a forger could start to send the correct protocol and vehicle specific ID, all before they could create a system disturbance. Next, the forger would have to stay within 25–30 feet of the vehicle for “extended periods of time” to cause the warning light to illuminate to the point of creating a false sense of security. The practicality of a forger following someone around, with the purpose of transmitting a false low pressure simply to annoy them, is questionable.

Q. Can someone use the TPM ID to track a driver’s location?

A. This is not only impractical but nearly impossible. TPM sensor transmitters are low signal devices subject to FCC Part 15 and are a Class C device. It is true that the signal is unencrypted, but due to the low signal strength, it would be highly unlikely anyone could read the signal from 130 feet away. It would be even more difficult to successfully read the signal when the vehicle is moving past a fixed location. TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical. Even the author admits this: “Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. Someone would have to invest money at putting receivers at different locations," she said. “Also, multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost $1,500.”

Q. The researcher suggests, “With such systems, people just try to make things work first, and they don't care about the security or privacy during the first run of design," Xu said. True or false?

A. Schrader has spent more than 15 years designing and developing TPMS systems. Our product has millions of operating miles in every day field conditions. It is completely incorrect that we “just try to make things work first.” The Automotive Electronics industry has some of the most stringent testing requirements of any industry. Consumer safety and security are first and foremost in the development process, and as an industry, we do not take short cuts. Similarly, in 2010, Schrader launched a public and industry TPMS communications campaign effort designed to raise consumer awareness about the safety, fuel savings, and environmental benefit of tire pressure monitoring systems. The centrepiece of the initiative is a comprehensive three-in-one TPMS Web site with three role-based sections: TPMSMadeSimple.com for drivers; TPMSMadeEasy.com to address aftermarket-specific training and service needs; and TPMSMadeRight.com to assist original equipment manufacturers with quality and technology-based decisions.

Q. The researcher suggests, “Such messages could also be forged. An attacker could flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings. An attacker could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit.” True or false?

A. It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU. In the hypothetical scenario, someone was successful in “confusing” an ECU; these systems are designed to flag such a fault and indicate the system needs to be repaired. This in no way would compromise a consumer’s safety or security.

In conclusion, Schrader said TPM systems, as currently designed, provide a reliable and safe indication of tire pressure.

“There have been millions of vehicles installed with TPMS over the past 15 years. TPMS is a legislated safety system required on 100% of U.S. vehicles beginning in 2008, and similar legislation is being developed in Europe and the Asia-Pacific countries.

“The National Highway Traffic Safety Administration (NHTSA) estimates that 660 fatalities and 33,000 injuries each year are attributable to crashes caused by underinflated tires. TPM systems are protecting drivers and passengers and ensuring safety each and every day.”

So don't worry. Tire pressure monitoring systems are secure. Now, if only the industry could develop an unbreakable and affordable TPMS sensor...

Related Topics: ECU, tire service, TPMS, Underhood service

Bob Ulrich Editor
Comments ( 4 )
  • See all comments
  • Andy Dodd

     | about 12 months ago

    "TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical." - https://github.com/jboone/gr-tpms - One receiver to rule them all. True, not all TPMS variants are supported, but at this point, that's just entries in a table of a piece of software. Total system cost for a multi-sensor capable receiver that can decode any 315 MHz receiver on the market with, at most, some software changes is <$200. Admittedly if you want to transmit it's a bit more - a HackRF costs $300 for the RF hardware alone. " It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU." - I don't know how many times I've seen a company say something is "impossible" only to get the system they claimed was "impossible" to attack fall to a buffer overflow vulnerability within months. Given the obvious lack of security effort put into the systems, I wouldn't be surprised if a number of receivers have buffer overflow vulnerabilities. (Potential attack - crash the receiver with an excessively long message, causing the TPMS to not illuminate the light if the tire deflated later. aka denial-of-service attack)

More Stories
News

Yokohama to Increase OTR Tire Production

Yokohama Rubber Co. Ltd. plans to spend $45.5 million to expand production of off-the-road tires at an Alliance Tire Group plant in India. By the end of 2019 the company says production capacity at the site will increase more than 60%, to 91,700 tons.  

Matt Leeper from Falken Tire, left, presented a grand prize motorcycle to Ron Barlow from FTC Enterprises during the final dinner of the K&M Tire 2018 Dealer Conference.
News

K&M Tire Dealers Learn Sales, Customer Service and Efficiency Tips

K&M Tire Inc. founder Ken Langhals likes to remind his 600-plus employees that a customer’s tire order one day doesn’t guarantee another order the next. And that means K&M’s annual dealer conference is an opportunity to provide dealers with help and extra services that set K&M apart from other wholesalers.

Article

An Insight into Tires and Their Problems in Europe

The National Tyre Distributors Association (NTDA) recently held its annual conference, which, although traditionally staged in the UK, represents the ongoing current issues in the tire industry throughout Europe (at least until the Brexit negotiations are completed) and attracts an extensive and diverse range of delegates.

The retail business may be the foundation, but Point S Battle Mountain Tire and Auto Service wants to expand its commercial footprint. That means hauling tires to its customers’ locations or work sites is a regular task.
Article

From Miner to Tire Dealer

Walt Holland comes from a family of miners. Growing up he worked in the uranium mine his father owned, and he went on to spend 30 years working in Nevada’s gold, silver and copper mines. He eventually became a mine operations manager for Newmont Mining Corp., one of the largest mining companies in the U.S.

SMPS's latest release of BWD parts includes fuel vapor canisters and vehicle speed sensors.
Product

SMP Expands BWD Line

Standard Motor Products Inc. (SMP) has added 324 part numbers for domestic and import vehicles to its BWD engine management line.

Chicago Pneumatic says its new CP825C series of composite air ratchets will allow operators to do the job quickly in any light or heavy vehicles general mechanic applications.
Product

Chicago Pneumatic Upgrades Composite Air Ratchets

Chicago Pneumatic Tool Co.’s new CP825C series composite air ratchets are designed to offer high accessibility to tight spaces such as motor engine compartments as well as high speed for fast rundown (280 RPM).

News

Hotwire Will Return After MLK Holiday

Due to the Martin Luther King Jr. holiday, Modern Tire Dealer will not publish Hotwire on Monday. Look for the next edition on Tuesday, Jan. 16.

Be the First to Know

Get the latest news and most popular articles from MTD delivered straight to your inbox. Stay on top of the tire industry and don't miss a thing!