Fear not: Wireless car hacking through the TPMS is extremely unlikely

Bob Ulrich
Posted on September 12, 2010

Last month, Rutgers University and the University of South Carolina released a joint study that, in essence, sounds scarier than it really is.

According to the report, which made the rounds over the Web, a vehicle’s automotive electronic systems are vulnerable in vehicles with direct tire pressure monitoring systems. Why? Because they can be “hacked” wirelessly through the tire pressure monitoring system (TPMS) sensor, which sends information via a wireless signal to the engine control unit, or ECU.

In “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study,” the researchers say they were able to do just that.

I contacted several TPMS manufacturers to find out what they thought. The folks at Schrader Electronics Ltd. responded with, shall we say, some doubts about the study’s conclusions. They said the study “raised uncertainty about the security of RF-based tire pressure monitoring systems.”

“While we sincerely respect the opinions of the researchers, we also strongly believe their study makes conclusions which are based on limited knowledge, and in some cases, are incorrect.”

Here are Schrader’s responses to questions about the issue.

Q. Can someone “forge” a TPM sensor and “fool” a vehicle system in thinking it has a low tire?

A. Technically this is possible; however, it is difficult, and certainly not as easy as the researchers suggest. First, it would require a significant amount of time, expensive equipment and knowhow to receive and replicate a proper protocol. Currently, the market has over 147 different protocol variations, which would mean an extensive effort would be required before a forger could start to send the correct protocol and vehicle specific ID, all before they could create a system disturbance. Next, the forger would have to stay within 25–30 feet of the vehicle for “extended periods of time” to cause the warning light to illuminate to the point of creating a false sense of security. The practicality of a forger following someone around, with the purpose of transmitting a false low pressure simply to annoy them, is questionable.

Q. Can someone use the TPM ID to track a driver’s location?

A. This is not only impractical but nearly impossible. TPM sensor transmitters are low signal devices subject to FCC Part 15 and are a Class C device. It is true that the signal is unencrypted, but due to the low signal strength, it would be highly unlikely anyone could read the signal from 130 feet away. It would be even more difficult to successfully read the signal when the vehicle is moving past a fixed location. TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical. Even the author admits this: “Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. Someone would have to invest money at putting receivers at different locations," she said. “Also, multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost $1,500.”

Q. The researcher suggests, “With such systems, people just try to make things work first, and they don't care about the security or privacy during the first run of design," Xu said. True or false?

A. Schrader has spent more than 15 years designing and developing TPMS systems. Our product has millions of operating miles in every day field conditions. It is completely incorrect that we “just try to make things work first.” The Automotive Electronics industry has some of the most stringent testing requirements of any industry. Consumer safety and security are first and foremost in the development process, and as an industry, we do not take short cuts. Similarly, in 2010, Schrader launched a public and industry TPMS communications campaign effort designed to raise consumer awareness about the safety, fuel savings, and environmental benefit of tire pressure monitoring systems. The centrepiece of the initiative is a comprehensive three-in-one TPMS Web site with three role-based sections: TPMSMadeSimple.com for drivers; TPMSMadeEasy.com to address aftermarket-specific training and service needs; and TPMSMadeRight.com to assist original equipment manufacturers with quality and technology-based decisions.

Q. The researcher suggests, “Such messages could also be forged. An attacker could flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings. An attacker could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit.” True or false?

A. It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU. In the hypothetical scenario, someone was successful in “confusing” an ECU; these systems are designed to flag such a fault and indicate the system needs to be repaired. This in no way would compromise a consumer’s safety or security.

In conclusion, Schrader said TPM systems, as currently designed, provide a reliable and safe indication of tire pressure.

“There have been millions of vehicles installed with TPMS over the past 15 years. TPMS is a legislated safety system required on 100% of U.S. vehicles beginning in 2008, and similar legislation is being developed in Europe and the Asia-Pacific countries.

“The National Highway Traffic Safety Administration (NHTSA) estimates that 660 fatalities and 33,000 injuries each year are attributable to crashes caused by underinflated tires. TPM systems are protecting drivers and passengers and ensuring safety each and every day.”

So don't worry. Tire pressure monitoring systems are secure. Now, if only the industry could develop an unbreakable and affordable TPMS sensor...

Related Topics: ECU, tire service, TPMS, Underhood service

Bob Ulrich Editor
Comments ( 4 )
  • See all comments
  • Andy Dodd

     | about 3 months ago

    "TPM systems operate on multiple frequencies, data speeds, ID lengths, protocol encoding, etc. If someone was successful in decoding one sensor type, there are over 147 different types currently in operation, and this number increases every day. The complexity in the market not only makes it difficult for this scenario but also impractical." - https://github.com/jboone/gr-tpms - One receiver to rule them all. True, not all TPMS variants are supported, but at this point, that's just entries in a table of a piece of software. Total system cost for a multi-sensor capable receiver that can decode any 315 MHz receiver on the market with, at most, some software changes is <$200. Admittedly if you want to transmit it's a bit more - a HackRF costs $300 for the RF hardware alone. " It is impossible to “break” a transmitter or receiver by sending false or “nonsensical” messages to the ECU." - I don't know how many times I've seen a company say something is "impossible" only to get the system they claimed was "impossible" to attack fall to a buffer overflow vulnerability within months. Given the obvious lack of security effort put into the systems, I wouldn't be surprised if a number of receivers have buffer overflow vulnerabilities. (Potential attack - crash the receiver with an excessively long message, causing the TPMS to not illuminate the light if the tire deflated later. aka denial-of-service attack)

More Stories
Figure 1: Exploded view of a clamp-in style tire pressure sensor. Illustrations courtesy of General Motors Corp.
Article

TPMS: GM/Cadillac Escalade Series: 2007-16

The tire pressure monitoring system (TPMS) on 2007 to 2016 GM/Cadillac Escalade Series system uses the remote control door lock receiver (RCDLR), body control module (BCM), four radio frequency (RF) transmitting pressure sensors, and the serial data circuit to perform the sensor learn mode functions.

News

Vipal Meets Customers in New Orleans

Vipal Rubber Corp. is displaying its recently-released, Alpine-symbol-certified VT220 tread at the North American Tire & Retread Expo in New Orleans.

News

Road To Indy TV Unveils Xbox One App 

After becoming the first American racing series with a dedicated broadcast channel on demand via Apple TV, Amazon Fire and Roku last April, Mazda Road to Indy TV today announced another landmark.

Be the First to Know

Get the latest news and most popular articles from MTD delivered straight to your inbox. Stay on top of the tire industry and don't miss a thing!