Passive and Active Attacks on TPMS Systems
This talk demonstrates passive surveillance and active spoofing attacks against Tire Pressure Monitoring Systems (TPMS). The research highlights the lack of encryption and authentication in the wireless communication protocol between TPMS sensors and the vehicle's Electronic Control Unit (ECU). The speaker shows how to use low-cost Software Defined Radio (SDR) hardware to track vehicle movements and inject malicious data to trigger false tire pressure warnings. The presentation includes the release of two open-source repositories for analyzing and spoofing TPMS signals.
Why Your Car’s Tire Pressure Sensors Are a Privacy Nightmare
TLDR: Modern Tire Pressure Monitoring Systems (TPMS) transmit data in cleartext without any form of authentication or encryption, allowing anyone with a cheap SDR to track vehicle movements and spoof sensor data. This research demonstrates how to passively monitor unique sensor IDs to build long-term behavioral profiles and actively inject false pressure warnings to trigger dashboard alerts. Pentesters and researchers can use the provided tools to audit these systems and understand the significant privacy and safety risks inherent in current automotive wireless protocols.
Automotive security often focuses on the CAN bus or infotainment systems, but the wireless sensors sitting inside your tires are a massive, overlooked attack surface. Every time you drive, your vehicle’s Tire Pressure Monitoring System (TPMS) broadcasts telemetry data to the Electronic Control Unit (ECU). This communication happens over the air, usually in the 433 MHz or 915 MHz bands, and it is almost universally unencrypted and unauthenticated. If you think your car is only talking to its own sensors, you are mistaken. Any device within range can listen to these broadcasts, and with a bit of effort, any device can talk back.
The Mechanics of Passive Surveillance
The vulnerability here is fundamental: the protocol assumes that any signal received on the correct frequency and matching the expected modulation is a legitimate sensor. Because these sensors are battery-powered, they are designed to be extremely efficient. They typically wake up when the vehicle starts moving and broadcast their unique 32-bit sensor ID, pressure, and temperature data every 30 to 60 seconds.
Tracking these vehicles is trivial. By using an RTL-SDR and a simple antenna, you can capture these packets from hundreds of meters away. Even in non-line-of-sight (NLOS) conditions, such as through walls or around corners, the signal is robust enough to be picked up. Once you have a database of these unique IDs, you can correlate them with specific vehicles. Over time, you can build a comprehensive schedule of when a vehicle arrives, when it departs, and how often it is used. This is not theoretical; it is a direct privacy violation that requires nothing more than a $30 radio and some basic signal processing.
Active Spoofing and Injection
Passive monitoring is just the start. Because the ECU does not verify the source of the TPMS packets, you can inject your own. If you know the modulation and the packet structure—which is often proprietary but easily reverse-engineered—you can craft a malicious packet that reports a "low tire pressure" state.
The process for reverse-engineering these signals is straightforward for anyone familiar with digital signal processing. You capture the raw IQ data, identify the modulation (usually 2-FSK or ASK), and decode the bitstream. Once you have the structure, you can use a device with transmit capabilities, like a USRP Mini or even a Flipper Zero, to broadcast your spoofed packets.
When the ECU receives a packet with a valid sensor ID but a "low pressure" flag, it immediately triggers a warning on the dashboard. In many vehicles, this is not just a light; it is an annoying, persistent alert that can distract the driver or force them to pull over.
# Example of a simplified packet structure for a Renault sensor
# Preamble: 0xa, 0x9
# Flags: 1 byte
# Pressure: 2 bytes
# Temperature: 1 byte
# ID: 3 bytes
# CRC: 1 byte (CRC-8)
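A receiver-side plausibility check for the behaviour described above, where a single low-pressure frame raises a dashboard warning. This is an added example, not code from the talk or its repositories. The class name, the delta and confirmation thresholds, and the sample frames are assumptions; only the 30-second minimum interval comes from the broadcast cadence stated earlier.

```python
from collections import defaultdict

MIN_INTERVAL_S = 30   # sensors broadcast every 30 to 60 seconds (from the text)
MAX_DELTA_KPA = 40    # assumed: largest plausible change between two frames
CONFIRM_FRAMES = 3    # assumed: consecutive low frames required before alerting


class TpmsPlausibility:
    """Hypothetical ECU-side filter that treats TPMS frames as untrusted input."""

    def __init__(self):
        self.last = {}                      # sensor_id -> (time_s, pressure_kpa)
        self.low_streak = defaultdict(int)  # sensor_id -> consecutive low frames

    def observe(self, t, sensor_id, pressure_kpa, low_flag):
        prev = self.last.get(sensor_id)
        if prev is not None:
            early = (t - prev[0]) < MIN_INTERVAL_S
            jump = abs(pressure_kpa - prev[1]) > MAX_DELTA_KPA
            if early and jump:
                # Off-schedule frame that contradicts the last reading:
                # keep the old baseline and report it instead of alerting.
                self.low_streak[sensor_id] = 0
                return "suspect"
        self.last[sensor_id] = (t, pressure_kpa)
        if not low_flag:
            self.low_streak[sensor_id] = 0
            return "ok"
        self.low_streak[sensor_id] += 1
        if self.low_streak[sensor_id] >= CONFIRM_FRAMES:
            return "alert"
        return "pending"


def classify(frames):
    ecu = TpmsPlausibility()
    return [ecu.observe(*f) for f in frames]


# Constructed sample: (time_s, sensor_id, pressure_kpa, low_flag)
SAMPLE = [
    (0, "A", 230, False), (0, "B", 220, False),
    (40, "B", 190, True), (45, "A", 231, False),
    (50, "A", 120, True),                 # off-schedule, contradicts sensor A
    (80, "B", 170, True), (90, "A", 230, False),
    (120, "B", 150, True),                # third consistent low frame from B
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(frame, verdict)
```

Because the genuine sensor keeps transmitting, injected frames show up as conflicting readings for one ID; the filter reduces false alerts but does not replace authentication.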
Real-World Impact for Pentesters
If you are performing a red team engagement or a physical security assessment, this is a powerful tool for tracking assets. You don't need to be near the vehicle to know it has arrived at a specific location. You can set up a sensor array at the perimeter of a facility and log every vehicle that enters or exits based on its unique TPMS signature.
The impact of active spoofing is equally significant. During a test, you could simulate a fleet-wide tire failure, causing operational disruption for a logistics company or creating a chaotic environment in a controlled setting. The absence of OWASP IoT security controls, specifically secure communication and authentication, means that these systems are essentially wide open to anyone who knows how to handle a radio.
The Defensive Reality
Defenders are in a tough spot here. Because these sensors are already deployed in millions of vehicles, there is no easy "patch." The protocol itself is the problem. Manufacturers need to move toward rolling IDs and encrypted communication, similar to what is used in modern key fobs. Until that happens, the only real defense is to recognize that the TPMS channel is untrusted. If you are a manufacturer, stop assuming that the airwaves are a secure perimeter. If you are a researcher, start looking at the other wireless protocols in your vehicle—if the TPMS is this insecure, what else is?
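One way to realise the rolling-ID direction named above, as an added example that is not from the talk or any manufacturer's protocol: the over-the-air ID changes every frame, and a truncated HMAC lets the ECU reject forged or replayed frames. The shared key provisioned at pairing, the frame layout, field sizes and all names are assumptions, and payload encryption is not shown.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed: number of missed frames the receiver tolerates


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def sensor_frame(key, counter, pressure_kpa, temp_c):
    """Hypothetical layout: rolling ID (4) | pressure, temp (3) | MAC tag (8)."""
    ctr = struct.pack(">I", counter)          # counter never goes on the air
    rolling_id = _prf(key, b"id", ctr)[:4]
    payload = struct.pack(">Hb", pressure_kpa, temp_c)
    tag = _prf(key, b"mac", ctr + rolling_id + payload)[:8]
    return rolling_id + payload + tag


class Receiver:
    def __init__(self, key, last_counter=0):
        self.key = key
        self.last = last_counter

    def accept(self, frame):
        """Return (pressure_kpa, temp_c) for an authentic, fresh frame, else None."""
        if len(frame) != 15:
            return None
        rid, payload, tag = frame[:4], frame[4:7], frame[7:]
        # Only counters ahead of the last accepted one are tried, so a
        # recorded frame cannot be replayed.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            ctr = struct.pack(">I", c)
            if not hmac.compare_digest(rid, _prf(self.key, b"id", ctr)[:4]):
                continue
            expect = _prf(self.key, b"mac", ctr + rid + payload)[:8]
            if hmac.compare_digest(tag, expect):
                self.last = c
                return struct.unpack(">Hb", payload)
        return None


if __name__ == "__main__":
    key = bytes(range(16))                    # constructed demo key
    rx = Receiver(key)
    f1, f2 = sensor_frame(key, 1, 230, 25), sensor_frame(key, 2, 231, 25)
    print(f1[:4] != f2[:4])                   # ID differs between frames
    print(rx.accept(f1), rx.accept(f1))       # accepted once, replay rejected
    forged = f2[:4] + struct.pack(">Hb", 120, 25) + f2[7:]
    print(rx.accept(forged), rx.accept(f2))   # altered payload rejected
```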
The tools to replicate this research are available now. You can find the analysis scripts and the spoofing utilities in the tpms-analysis and tpms-tools repositories. Use them to audit the systems you work with, but keep in mind the legal and ethical boundaries of testing wireless signals in public spaces. The next time you see a tire pressure warning on your dashboard, remember that it might not be your tire that is failing—it might be someone else’s radio that is succeeding.