$100 devices turn your car’s tire sensors into 24/7 trackers – no GPS needed


Privacy advocates warn that tire pressure monitoring systems – required in nearly every passenger vehicle – can allow hackers to track vehicle locations 24/7, exposing drivers’ travel patterns, habits, daily routines, and more.


The findings stem from a 10-week study by the IMDEA Networks Institute, in which researchers collected more than 6 million Tire Pressure Monitoring System (TPMS) radio signals broadcast from more than 20,000 vehicles of all makes and models.


“Our results show that these tire sensor signals can be used to follow vehicles and learn their movement patterns,” says Domenico Giustiniano, Research Professor at IMDEA Networks Institute.

“This means a network of inexpensive wireless receivers could quietly monitor the patterns of cars in real-world environments. Such information could reveal daily routines, such as work arrival times or travel habits,” Giustiniano said.

Spectrum receiver setup. Image by IMDEA Networks Institute

To conduct the experiment, researchers said they built a network of low-cost radio receivers – or Software Defined Radio (SDR) receivers, costing about $100 each – and placed them near roads and parking areas across Europe.

Researchers say the hidden privacy risks associated with passive tire-monitoring systems highlight “the need to develop stronger security measures for future vehicle sensor systems.”

How researchers tracked moving vehicles

The small sensors, located on each wheel, have been a mandatory safety feature for all passenger vehicles sold in the US since 2006 and in Europe since 2014. They are designed to send a wireless signal to the car’s computer, the Electronic Control Unit (ECU), alerting the driver if a tire is underinflated.

Alloy wheel rim with modern tire pressure monitoring sensor (TPMS) installed. Image by AimurK | Shutterstock

And, even though IMDEA specifically tracked only 12 distinct European car brands for the experiment, the researchers said they observed at least 20,000 cars during their monitoring, meaning that “malicious actors could easily scale their efforts to track thousands of cars” at any given moment.

Toyota, Renault, Hyundai, and Mercedes were just some of the auto manufacturers observed for the study.


One of the main reasons TPMS transmissions are so insecure is that the sensors' radio signals can pass through walls and vehicles, according to the research.

This gives threat actors the ability to easily intercept and capture the sensor’s transmission data using a basic wireless radio receiver, without ever being detected – a tactic known as eavesdropping.

A network of low-cost spectrum receivers can capture and analyze the movement patterns of vehicles, inferring car owners’ routines. Image by IMDEA Networks Institute

What’s more, any third party located within 40 meters (about 130 feet) of the vehicle could intercept the sensor data.

“TPMS-based tracking is cheaper, harder to detect, and more difficult to avoid than camera-based surveillance, and therefore a stronger privacy threat,” the IMDEA research states.

“This allows anyone with affordable equipment, such as a low-cost spectrum receiver and a standard off-the-shelf antenna, to capture and track vehicles throughout time and space.”

– IMDEA Networks Institute study, "Can’t Hide Your Stride: Inferring Car Movement Patterns from Passive TPMS Measurements"

The personal data hiding in tire sensor signals

The tire sensors were also observed transmitting a unique ID number via an unencrypted, clear-text wireless signal, allowing a threat actor to identify the same vehicle again simply by using its assigned ID number.

The research noted that these unique identifiers are fixed and do not change over the lifetime of the tire, posing a long-term tracking risk.

“Attackers can use this information to learn, predict, and exploit a person’s movements, points of interest, and behavior patterns,” the Institute said.


By studying the profiles of four workers, the experiment determined whether they were full-time or part-time, their exact in and out times, who worked from home and on what days, when they took lunch, and how long their breaks were.

Based on pattern anomalies, researchers were also able to determine when one worker took a vacation and that another attended a university night class once a week.

"Thieves could learn delivery schedules, estimate cargo weight from pressure readings, or even spoof flat-tire warnings to force a vehicle to stop. Toyota, Renault, Hyundai, and Mercedes all use the vulnerable systems, and there's no standard for fixing it," one user posted about the research on X.

The tire pressure readings can reveal other sensitive information, such as the type of vehicle or whether a car or truck is carrying heavy loads.


Other sensitive driver information potentially extrapolated from TPMS transmissions is said to include “the presence, type, weight, or driving pattern of the driver.”


The Institute is urging manufacturers to develop security measures to harden sensor systems and lawmakers to enact protections to enforce their implementation.

Headquartered in Madrid, the IMDEA Networks Institute is an international scientific research organization focused on developing future networking technologies, including 5G/6G, IoT, and AI technologies, according to its website.

