Spy My Ride: Somebody may be tracking your vehicle and you don't know about it!

New technologies always come with privacy issues

There is no shortage of articles discussing privacy issues introduced by new technologies. ReadID, passports, chips in currency bills, and other engineering marvels designed for purposes of tracking and monitoring, always come with a bouquet of questions and privacy concerns. On the other hand, technologies not specifically designed for monitoring can sometimes be used for this very purpose and privacy problems introduced by them are often overlooked. Tire Pressure Monitoring Systems (TPMS) is one of those technologies.

What is TPMS?

TPMS lets on-board vehicle computers measure air pressure in the tires. If you purchased a new vehicle in the last 2 years, it is very likely that it came with TPMS. If you live in the Unites States, your next vehicle will contain TPMS whether you like or not -- in April 2005, National Highway Traffic Safety Administration issued a rule requiring automakers to install TPMS sensors in all new passenger cars and trucks starting in September 2007.

The first passenger vehicle to adopt TPMS was the Porshe 959 (1986); it measured tire pressure indirectly, and it did not use radio frequency (RF) to transmit information. Battery-powered wireless TPMS that directly measure air pressure in the tires appeared in the late 90's. Within a decade, the technology substantially advanced and was adopted by many auto-manufacturers. More high-level information about TPMS history can be found on this Wikipedia page

How does TPMS work?

In a typical TPMS, each wheel of the vehicle contains a device (TPMS sensor) - usually attached to the inflation valve - that measures air pressure and, optionally, temperature, vehicle state (moving or not), and the health of the sensor's battery. Each sensor transmits this information (either periodically or upon request) to the on-board computer in the vehicle. To differentiate between its own wheels and wheels of the vehicle in the next lane, each TPMS sensor contains a unique id. The receiver is "paired" to the sensors very much as a Bluetooth device. The vast majority of TPMS sensors transmit information in clear text using one of the assigned radio frequencies (typically, 315MHz or 433MHz).

TPMS transmits data that uniquely identifies your car!

Here is where privacy problems become obvious: Each wheel of the vehicle transmits a unique ID, easily readable using off-the-shelf receiver. Although the transmitter’s power is very low, the signal is still readable from a fair distance using a good directional antenna.

Remember the paper that discussed how Bluetooth radios in cell phones can be used to track their owners? The problem with TPMS is incomparably bigger, because the lifespan of a typical cell phone is around 2 years and you can turn the Bluetooth radio off in most of them. On the contrary, TPMS cannot be turned off. It comes with a built-in battery that lasts 7 to 10 years, and the battery-less TPMS sensors are ready to hit the market in 2010. It does not matter how long you own the vehicle – transportation authorities keep up-to-date information about vehicle ownership.

Why is this a problem?

What problems exactly does the TPMS introduce? If you live in the United States, chances are, you have heard about the “traffic-improving” ideas where transportation authorities looked for the possibility to track all vehicles in nearly real time in order to issue speeding tickets or impose mileage-adjusted taxes. Those ideas caused a flood of privacy debates, but fortunately, it turned out that it was not technically of financially feasible to implement such a system within the next 5-10 years, so the hype quickly died out.

Guess what? With minor limitations, TPMS can be used for the very purpose of tracking your vehicle in real time with no substantial investments! TPMS can also be used to measure the speed of your vehicle. Similarly to highway/freeway speed sensors that measure traffic speed, TPMS readers can be installed in pairs to measure how quick your vehicle goes over a predefined distance. Technically, it is even plausible to use existing speed sensors to read TPMS data!

Note that unlike traffic sensors that measure speed anonymously, TPMS can be used to measure speed of each individual vehicle because car manufacturers know serial numbers of every part in your vehicle, including unique IDs of TPMS sensors.

Now, no article is complete unless it mentions terrorists. Bad news, everyone (terrorists of all levels of badness -- rejoice)! It is now super easy to blow up someone's car. There's no need to fix the explosive to the vehicle. No more wires and buttons. No human factor. A high-school kid with passion for electronics can assemble a device that will trigger the detonator when the right vehicle passes by. (Movie directors, beware - I will go after you if I see this in the next blockbuster).

Aren't we being tracked already?

Yes, many vehicles already come with advanced tracking technologies, like OnStar, but they usually offered as options, so if you do not appreciate the possibility for OnStar support people to eavesdrop on the conversations in your vehicle (yes, they can do that), you can say "no, thank you" to the dealer, or, as the last resort, disable the evil device by cutting its power supply. TPMS cannot be easily disabled: you need to take the tire off the wheel to access the device.

As every other tracking technology, the TPMS was introduced as a safety feature “for your protection”. One might wonder why NTHSA (a government agency) would care so much about a small number of accidents related to under-pressurized tires. And why would it choose to mandate TPMS and not run-flat technology? Are we being tracked already? I hope not.

Can this problem be solved?

Yes, if it gets enough attention. Many chip manufacturers produce TPMS IC sets (for sensors and receivers). If they add functionality to encrypt the communication channel, the problem will go away. Note the similarity to the keyless entry remote controllers. Initially, the remote controllers did not use any encryption, but when carjackers started to sniff communications and replay them to unlock vehicles, a complex rolling code and encryption functionalities were implemented. Similar solutions can be adopted for TPMS.