Tire tags reveal driver whereabouts

Automobile tire pressure monitoring systems show little concern for security

Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged.

While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study.

"If no one mentions [such flaws], then they won't bother with security," Xu said.

The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington D.C.

The system that the researchers tested monitors the air pressure of each tire on an automobile. The U.S. has required such systems in new automobiles since 2008, thanks to legislation passed after controversy erupted over possible defective Firestone tires in 2000. The European Union will require new automobiles to have similar monitoring systems in place by 2012.

As computerized systems are being increasingly used in automobiles, critics such as Xu are asking what safeguards system makers are putting in place to prevent vulnerabilities in such systems, knowing that bugs and security holes invariably sneak into all software.

Toyota came under the scrutiny of U.S. law makers earlier this year, who asked the car maker if software bugs could be a reason for the unattended acceleration of its vehicles, a charge Toyota officials denied.

With such systems, "people just try to make things work first, and they don't care about the security or privacy during the first run of design," Xu said.

The tire pressure monitoring systems (TPMS) consist of battery-powered radio frequency identification (RFID) tags on each tire, which can respond with the air pressure readings of the tire when wirelessly queried by an electronic control unit (ECU).

The researchers had found that each sensor has a unique 32-bit ID and that communication between the tag and the control unit was unencrypted, meaning it could be intercepted by third parties from as far away as 40 meters.

"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs," the researchers write, in a paper that accompanies the presentation.

Such messages could also be forged. An attacker could flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings, the researchers contend. An attacker could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit.

"We have observed that it was possible to convince the TPMS control unit to display readings that were clearly impossible," the researchers write. In one case, the researchers had confounded the control unit so badly that it could no longer operate properly, even after rebooting, and had to be replaced by the dealer.

Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. "Someone would have to invest money at putting receivers at different locations," she said. Also multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost US$1,500.

Nonetheless, component manufacturers could take some easy steps to strengthen the security of these systems, the researchers conclude. Communications could be encrypted. Also the ECU should filter incoming messages so that any with unexpected payloads should be discarded, so they do not corrupt the system.

"The consumer may be willing to pay few dollars to make their autos secure," Xu said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Topics: University of South Carolina, Rutgers University, Automotive, security, industry verticals, privacy

Comments

ak

1

This is a red herring. They can track you by your cell phone, gps unit, or even with cameras via your license plate (cheaper than rfid btw). The only real danger would be some sort of code injection attack, which was clearly not demonstrated here.

Jose

2

Th previous comment from "ak" misses the point. The tire preasure system was used as an example to demonstrate the attitude and common practices used in the developmnt of such systems. If developers don't start thinking about security they will eventually expose users to significant vulnerabilities. Also note that although no code was injected they were able to cause eratic behavior in the devices and in one case even caused it to fail.

Doug

3

This is pretty bogus. No one is more paranoid about the security of their electronics systems then the automotive industry and these researchers essentially prove that. They demonstrated that they were unable to inject false data. Of course they were able to interfere with it, any cheapo jammer off of eBay can interfere with any wireless systems. Yawn.

Auto manufactures have to scrimp for every penny of cost savings in a vehicle and adding several dollars worth of encryption where it's not needed is ridiculous. They have it where it counts though. Try to hack into the ECU and inject false data that is processed by the ECU and see how far you get.

Pencilneck

4

Lame... LAME. This is a real non story. As noted, there are easier and cheaper ways to track cars. Add to that, some companies are doing away with the sensors mounted on the wheels and instead will use the ABS system to act as a TPMS. The ABS already knows wheel speed, if a tire is going flat, then that one wheel will report a very different wheel speed from the others, thus the ABS will request a TPMS light on the dash. It is only a matter of time before all manufactures do it this way because it is much cheaper since you get rid of 4 transmitters and 1 receiver.

A downside of using the ABS system as the TPMS... the tires have to be matching. If you have tires that are worn 60% and bust one, and then replace only that one tire, 1 new tire with 3 other worn tires can make the ABS think there is a low tire. All tires may have to be replaced unless some sort of adaption is allowed.

psuedonymous

5

@Doug
They were not merely able to 'interfere' with a system. They were able to IRREVOCABLY disable an in-car system simply by feeding it tyre sensor data. That's one hell of a vulnerability, and the obvious start of a buffer overrun exploit.

Redbeard

6

@Doug

You mean like these guys (http://www.autosec.org/publications.html) did?

Jeffry Suekins

7

No one is more paranoid about the security of their electronics systems then the automotive industry and these researchers essentially prove that.
<a href="http://www.maxigripstore.com/">Maxigrip Tire Studs</a>

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
Use WhistleOut's technology to compare:
Mobile phone plans & deals
Mobile phone models
Mobile phone carriers
Broadband plans & deals
Broadband providers
Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?