Many modern vehicles (2008 or newer) have a Tire Pressure Monitoring System (TPMS) that alerts the driver when the tire pressure is getting low. In fact, it’s required for all new vehicles in the US following legislation that was prompted by the 2000 Firestone tire issue. For my car, that means this little orange light comes on to tell me if a tire reports that it is low on air pressure. Right now, the light says the tire is low because I had to get a new tire after a flat and it requires a tool only the dealer has to re-sync it. Researchers have now proven that it is possible to track a car and disable a component of the electronic system through a car’s TPMS.
Each tire has a unique 32-bit code and it can be queried by the car’s electronic system. The information is broadcast wirelessly from each tire’s RFID using an unencrypted signal which travels up to 130 feet. To researchers from Rutgers University and University of South Carolina, this meant an attack vector. Somebody could essentially track a car’s location by querying the broadcast ID at intersections, toll booths, or specific locations (seedy clubs, political rallies, medical clinics, etc.) to watch where one went or prove that they were there.
The other problem with this approach is that, not only could the messages be intercepted, they could also be forged. An attacker could send the control unit impossible messages sending the system into bugs or even breaking it. The researchers were able to confuse one control unit so much it wouldn’t operate, even after rebooting, and it had to be replaced. This raises concerns, as was verified by the researchers, that a car driving next to you at 65 mph could essentially launch this attack on your computer’s electronics and disable them while they are moving or reach other parts of the electronics system like the self-parallel parking of some luxury vehicles.
Fortunately the pay off is low and the sensors required to read and interact with the TPMS are expensive at $1,500 each. The messages are also only polled at 60-90 second intervals, reducing or making the malicious task tediously long. Despite these natural limitations to exploiting this, it is an important eye opener to the auto industry that security and input validation needs to be run on all messages as more things become wirelessly networked in our cars traveling 70MPH. This research and its concluding paper was presented at the USENIX conference on Thursday.