Conspiracy theorist ready your tin hats!
I’ve taken to listening to podcast instead of music while running and heard some interesting news that encouraged me to rush back to my computer this morning and do some research.
History: Most of you will remember the Firestone tire recall from 1990 where more than 100 deaths were attributed to tire separation which was due to over inflation of the tire. In response to this, the Clinton Administration passed the TREAD act. One of the key provisions of this act was that all cars sold after Sept 1 2007 have installed TPMS (Tire Pressure Monitoring Systems) which would give the driver near real time information on the status of tire pressure. The information is fed back to your cars ECU (“computer”) which would presumably know the optimum pressure for your factory tires and warn you of over/under inflation.
If you don’t know how these work, these are small devices which are stuck to the inside of your rim with a small RF sensor that is run by a small watch battery (see image at right). The information is not real time, it is sent periodically (60-90 second intervals) to your cars computer. However your computer is always “listening” for input from these devices.
The news around this is that researchers from Rutgers University have published a press release that they are going to discuss the dangers of spoofing these devices in order to gain access to the computer possibly able to cause issues for the driver or the vehicles control systems. The crux of the issue is that these devices have short (relatively) 32 bit IDs with no encryption between the tag (sensor) and the control unit. According to the researchers the protocol is also quite simple and easy to spoof. They will (presumably) demonstrate this week how they can send/receive signals from these units up to 40 meters away.
So let’s put a privacy spin on this (ready your tin hats!).
- The sensors have a broadcast range of roughly 40 meters
- The IDs are easily spoof able (and easily identified)
- There isn’t any encryption
- The protocol is simple
- Broadcasts occur in timed increments (60-90 seconds)
So do you want to follow me? You could. Building a single sensor that would read the ID from one (or all) of my TPMS would be quite simple. Place it in a location where I’m going 1.5 MPH or less (rough math using 40 meter coverage and a 60 second window) and you have a reasonable chance of being able to authenticate my presence, or at least my car’s presence, at that location. Granted you or I have a small issue here, the ability to do this on any scale that would be effective. If you wanted to cover a large area or a large number of people, this would be quite an undertaking. But if you are a government and control the local infrastructure of a municipality, you have quite an opportunity here.
- Hackers Deflate Auto Tire-Pressure Sensors (informationweek.com)
- Bad News For The Paranoid: TPMS Sensors Are A Gateway For Hackers (ridelust.com)
- Wireless tire pressure monitoring systems in cars may compromise privacy, pose security threat (eurekalert.org)