- Researchers found TPMS signals can expose vehicle locations.
- Each sensor broadcasts a fixed unique ID without encryption.
- Low-cost receivers captured millions of tire messages.
Cars have never been more connected than they are now. That constant stream of data has made them safer and more convenient, but it has also opened a few doors most owners never think about. Among them is how surprisingly easy it can be to tap into a modern vehicle. Researchers now say it is even possible to track a car using its tire pressure monitoring system, or TPMS.
TPMS has become a quiet staple of everyday driving, keeping watch over tire pressures and warning you when one starts to sag. Handy, yes. Invisible, mostly. What many drivers do not realize is that these sensors transmit unencrypted radio signals, and those signals can be picked up with nothing more exotic than a basic radio receiver.
Read: Michelin’s New AI Tire Tech Might Make TPMS Feel Like Ancient History
In many countries, TPMS has been mandatory since the late 2000s as a road-safety requirement. In other words, most modern cars on the road today are broadcasting whether their owners know it or not.
Researchers at IMDEA Networks Institute found that each TPMS unit broadcasts a fixed, unique ID. In other words, every car is quietly tagging itself, making it possible for anyone listening to identify a specific vehicle and track where it goes.
Unlike camera-based systems that rely on a clear line-of-sight, these radio signals slip through walls and other obstacles. Small, hidden receivers can capture them without attracting attention, which makes this type of tracking far less obvious and much harder to sidestep.
To see how practical this would be in the real world, the team set up a network of low-cost radio receivers near roads and parking areas, with each unit costing about $100. Over a ten-week period, working alongside other European research partners, they gathered more than 6 million tire-sensor messages from over 20,000 vehicles.
In addition, researchers matched signals from the four tires of a car, allowing them to accurately track vehicles arriving, leaving, and following regular schedules throughout the test area. They even found it was possible to capture TPMS signals from moving cars at distances of over 50 meters (164 feet), regardless of whether the vehicles were in buildings or other locations.
Hackers could also intercept the tire pressure data itself. From that, they might infer what type of vehicle it is and even whether it is hauling a heavier load than usual.
In theory, the signals sent by TPMS devices could be used by car manufacturers themselves to track owners’ movements, or by criminals who want to monitor a car’s patterns before attempting to steal it.
What Needs To Be Done?
“Our results show that these tire sensor signals can be used to follow vehicles and learn their movement patterns,” research professor at IMDEA Networks Institute, Domenico Giustiniano said. “This means a network of inexpensive wireless receivers could quietly monitor the patterns of cars in real-world environments. Such information could reveal daily routines, such as work arrival times or travel habits.”
The researchers also note that current vehicle cybersecurity rules do not specifically cover TPMS vulnerabilities. As a result, they are calling on policymakers and automakers to tighten security requirements so that safety hardware does not double as an unintended tracking tool.
“TPMS was designed for safety, not security,” said Dr. Yago Lizarribar, who worked on the research at IMDEA Networks and now serves as a researcher at Armasuisse in Switzerland. “Our findings show the need for manufacturers and regulators to improve protection in future vehicle sensor systems.”
