Download the audio
Slide 1. Introduction.
The class develops the cybersecurity issues surrounding the TPMS (Tire Pressure Monitoring System), their consequences, and their implications for fleet management.
Slide 2. Cybersecurity Issues with the TPMS.
- The TPMS system.
A study by IMDEA Networks shows that the TPMS-Tire Pressure Monitoring System, which is mandatory for safety reasons in some countries, can be used to identify vehicles from more than 50 meters away without the need for cameras.
The TPMS is a safety device installed in most modern passenger cars that monitors the air pressure in each tire in real time. It works using sensors located inside the tire that send wireless information to the vehicle’s control unit. If it detects a significant loss of pressure, it triggers an alert on the instrument panel to warn the driver. Its purpose is to reduce the risk of accidents, improve vehicle stability, and optimize fuel consumption.
In the European Union, TPMS has been mandatory since November 2014 for all newly registered passenger cars, following an initial phase applied to new models starting in 2012. In the United States, its use has been mandatory since 2007 in light-duty vehicles, following a legislative reform related to road safety. Other countries, such as South Korea and Russia, have also adopted similar requirements. In major developed markets, TPMS has become established as a legal standard in the automotive industry.
- A 20-year-old system that did not take data into account.
Tire pressure sensors, installed in most modern cars for road safety reasons, could become an unexpected tool for mass surveillance. This is the warning from a study led by IMDEA Networks, which highlights a privacy risk that has so far been largely overlooked in the field of automotive cybersecurity.
The study, conducted over ten weeks in collaboration with European partners, demonstrates that TPMS can be used to covertly track vehicles. The researchers managed to collect more than six million messages from over 20,000 cars using low-cost radio receivers.
The study reveals a critical detail: in addition to pressure data, these sensors transmit a unique identification number (ID) associated with each wheel. That signal is broadcast openly, without encryption or authentication. In practice, anyone equipped with a basic radio receiver can pick up that signal and identify the same vehicle at a later time.
Unlike traditional camera-based monitoring systems, which require direct line of sight and adequate lighting conditions, TPMS-based tracking does not require visual contact. Radio signals pass through walls, other vehicles, and physical obstacles, so they can be detected even when the car is in motion or parked indoors.
To assess the actual scope of the risk, the team deployed a network of wireless receivers along roads and in parking areas. Each device cost approximately $100. During the analysis period, the infrastructure collected more than six million messages transmitted by sensors from over 20,000 different vehicles.
The researchers also developed methods to correlate the signals from all four tires on a single car. This improved the accuracy of identifying vehicles that were arriving, departing, or following regular schedules.
Tests demonstrated that signals could be detected from distances exceeding 50 meters, even when sensors were located inside buildings or in partially obscured locations. This technical capability makes covert tracking a realistic and economically feasible option.
The results show that these signals can be used to track vehicles and reconstruct their movement patterns. According to the study, continuous analysis of the identifiers allows for the inference of daily routines, such as work arrival times or travel habits.
They found that, depending on the car brand, signal transmission can vary. For example, Toyota’s TPMS transmits signals continuously, while those from Ford or Nissan do so at regular intervals, and Renault’s only when the wheels are turning.
- The problem is not limited to simply repeatedly identifying the vehicle.
TPMS signals also include pressure readings which, when combined with other data, could make it possible to deduce the type of vehicle or detect variations associated with additional loads. In the case of commercial vehicles, for example, these changes could reveal whether they are carrying heavy cargo, which could lead to more sophisticated forms of surveillance.
TPMS based tracking offers advantages over camera surveillance: it is cheaper, harder to detect, and does not depend on visual conditions. Nor is it necessary to read the license plate. It is sufficient to intercept the fixed identifier emitted by the sensor to recognize the same car in different locations.
Current cybersecurity regulations for automobiles do not specifically address the protection of these sensors. The research team emphasizes that, lacking encryption and authentication mechanisms, TPMS remains vulnerable to so-called “passive surveillance”—that is, the silent capture of signals without interacting with the vehicle.
The study concludes that the problem does not lie in the system’s safety function—which is key to preventing accidents caused by underinflated tires—but rather in the design of its wireless communications. The lack of basic security measures turns a component intended to save lives into a potential tool for mass surveillance.
As vehicles become increasingly connected, even safety-oriented sensors, such as TPMS, should be designed with cybersecurity in mind, since data that appears passive and harmless can become a powerful identifier when collected on a large scale.
- Implications for fleet management.
The main consequence is that our vehicles can be monitored, revealing our routes, customers, schedules, vehicle loads, driving habits, etc.
With this information, the greatest risk is the theft of the goods or valuables transported by our fleet, as it allows criminals to devise a plan with less risk of exposure.
The fleets most at risk of theft are those transporting high-value goods in high demand on the black market, such as smartphones, televisions, computers, tablets, etc., or fleets transporting valuables, cash, works of art, etc. Additionally, in Spain, fleets transporting Iberian hams are often targeted due to their high value.
Another consequence is that they may learn about our customers, routes, schedules, etc., and may attempt to poach our customers by operating in the same geographic area as us.
We recommend implementing the following measures.
- Encryption of communications.
Communications from the TPMS system must be encrypted to ensure security and prevent information from our vehicles from being obtained.
- Hire a company specializing in cybersecurity.
It is recommended to hire a company specializing in automotive cybersecurity to encrypt and secure the TPMS communications of our vehicles.
- Vehicle purchase.
When purchasing a vehicle, cybersecurity must be taken into account, as well as the protective measures included in the TPMS system.
Slide 3. Thank you for your time.
The class has developed the cybersecurity issue with the TPMS system, its consequences, and its implications for fleet management, see you soon.
