Researchers Hack a Hole In Tyre Tag Security

Scientists from Rutgers University and University of South Carolina are warning that the wireless communications technology found in tyre pressure monitoring systems (TPMS) is susceptible to interception and high-tech forgery known as “spoofing.” The scientists concede that the potential for misuse “may be minimal,” but the potential vulnerability is said to demonstrate a “troubling lack of rigor with secure software development for new automobiles.”

The team of scientists published their findings back in February 2010 in a paper entitled “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study” but the news hit the press six months later when that the team announced they would publically present their findings at the Usenix Security Symposium, in Washington D.C. (9 – 13 August). The Rutgers University and University of South Carolina team conducted their research on TPMS-equipped Toyota and Acura brand cars. No names of TPMS or RFID sensor manufacturers have been revealed.

At first the fact that the researchers have discovered that TPMS systems can effectively be “hacked” may not sound like too much of a concern, but for the world’s leading TPMS manufacturers and their OEM customers the notion of any accident being caused by false positive warning lights from TPMS systems they have supplied and the knowledge that their systems apparently can be tampered with in this way must be worrying thoughts. Add in the fact that the US mandated the installation of TPMS in new cars from 2008, following the implementation of the TREAD Act and those same companies must be reading “Security and Privacy Vulnerabilities…” very carefully. On this side of the pond the the European Union will require TPMS to be installed in all new cars by 2012 and most new models already have the option of fitment. So, whether the prospect of tampering is likely or not, the scale of even a potential issue makes it serious enough on its own.

In their paper the team, co-led by Dr Wenyuan Xu, a computer science assistant professor at the University of South Carolina, point out a number of possible malicious uses for such access to TPMS systems. TPMS consist of battery-powered radio frequency identification (RFID) tags on each tyre, which can respond with the air pressure readings of the tyre when wirelessly monitored by an electronic control unit (ECU). The researchers found that each sensor has a unique 32-bit ID and that communication between the tag and the control unit was unencrypted, leaving it open to interception by third parties from as far away as 40 metres.

“If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,” the researchers wrote in their paper.

An attacker could also flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings, the researchers contend. Malicious individuals could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit. “We have observed that it was possible to convince the TPMS control unit to display readings that were clearly impossible.” In one case, the researchers had confounded the control unit so badly that it could no longer operate properly and had to be replaced by the dealer.

There was even the suggestion that TPMS could be used for high-tech mugging: “Successfuly injecting a low tyre pressure message to the control unit wirelessly can cause the car computer to display a false alert to the driver, which can create un-trust towards TPMS or life threatening situation when the driver stops its car in a dangerous area,” according to the research team.

Data encryption recommended

The scientists’ criticisms were based on the facts that vehicular wireless technologies are increasingly common and so far generally unencrypted: “Due to its broadcast based nature, wireless communication is vulnerable to eavesdrop and false packet injection…Additionally, car manufacturers are continuing to apply wireless technologies to other aspects of a car. It is, therefore, critically important to analyze the security level and potential vulnerabilities of TPMS communication protocols,” Dr Xu wrote in an earlier presentation made in 2009.

In the final paper, the team concluded that TPMS data security could be improved through the use of encryption: “…Our study revealed several concerns. First, we reverse engineered the protocols using the GNU Radio in conjunction with the Universal Software Radio Peripheral (USRP) and found that (i) the TPMS does not employ any cryptographic mechanisms and (ii) transmits a fixed 32bit sensor ID in each packet, which raises the possibility of tracking vehicles through these identifiers.”

“We have recommended security mechanisms that can alleviate the security and privacy concerns presented without unduly complicating the installation of new tyres. The recommendations include standard reliable software design practices, cryptographic protocols that can provide data confidentiality, and a key management protocol customized for TPMS. We believe that our analysis and recommendations on TPMS can provide guidance towards designing more secure in-car wireless networks,” the paper concluded.

The complete report Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study can be downloaded as a PDF file here.