Wireless kit: The equipment used to hijack a car’s tire sensors included a laptop, a programmable radio transceiver, and a custom circuit board, which, taken together, cost around $1,500.
Credit: University of South Carolina/ Rutgers University
Hackers could “hijack” the wireless pressure sensors built into many cars’ tires, researchers have found. Criminals might then track a vehicle or force its electronic control system to malfunction, the University of South Carolina and Rutgers University researchers say.
The team, which successfully hijacked two popular tire-pressure-monitoring systems (TPMS), will describe the work at the USENIX Security conference in Washington, DC, this week.
The tire-sensor attack poses little immediate risk to drivers. However, in recent months, research groups have identified other security weaknesses in vehicle electronics systems. As automakers add more powerful computers to cars, and connect those computers to critical components, in-car systems will need to be secured against hackers, experts warn.
A TPMS consists of sensors inside a car’s tires that measure pressure, and a central wireless antenna–or an antenna in each wheel in more expensive vehicles. An electric control unit (ECU) picks up the signal, and a warning light on the automobile’s dashboard warns a driver when tire pressure has dropped. As well as calculating pressure changes, the ECU filters out noise from sensors in neighboring cars, and compensates for pressure changes due to temperature. The TREAD Act, which Congress passed in 2008, mandates that all new vehicles produced or sold in the United States after that year are required to have this technology.
Using equipment costing $1,500, including a programmable radio transmitter, a specialized circuit board, and free software, the South Carolina-Rutgers team could pick up a car’s tire pressure readings. The researchers deciphered the communication protocol by experimenting with different parameters of the radio transmission.
The systems tested by the South Carolina-Rutgers team had very little security in place–they mainly relied on the fact that the communications protocol is not widely published. “In doing TPMS this way, [automakers] have left the door open to wireless attackers,” says Travis Taylor, one of the paper’s authors.
The team could eavesdrop on communications and, in some circumstances, alter messages in-transit. That let the team give false readings to a car’s dashboard. They could also track a vehicle’s movements using the unique IDs of the pressure sensors, and even cause a car’s ECU to fail completely.
“Normally, these [attacks would] result in small problems,” Taylor says. “But I see practical danger and damage that can happen from TPMS exploitation.”