Hacking Wireless Tire-Pressure Monitoring System

Research paper: "Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," by Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, Ivan Seskar:

Abstract: Wireless networks are being integrated into the modern automobile. The security and privacy implications of such in-car networks, however, are not well understood, as their transmissions propagate beyond the confines of a car's body. To understand the risks associated with these wireless systems, this paper presents a privacy and security evaluation of wireless Tire Pressure Monitoring Systems using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system. We show that eavesdropping is easily possible at a distance of roughly 40m from a passing vehicle. Further, reverse-engineering of the underlying protocols revealed static 32-bit identifiers and that messages can be easily triggered remotely, which raises privacy concerns as vehicles can be tracked through these identifiers. Further, current protocols do not employ authentication and vehicle implementations do not perform basic input validation, thereby allowing for remote spoofing of sensor messages. We validated this experimentally by triggering tire pressure warning messages in a moving vehicle from a customized software radio attack platform located in a nearby vehicle. Finally, the paper concludes with a set of recommendations for improving the privacy and security of tire pressure monitoring systems and other forthcoming in-car wireless sensor networks.
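As an added example (not code from the paper or from this post), here is the kind of receiver-side input validation the abstract says vehicle implementations lack: frames carrying an unpaired 32-bit ID, an implausible value, or arriving faster than a real sensor reports are dropped, and a low-pressure warning needs several consistent readings rather than a single frame. The frame layout, pressure ranges, rate limit and `confirm` threshold are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TpmsFrame:            # frame layout is a constructed assumption
    sensor_id: int          # static 32-bit sensor identifier
    pressure_kpa: float
    temp_c: float
    rx_time: float          # receiver clock, seconds

class TpmsReceiver:
    def __init__(self, paired_ids, low_kpa=180.0, confirm=3, min_gap_s=1.0):
        self.paired = frozenset(paired_ids)   # IDs learned during pairing
        self.low_kpa, self.confirm, self.min_gap_s = low_kpa, confirm, min_gap_s
        self.last = {}        # sensor_id -> last accepted frame
        self.low_streak = {}  # sensor_id -> consecutive low readings

    def validate(self, f):
        """Reject anything a paired, sane sensor could not have sent."""
        if not 0 <= f.sensor_id < 2 ** 32:
            return "malformed-id"
        if f.sensor_id not in self.paired:
            return "unpaired-sensor"            # unknown ID, likely spoofed
        if not 50.0 <= f.pressure_kpa <= 450.0:
            return "pressure-out-of-range"
        prev = self.last.get(f.sensor_id)
        if prev is not None and f.rx_time - prev.rx_time < self.min_gap_s:
            return "rate-exceeded"              # real sensors never report this fast
        return "ok"

    def process(self, f):
        """Return (verdict, warn); rejected frames never change state."""
        verdict = self.validate(f)
        if verdict != "ok":
            return verdict, False
        self.last[f.sensor_id] = f
        streak = self.low_streak.get(f.sensor_id, 0) + 1 if f.pressure_kpa < self.low_kpa else 0
        self.low_streak[f.sensor_id] = streak
        return "ok", streak >= self.confirm      # warn only after `confirm` low readings

def demo():
    # constructed frames: one paired sensor going low, plus spoof attempts
    rx = TpmsReceiver(paired_ids={0x1A2B3C4D, 0x1A2B3C4E, 0x1A2B3C4F, 0x1A2B3C50})
    frames = [TpmsFrame(0x1A2B3C4D, 230.0, 25.0, 0.0),    # normal reading
              TpmsFrame(0xDEADBEEF, 90.0, 25.0, 0.5),     # unpaired ID: dropped
              TpmsFrame(0x1A2B3C4D, 120.0, 25.0, 60.0),   # first low reading
              TpmsFrame(0x1A2B3C4D, 120.0, 25.0, 60.2),   # too soon: dropped
              TpmsFrame(0x1A2B3C4D, 120.0, 25.0, 120.0),  # second low reading
              TpmsFrame(0x1A2B3C4D, 120.0, 25.0, 180.0)]  # third: warning raised
    return [rx.process(f) for f in frames]
```

Without authentication in the protocol, checks like these cannot prove a frame is genuine; they only raise the cost of a naive spoof and stop a single injected frame from lighting the warning.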

Posted on September 16, 2016 at 8:59 AM • 29 Comments

Comments

War Geek • September 16, 2016 9:02 AM

Reprise of the Stuxnet hack...one day all the GMs in the U.S. start playing 'Thunderstruck' over and over again because their tires told them to.

AJWM • September 16, 2016 11:06 AM

Is this really that big a deal? I'm not too worried about someone finding out my tire pressures as I drive by. (Actually I'm not worried about it at all since my car pre-dates mandatory remote tire pressure sensing.)

As for tracking a specific vehicle, that can be done as easily and at longer range via license-plate readers.

John Wayne's Evil Twin • September 16, 2016 11:25 AM

@Dom

I'd go with 'Dirty Deeds Done Dirt Cheap'.

Yeah, keep making everything wireless. Idiots.

JimmyWales • September 16, 2016 1:05 PM

Now we can track the pigz, and use crowd-sourcing to pin-point radar-traps. Not everyone wants to use wayz, so create an app that interfaces with a sniffer. Send current GPS coordinates of the police, undercover or otherwise, if the car is in motion; should be possible for the public to isolate and lock in on the tyre IDs. Pull off jobs that would take the bobbies a while to get to. This would be good for dealers to have such info. No one wants your tyre-pressure, that's not what this is about, we want to know where you are, where you have been, and your 2008 or after car is broadcasting low-jack signals as it moves around. Get enough listeners, and you can show movement of anyone in a recent model car. Might be used by gov't to track Uber drivers and their passengers too. The security implications are vast. Private detectives could use this to nab cheating spouses etc...

Chelloveck • September 16, 2016 2:27 PM

@AJWM: Yes, I was going to say that the tracking potential is dwarfed by the fact that every vehicle already has a prominent optically-read identifier. You *could* spy on the tire pressure monitors. You could probably even fingerprint a specific vehicle by characterizing the aggregate of its electronic emissions. Or... You could look at the license plate, which is specifically designed to be a highly visible unique identifier.

Spoofing the sensors might be more of a threat, but it's probably limited to being able to make a "low pressure" light blink on the dash. You *might* be able to trick the computer into cutting engine power and entering "limp home" mode by simulating a blow-out.

Jeremy • September 16, 2016 2:35 PM

As AJWM points out, cars are already individually identifiable via license plates. That is, in fact, pretty much the whole point of having license plates.

It's not clear to me what you can do with wifi listeners that you couldn't do with visual ones.

Chelloveck • September 16, 2016 2:36 PM

I should add that this sort of research is valuable, even if I don't think this particular vector is much of a threat. I doubt that all the implications of the wireless tire-pressure system were actually considered before it was implemented. If anything it was probably laughed off as "Eh, who cares if someone can snoop your tire pressure, anyway?" That way of thinking needs to change as cars become more connected (both intentionally and inadvertently). Security needs to be ranked up there along with safety when new features are added.

Fred • September 16, 2016 3:03 PM

apparently most missed the point about lack of input validation... this isn't just about snooping or spoofing pressures... it might be possible to 'root' the OBC

J. Peterson • September 16, 2016 3:11 PM

I could imagine a crooked service station leveraging this. You pull in to get gas and hey! looks like you've got a flat tire needing some work...

Terry Cloth • September 16, 2016 4:09 PM

The legislation requiring tire-pressure monitoring specifically prohibits sensing low pressure by counting wheel revs. I wondered at the time whether the legislators (or assistants, or donors) wanted to be able to track everyone.

As for tracking by license plate, that requires line-of-sight access to said plate, which is really tough when the target is the second car up, just beyond that SUV, to say nothing of semis.

AJWM • September 16, 2016 4:47 PM

Wheel-rev counting only tells you a relative pressure difference, not the absolute pressure. If all four tires are running near-flat at 15 psi, they'll still all turn at the same rate. If the car has a built-in GPS, you could do some calculations with GPS-reported-speed vs wheel-rev calculated speed, but built-in GPS is still a relatively new thing.

Line of sight access to plates can be had from adjacent lanes, or overhead traffic cams. If you're actually following the car in another vehicle, you don't really need to read the tire monitors or the plate. (Oh, no doubt one can come up with movie-plot scenarios where that isn't true ... but then I can come up with a movie-plot scenario where the target vehicle pulls out of sight for a few minutes and quick-changes the tires with four other vehicles.)

neill • September 16, 2016 5:28 PM

risk is for driver-less cars e.g. uber, tesla, maybe even amazon truck deliveries in the future

you let the computer make the decision go / nogo

criminals could stop the "autopilot" on a desolate road, get hostages, steal the cargo, ...

even with a manual override 90% of passengers cannot judge if it's safe to continue "limping along"

Clive Robinson • September 16, 2016 5:29 PM

@ Chelloveck,

Or... You could look at the license plate, which is specifically designed to be a highly visible unique identifier.

You've forgotten the very important point that when driving humans might be able to glance at a passing license plate but not be able to remember it or several others.

It's a point the various LEA's and IC's rely on when trailing an individual in a car. What they used to do is have a number of cars that tail then "overtake or turn off" etc as another car takes over. Thus the individual does not see one car long enough to "get suspicious".

It would take very little effort, say an undergraduate project, to design the "head end" to a laptop etc used as a datalogger. It would then take software that could be written by a high school student to look for repeated occurrences of numbers and bleep and display stats. Connect in a GPS and it could use a map program to display where the vehicle last came close.

The human eye at a glance would spot patterns of such "repeat visit" cars which would be enough to make them suspicious where they would not otherwise have been alerted.

As I'm known to say on more than the odd occasion "technology is agnostic to its use" and these sensors are very definitely a double edged sword. The hard part is working out the "hinky ways" to use it.

Sancho_P • September 16, 2016 5:56 PM

@Chelloveck

Right, this vector isn’t a threat, it is a blessing!
I’ll sell (not produce because that’s work) magnetic devices to spoof sensor readings and trigger the alarm.
Customers will be guys eager to play “angel” on the road.
Each device will be only good for 5 successful stops with "contact" chance.
This will mitigate abuse (stalking, mass murder) ... and constantly fill my pockets.
Um, what do you think, if by chance one finds his “true love”, would he pay me a bonus in case of marriage?

Btw., we spoofed license plates since I dunno, now we have to visit the gas station, too. Where are the good old times?

CavsRule • September 16, 2016 5:57 PM

You get 100x the cars with radio waves as you would a visual/photo/license-plate scenario. You only have to be within 120 feet with the cheapest of antenna. It's the ubiquity that makes this worse than plate readers... you get traffic coming and going with no need for line-of-sight; no rain, fog, snow, bike-rack, towing a boat or horse will jack up that read. Wifi don't lie at this point in time, you could track what everyone in the city does/goes with relative ease and with far fewer sensors. It is a mass surveillance windfall. Looks like it applies to 2009 or after cars as mandatory; you could track what cars came into your neighborhood during a robbery, or you can track your local congressmen meeting at a corporation, possibly on the take. It would be a nice forensics tool, even if you have nothing more than time spent in an area, visual or not.

War Geek • September 17, 2016 7:21 AM

I mentioned GMs because I have a bit of familiarity with their CAN (car area network), enough to know that anything can tell anything else what to do on their systems, at least with the code I saw in 2014. So yeah...no input validation is still a thing, and the tire sensor ID can be used to, for instance...tell the car to accelerate.

The Thunderstruck reference was a joke about taking over the entertainment system but I think getting tracked is going to be the least of the worries when someone starts playing with your CAN.

hamish • September 19, 2016 5:41 AM

Wait until cars add a "safety" feature of controlled deceleration to a standstill on suitably extreme tire pressures, and you have yourselves a killswitch.

Les • September 19, 2016 7:28 AM

Could be an interesting denial of service attack on self-driving cars. Broadcast a flat tyre message on a busy road and watch every other car try to pull over immediately. Mayhem ensues.

It's easy enough to write some movie plot scenarios that use this attack (bank robbers blocking traffic behind them), but the most likely scenario is a teenager doing it for entertainment.

SJ • September 19, 2016 10:31 AM

for further Movie Plot scenarios...

in any sort of conditions which might trigger TractionControl/StabilityControl, a rapid change in Tire Pressure might disable that system. Or might trigger the TC/SC to respond in unexpected ways.

I'm not sure how possible that kind of thing is.

But that kind of scenario scares me.

SoWhatDidYouExpect • September 19, 2016 4:51 PM

I recently purchased a used vehicle with tire pressure monitors. Further, I get automatic monthly reports from the vehicle on-line system (did not purchase ONSTAR; it was eventually provided for free so THEY could get the data).

One tire sensor routinely reports under pressure. When manually checked, the actual pressure is correct. Dealer wants $120 plus time & other materials to replace the faulty sensor. It is under warranty mileage (36,000) but dealer won't do this as they say the warranty does not cover it.

NO THANKS.

Interesting that while the dealer says there are no effective warranties for this vehicle, the monthly report indicates that a warranty is about to expire. Hmm, I wonder which one that is?

The corporate conglomerate, vehicle brand manufacturer, and dealer have inundated me with marketing material ever since the car was purchased. Mostly, they want service calls to be made yet proclaim none of the suggested work is covered by warranty, and they even want to sell me another car! What? I just bought this one, and no, they did not finance it.

My guess is that all of this is just gross marketing. Sponsored by greed.

War Geek • September 20, 2016 9:10 AM

The Hughes and Delphi modules transmitted pretty much all the time. Not sure about the newer Motorola ones, but I bet they do too.

Point being that Onstar is almost certainly on (especially if you have the older version) and sending something about you all the time. Getting the service for 'free' simply means they persuaded you to click some agreement that says you can't sue them for doing things with their data that will infuriate you.

TJ • September 23, 2016 7:22 AM

HOWTO Hack All the Cars:

1. Dump firmware and RE sensor handling code looking for remote code execution through corruption of stack or heap or use after free.

2. Make hardware that fuzzes sensor input and logs low-occurrence responses. Then try shell-code for the ASIC or CPU.

3. Dump keys for firmware updates and embed your own tools in update ROM and THEN RE and fuzz sensor handler (Charlie Miller method)

NOTE: On cars with a baseband you need a second stage exploit unless it does DMA in to the app processor address space. Car makers get their own IP range making it easy for massive attack campaigns. Good thing most malware people suck at RE and programming.

WORSE CASE: You can't get ROM signing key because it's in a low-attack-surface boot rom and fuzzing either returns nothing or finds something in "real" memory that you can't exploit reliably.
