Abusing the Internet of Things

(Rick Simeone) #1

ers from the University of South Carolina performed an in-depth analysis of TPMSs and found security design flaws that can be exploited. In this section, we will take a look at their research to understand these systems and what issues were uncovered. Since a TPMS relies on very basic wireless communication mechanisms, this is the appropriate first topic to cover as we learn about the security of connected cars.

The TPMS measures the tire pressure inside all of the tires on a vehicle and alerts the driver to a loss of tire pressure. Two different types of TPMS exist: direct and indirect measurement systems. The direct measurement system uses battery-powered pressure sensors inside each tire to monitor the pressure. Since it is difficult to place wires around rotating tires, radio frequency (RF) transmitters are used instead. The sensors communicate using RF and send data to a receiving tire pressure control unit, which collects information from all the tire sensors. When a sensor reports that a tire is running low on air pressure, the control unit sends information using the controller area network (CAN) to trigger a warning message on the car's dashboard. Indirect measurement systems, on the other hand, infer pressure differences by leveraging the antilock braking system (ABS) sensors. ABS can help detect when a tire is rotating faster than the other tires, which is the case when a tire loses pressure. However, this method is less accurate and cannot account for cases when all the tires lose pressure. As of 2008, all new cars in the US are required to employ a direct TPMS.

Cars are full of electronic control units (ECUs), which use the CAN specifications to communicate. ECUs are mini computers that control various aspects of the car. All ECUs in a car are connected to two wires running along the body of the car (CAN-High and CAN-Low). ECUs transmit information by raising and dropping voltages on the wires. Since all ECUs are connected to the same wires, data transmitted by an ECU is available to all other ECUs on the network. The collection of ECUs communicating using the CAN standard is known as the CAN bus.

The TPMS architecture consists of a set of components. The TPMS sensors fitted onto the tires periodically broadcast the pressure and temperature measurements. The sensors activate when the speed of the car is higher than 40 km/h or when they receive an RF activation signal that is used during installation to get the sensors to transmit their IDs. An RF receiving unit that is part of the TPMS remembers the sensor IDs so that it can filter out communication from sensors of nearby cars. There is a TPMS ECU installed in the car as well, consisting of either one or four separate antennas that transmit the data from the sensors to the RF receiving unit. The low-pressure warning light is also part of the TPMS. As the sensors routinely broadcast the pressure and temperature measurements, the receiving unit collects the packets and verifies that they belong to the car (based on the ID). If any of the sensors transmits a reading that indicates low tire pressure, the system then displays a warning light.
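The receiving unit's behaviour described above can be modelled in a few lines. This is an added example, not code from the book or from any TPMS vendor; the packet layout, the sensor IDs and the low-pressure threshold are constructed assumptions, since the real protocol is proprietary.

```python
from dataclasses import dataclass

ACTIVATION_SPEED_KMH = 40      # from the text: sensors broadcast above this speed
LOW_PRESSURE_KPA = 170.0       # assumed warning threshold, not from the text
CAR_SENSOR_IDS = (0xA1, 0xA2, 0xA3, 0xA4)   # constructed IDs for this car's tires

@dataclass(frozen=True)
class SensorPacket:            # constructed layout for illustration only
    sensor_id: int
    pressure_kpa: float
    temperature_c: float

def sensor_should_transmit(speed_kmh, activation_signal):
    """A sensor wakes above 40 km/h or when it receives the RF activation signal."""
    return speed_kmh > ACTIVATION_SPEED_KMH or activation_signal

class TpmsReceiver:
    """Receiving unit: remembers the car's sensor IDs, filters packets, warns."""
    def __init__(self):
        self.learned_ids = set()
        self.accepted = []
        self.dropped = 0
        self.warning_light = False

    def learn(self, sensor_id):
        """Installation step: the activated sensor reports its ID."""
        self.learned_ids.add(sensor_id)

    def receive(self, pkt):
        # The acceptance decision rests on the ID field alone, as the text describes.
        if pkt.sensor_id not in self.learned_ids:
            self.dropped += 1          # packet from a nearby car's sensor
            return False
        self.accepted.append(pkt)
        if pkt.pressure_kpa < LOW_PRESSURE_KPA:
            self.warning_light = True  # a real unit would signal this over CAN
        return True

def run_demo():
    rx = TpmsReceiver()
    for sid in CAR_SENSOR_IDS:
        rx.learn(sid)
    traffic = [                        # constructed sample traffic
        SensorPacket(0xA1, 220.0, 25.0),
        SensorPacket(0xB7, 150.0, 24.0),   # neighbour's sensor, low pressure
        SensorPacket(0xA3, 215.0, 26.0),
        SensorPacket(0xA2, 160.0, 25.0),   # this car's tire, low pressure
    ]
    for pkt in traffic:
        rx.receive(pkt)
    return rx
```

Reviewing `receive` makes the trust boundary explicit: the sensor ID is the only field the receiver uses to decide whether a packet belongs to the car.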


Reversing TPMS Communication


The researchers from the University of South Carolina attempted to analyze the proprietary
protocol used between the sensors and the receiving unit. As we will see in this section, their

