FIGURE 6-2. The TVRX daughterboard
Data from the USRP was analyzed using GNU Radio, an open source software develop-
ment kit that can be used to process the captured signals.
As the research team analyzed the data transmitted by the sensors, they guessed that a
technique known as Manchester encoding was being applied. They were able to confirm this
after applying the algorithm to decode Manchester-encoded data, which resulted in a stream
of information containing a known sensor ID. This is an important technique in the art of
reversing a given architecture: looking for a known tuple of data (Sensor ID, in this case) and
using it to see if the proper decoding algorithm has been applied. Although Manchester
encoding is not a form of encryption, this technique of looking for a known tuple to see if the
analysis is on the right track is similar to the idea of a known-plaintext attack in the field of
cryptography, in which an attacker has a copy of both the encrypted text and the plain text, and
is able to use this information to infer weaknesses or secrecy embedded in the algorithm.
Next, the research team manipulated the sensors by heating the tires with hot guns and
cooling them with refrigerators. Then they looked at which bits within the communication
changed. They also adjusted the air pressure in the tires. This is another unique and critical
aspect to remember when dealing with IoT devices: in the world of software, the idea of influ-
encing the environment around a physical object is not applicable, but it is definitely within
scope of the methodology of testing IoT devices that contain sensors that collect information
about the physical world. Using this technique, the researchers were further able to decode
the stream of communication from the sensors to pinpoint which bits referred to temperature
data.
Eavesdropping and Privacy Implications
The data transmitted by the tire sensors is not encrypted, allowing others in the vicinity of a
car equipped with a TPMS to capture the information. The researchers found they were able
to eavesdrop on sensor data from up to 40 meters away in cases in which the target car was
stationary.
THE TIRE PRESSURE MONITORING SYSTEM (TPMS) 161