From the viewpoint of privacy, one risk is that a tracking system deployed alongside roads
could be used to track particular cars around the city, capturing drivers’ whereabouts based on
their sensor IDs. The feasibility of this is low since sensors only transmit data every 60 sec-
onds. However, the researchers proposed that a tracking system could potentially leverage the
fact that sensors respond to an activational signal (at 125 kHz). This means that one could
implant a device that would issue the activational signal to trigger the transmission by the sen-
sor. Based on the average speed limit around the area, wireless capture devices could be
placed at appropriate distances to capture the data transmitted by the sensors. In this way, one
could cheaply deploy a system for tracking cars at various spots within a given city.
The gravity of this example stems from the fact that millions of cars have TPMSs and so
are transmitting sensor data that can be captured by individuals or devices in the vicinity—
and most people who own TPMS-enabled cars have no idea that their cars are transmitting
this information. Furthermore, there is no easy way for average car owners to turn the system
off, even if they wanted to (and most individuals will want to leave the system on, since they’ll
be more concerned about dangerously low tire pressure than about being tracked).
What makes this research interesting is that it encourages us to pause and reflect on how
we are going to design interconnected devices in the future. The lesson here is that over-the-
air communication of potentially trackable data can compromise the privacy of consumers,
especially in cases in which the platform is implemented in millions of devices whose shelf
life is measured in decades. Furthermore, device manufacturers must do a better job of
informing their customers what information is being transmitted and what it could mean to
their privacy.
Spoofing Alerts
Another type of scenario the University of South Carolina researchers contemplated is one in
which an attacker could potentially spoof wireless network data to trigger alerts in the victim’s
car. The researchers found that they could craft spoofed network packets transmitted from the
front-left tire of their car that would trigger an alert in the car on its right. The caveat here is
that the attacker using this approach would have to know the sensor ID of one of the tires of
the victim’s car. However, this can easily be obtained by issuing an activational signal. It was
found that the spoofed packets were picked up by the victim’s car as far as 38 meters away and
could trigger the car’s low pressure warning light.
During the analysis, the researchers attempted to transmit as many as 40 spoofed packets
per second and found this arose no suspicion on the receiving unit or the TPMS ECU, even
though the expected frequency of a sensor packet is once every 60 seconds. The researchers
also uncovered that the warning light would go on and off at “random” intervals when forged
packets with different pressure rates were transmitted at the rate of 40 packets per second.
Another peculiar thing uncovered during testing was the fact that, when a spoofed packet
was transmitted, the victim’s car’s TPMS ECU did not immediately turn on the warning sig-
nal but instead sent out two activational signals that caused the victim’s car’s sensors to
CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY(^162) ELECTRIC