TPMS in Toyota, Mercedes, Hyundai Enables Silent Car Tracking

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

Tire Pressure Monitoring Systems in Toyota, Mercedes, Hyundai, and Renault cars send unencrypted data. This lets anyone with cheap receivers track vehicles and drivers passively. Researchers captured over 6 million signals from 20,000 cars in a 10-week study using $100 devices.

Direct TPMS sensors sit inside tires. They broadcast pressure, temperature, battery level, and a fixed 24-32 bit ID in cleartext. Frequencies hit 315 or 433 MHz at low power. No encryption protects these signals, unlike indirect systems in Volkswagen cars.

Signals travel up to 55 meters, even around corners. Transmissions happen every 30-120 seconds while driving. Some brands ping hourly when parked. Toyota sensors run nonstop, creating easy digital fingerprints for anyone listening.

Researchers from IMDEA Networks used RTL-SDR receivers on Raspberry Pi units. They covered 10,000 square meters near roads. Open-source rtl_433 decoded the data into databases. Tests at 50 km/h proved reliable omnidirectional capture.

Affected Manufacturers

ManufacturerTPMS TypeTransmission BehaviorKey Risk
ToyotadTPMSContinuous, hourly parkedAlways trackable
RenaultdTPMSMotion-triggeredRoutine inference
HyundaidTPMSUnencrypted IDEasy ID matching
MercedesdTPMSProprietary protocolCleartext data

These systems became mandatory for safety from 2007-2012. UN Regulation 155 covers car cybersecurity but skips TPMS. Gaps leave privacy exposed despite global rules.

Attackers match tires to cars using Jaccard similarity on signal clusters. Coverage jumps from 40% with one ID to nearly 100% with four. Patterns reveal work hours, remote days, lunch spots, or trips.

Tire pressure hints at vehicle type or load. Cameras link it to owners. Burglars spot empty homes. Firms surveil employees. Spoofing jams signals for chaos.

Tracking Techniques

  • Jaccard index clusters co-occurring IDs: J(A,B) = |A ∩ B| / |A ∪ B|.
  • Temporal analysis spots routines like 8 AM arrivals.
  • Pressure trends track maintenance or weight changes.
  • Scale to city-wide surveillance without plates.

Newer Cyber Tyre from Pirelli uses BLE. It remains eavesdroppable and costs extra. Fixes need ID encryption, rotation, or silent modes. Regulations like EU 2019/2144 must add TPMS rules.

Drivers lack disable switches. Trigger tools read IDs for checks. Aftermarket encrypted sensors exist but prove nothing yet.

FAQ

Which cars have vulnerable TPMS?

Toyota, Renault, Hyundai, Mercedes with direct sensors.

How do attackers track cars?

Capture unencrypted IDs and pressure data up to 55m away.

What data gets broadcast?

Tire pressure, temperature, battery, fixed 32-bit ID in cleartext.

Study captured how many signals?

6 million from 20,000 vehicles over 10 weeks.

Any fixes available?

Encrypt IDs, rotate them; update UN R155 for TPMS.

Can drivers disable TPMS?

No built-in option; aftermarket unproven.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages