Wireless tire pressure monitoring systems (TPMS), now mandatory in most new vehicles in the United States, European Union, and many other markets, have emerged as an unexpected tool for covert vehicle tracking. A team of researchers from Spain, Switzerland, and Luxembourg has demonstrated that cheap roadside radio receivers are sufficient to build a large-scale TPMS-based tracking network, raising serious questions about automotive privacy and cybersecurity.
What Is TPMS and Why It Exposes Drivers to Tracking
TPMS is designed as a safety system: sensors mounted inside each wheel measure tire pressure and temperature and transmit this data wirelessly to the vehicle’s onboard control unit. To do this, each sensor periodically broadcasts small radio messages that include the measured values and a unique sensor identifier (ID).
The core vulnerability highlighted by the researchers is that TPMS transmissions are neither encrypted nor authenticated and always carry a static ID. In practice, each wheel behaves like a radio beacon that can be uniquely associated with a specific vehicle, and this identifier typically remains the same for the entire lifetime of the sensor.
Unlike license plates or visible identifiers, TPMS IDs are not intended to be public, yet they are broadcast over the air and can be captured by anyone with basic radio equipment. This breaks fundamental privacy-by-design principles that are now commonplace in other Internet of Things (IoT) domains.
Low-Cost TPMS Tracking Infrastructure: Research Findings
In their experiment, the research team deployed a network of five software-defined radio (SDR) receivers, each costing roughly 100 USD. The receivers were positioned along major roads and operated continuously for ten weeks.
During this period, the infrastructure captured more than 6 million TPMS messages originating from around 20,000 distinct vehicles. Because TPMS IDs are static, the researchers were able to correlate signals over time, linking multiple captures to the same vehicle and reconstructing:
- probable travel routes and corridors,
- time windows when a vehicle appeared in a given area,
- frequency and regularity of trips through specific locations.
SDR hardware and open-source decoding tools are widely available, and similar setups are already used by hobbyists for aircraft tracking (ADS-B) and ship tracking (AIS). This underlines how TPMS-based tracking can be replicated at scale with modest technical skills and budget.
What Information Can Be Inferred from TPMS Radio Traffic
TPMS messages carry more than just an ID. The pressure and temperature data, combined with transmission patterns, allow an attacker to infer additional characteristics of the vehicle and driver behavior. According to the study, TPMS traffic can reveal:
- Presence of a specific vehicle in a defined zone at a particular time;
- Approximate vehicle type and weight, based on pressure profiles and tire characteristics;
- Driving style indicators, such as aggressive acceleration or heavy loads, inferred from how tire pressure fluctuates under stress;
- Preferred routes, regularly visited locations, and usage habits of the vehicle’s owner.
When TPMS data is combined with other sources—such as CCTV, toll records, Wi‑Fi probes, or license plate databases—the accuracy of individual driver profiling and movement reconstruction increases significantly. This mosaic effect is a well-known risk in data protection: seemingly low-value signals become highly sensitive when aggregated.
Threat Scenarios: From Mass Surveillance to Targeted Crime
Mass and Targeted Vehicle Tracking
A city-wide network of low-cost receivers placed at highway exits, parking lots, shopping centers, and business districts could enable continuous monitoring of vehicle movements. Once a TPMS ID is linked to a specific person (for example, by observing a car at a known home or workplace), an adversary could:
- Map daily commuting routes and schedules;
- Identify points of interest such as home, office, schools, and recreation spots;
- Estimate time windows when the person is likely away from home, facilitating physical crimes;
- Conduct persistent tracking of a single high-value vehicle.
Such capabilities are attractive not only to criminals, but also to unscrupulous data brokers, private investigators, or even state-level actors interested in surreptitious surveillance.
Active Attacks: TPMS Spoofing and Extortion
The absence of message authentication means an attacker can theoretically perform TPMS spoofing—injecting forged radio packets that mimic legitimate sensor messages. By sending fake alerts about “dangerously low tire pressure” or “sudden deflation,” an adversary can manipulate the driver’s behavior.
In the case of commercial fleets or freight transport, such spoofed warnings could be used to force trucks or vans to stop at predetermined locations. This creates opportunities for cargo theft, hijacking, or extortion. Similar proof-of-concept TPMS spoofing attacks have been demonstrated in academic research for over a decade, underscoring that this is not just a theoretical risk.
How Automakers Should Secure Tire Pressure Monitoring Systems
TPMS was developed as a safety mechanism, but privacy and security requirements were largely absent in the original standards. As a result:
- Messages are transmitted in cleartext and can be decoded by anyone with a budget SDR receiver and simple antenna;
- Sensor IDs are static and globally unique, enabling long-term tracking of a specific vehicle;
- There is no cryptographic protection—neither encryption of telemetry nor authentication of the sending sensor.
From a cybersecurity and data-protection perspective, the minimum countermeasures should include:
- Dynamic or rotating identifiers that change over time and cannot be trivially linked to a single car;
- Encryption of TPMS telemetry so that only the in-vehicle control unit can interpret the data;
- Message authentication to prevent spoofing and ensure the control unit only accepts data from legitimate sensors.
Similar approaches are already standard in many IoT ecosystems and in newer automotive subsystems such as keyless entry and in-vehicle networks, yet TPMS and other legacy components have lagged behind.
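As an added example (not code from the researchers or any TPMS vendor), the following shows how rotating identifiers and message authentication from the list above can work together: sensor and control unit share a per-wheel key, the identifier changes on every frame, and an HMAC tag causes forged, altered, and replayed frames to be rejected. The frame layout, field sizes, look-ahead window, and keys are assumptions; telemetry stays in cleartext here, so the encryption countermeasure would need an AEAD cipher on top.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout and sizes (not taken from any TPMS standard):
# rolling ID (4) || pressure kPa (2) || temperature C (1) || MAC tag (8)
ID_LEN, TAG_LEN, LOOKAHEAD = 4, 8, 64
# Constructed per-wheel keys; assumed to be provisioned when a sensor is paired.
DEMO_KEYS = {"FL": bytes([1]) * 16, "FR": bytes([2]) * 16}

def prf(key, label, data, n):
    """HMAC-SHA256 truncated to n bytes, with a label for domain separation."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def rolling_id(key, counter):
    """Identifier that changes with every frame; computable only with the key."""
    return prf(key, b"id", struct.pack(">I", counter), ID_LEN)

def sensor_frame(key, counter, kpa, temp_c):
    """Sensor side: the counter is never sent, only mixed into the ID and the MAC."""
    body = rolling_id(key, counter) + struct.pack(">Hb", kpa, temp_c)
    return body + prf(key, b"mac", struct.pack(">I", counter) + body, TAG_LEN)

class ControlUnit:
    """Vehicle side: accepts only fresh, authentic frames from paired sensors."""
    def __init__(self, wheel_keys):
        self.keys = dict(wheel_keys)
        self.last = {wheel: 0 for wheel in self.keys}  # highest counter accepted

    def accept(self, frame):
        if len(frame) != ID_LEN + 3 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        for wheel, key in self.keys.items():
            first = self.last[wheel] + 1  # older counters are replays by definition
            for c in range(first, first + LOOKAHEAD):  # tolerate missed frames
                if not hmac.compare_digest(body[:ID_LEN], rolling_id(key, c)):
                    continue
                want = prf(key, b"mac", struct.pack(">I", c) + body, TAG_LEN)
                if hmac.compare_digest(tag, want):
                    self.last[wheel] = c
                    kpa, temp_c = struct.unpack(">Hb", body[ID_LEN:])
                    return wheel, kpa, temp_c
        return None  # unknown sensor, replayed frame, or altered contents

if __name__ == "__main__":
    ecu = ControlUnit(DEMO_KEYS)
    frame = sensor_frame(DEMO_KEYS["FL"], 1, 230, 25)
    print(ecu.accept(frame), ecu.accept(frame))  # second call is a replay
```

Because the counter is never transmitted, a passive receiver sees a different identifier on every frame, while the control unit resynchronises after missed frames by searching a bounded window ahead of the last accepted counter.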
The TPMS case illustrates how auxiliary automotive systems—originally intended solely for safety and convenience—can become powerful tools for mass surveillance and targeted attacks when privacy and security are not considered from the design phase. For automakers, suppliers, and regulators, this research is a clear signal that automotive safety standards must be expanded to include robust protection of drivers’ digital privacy. For drivers and fleet operators, it is a reminder that every “smart” feature in a vehicle generates data, and that assessing the associated cyber risks should become part of responsible technology use and procurement.