Defcon: Hacking Tire Pressure Monitors Remotely

A new vector for hacking a car's computer wirelessly

I attended an interesting talk at Defcon today that revealed a potential security vulnerability that I never would have thought of in a million years. Yep, hacking the tire pressure monitoring system in your car. The talk, called "Letting the Air out of tire pressure monitoring systems," was by Mike Metzger. Turns out the attack surface for such an attack is huge. In the U.S., the TREAD Act mandated that every car built after 2007 must have a tire pressure monitoring system built in. It also turns out that car tire pressure monitoring systems (TPMS) use unencrypted RF for the communication between the tire and the receiver. TPMS sensor alarms are what turn on that annoying low-pressure light we are all familiar with on your dash console.

At first blush it doesn't seem like a big deal. Who cares that you can hack my car and turn on my little pressure light? Annoying, sure, but I don't really care. Or I didn't think I cared until I learned that the RF receiver is hooked directly into the car's Engine Control Unit (ECU). The ECU is the computer that controls almost all functions of your car's systems: fuel injection, exhaust, fuel mix, electricity, engine stats, timing, and lots more. Another scary thing is that the RF receiver that talks to the sensors on each tire is usually the same RF system that talks to your remote key fob to open the doors and disarm your security system.

Here is a quick run-through of the talk. There are several types of TPMS, but the most prevalent is the direct, battery-operated type. This was also the one focused on in the Defcon session. The TPMS is made up of 4 or 5 sensors (5 if it monitors your spare tire pressure). Each sensor is located inside your tire, right by the valve stem. See the image for a typical sensor.

The sensor has a battery, an ASIC for pressure monitoring, and RF components. These sensors talk to an RF receiver usually found in either your trunk or glove box. It is usually the same RF receiver that is used for your key fob. The TPMS uses either the 315 MHz or the 433 MHz frequency and does use encoding, but not encryption.

A unique ID is burned into every sensor (kind of like a MAC address). The system uses this ID for addressing, and each sensor is registered with the car's ECU at either the factory or the dealer using "special" tools. The numbers are supposed to be unique, so if your TPMS receiver picks up sensors from a car driving next to you, the system knows it should ignore those signals because they are not registered to it. The TPMS usually accommodates up to 10 sensors at a time. This is so that if you have a set of snow tires, you don't have to go to the dealer and have them relearn your sensor IDs twice a year.

It is important to note that, by design, the TPMS sensors are only active when the car is moving faster than 20 mph (based on tire rotation speed), when a "special" low-frequency transmission is received, or when a magnet is applied nearby. Once active, the sensors send their pressure info once every minute unless there is a problem (like rapidly decreasing pressure). All of the TPMS info is sent to the car's ECU for processing and action.

The speaker went through the details of how to build your own "special" tool to force a "sensor" to register to the ECU, and went through a bit about the commands that it will accept. To this point the researcher has been able to compromise the TPMS itself but hasn't had time to attack the ECU yet. So for now we are safe, except for the annoying low-pressure light. Of course, Mike will try to find some buffer overflow or other vulnerability that allows him to escape into and own the ECU itself. If possible, this would allow for all sorts of nastiness like shutting off a car that is running, damaging the engine by setting bad values in the ECU, creating power issues, etc. Modern ECUs sometimes include features such as cruise control, transmission control, anti-skid brake control, and anti-theft. If he finds something, I'm sure we'll hear about it at the next Defcon!

For more info see here: http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Metzger Or more here: http://en.wikipedia.org/wiki/Tire-pressure_monitoring_system
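
Because the sensor ID travels unencrypted, the registration check described above is an allowlist on a value anyone in range can read, so a receiver that wants more assurance has to judge frames by the timing rules the sensors follow. The Python below is an added example, not code from the talk or from any vendor's firmware; the `Frame` fields, the sensor IDs, and the `MIN_DELTA_PSI` threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_REGISTERED = 10     # page: receiver usually holds up to 10 sensor IDs
REPORT_INTERVAL_S = 60  # page: one report per minute unless pressure is changing
WAKE_SPEED_MPH = 20     # page: sensors transmit above 20 mph
MIN_DELTA_PSI = 0.5     # assumption: smallest change that justifies an early report

@dataclass
class Frame:            # hypothetical decoded frame, not a real sensor format
    t: float            # receive time in seconds
    sensor_id: int      # ID burned into the sensor, sent in the clear
    psi: float

class TpmsMonitor:
    def __init__(self, registered_ids):
        self.registered = set(registered_ids)
        if len(self.registered) > MAX_REGISTERED:
            raise ValueError("more IDs than the receiver can register")
        self.last = {}  # sensor_id -> last accepted Frame

    def check(self, frame, speed_mph, lf_wake_sent=False):
        """Return (verdict, reasons); verdict is 'ignore', 'accept' or 'suspect'."""
        if frame.sensor_id not in self.registered:
            return "ignore", ["unregistered id"]  # e.g. the car in the next lane
        reasons = []
        # A magnet can also wake a sensor, so this is a flag, not proof.
        if speed_mph < WAKE_SPEED_MPH and not lf_wake_sent:
            reasons.append("sensor should be asleep")
        prev = self.last.get(frame.sensor_id)
        if prev is not None:
            early = frame.t - prev.t < REPORT_INTERVAL_S
            if early and abs(frame.psi - prev.psi) < MIN_DELTA_PSI:
                reasons.append("early report without pressure change")
        if reasons:
            return "suspect", reasons  # keep the old baseline for this ID
        self.last[frame.sensor_id] = frame
        return "accept", []

def demo():
    """Run constructed frames through the monitor and return the verdicts."""
    mon = TpmsMonitor({0x00A1B2C3, 0x00A1B2C4})
    traffic = [  # (frame, vehicle speed in mph, LF wake sent by this car)
        (Frame(0, 0x00A1B2C3, 32.0), 45, False),
        (Frame(3, 0x0BADF00D, 31.0), 45, False),
        (Frame(60, 0x00A1B2C3, 32.0), 45, False),
        (Frame(65, 0x00A1B2C3, 32.0), 45, False),
        (Frame(120, 0x00A1B2C3, 20.0), 0, False),
        (Frame(180, 0x00A1B2C3, 32.0), 0, True),
    ]
    return [mon.check(f, mph, wake)[0] for f, mph, wake in traffic]
```

Suspect frames are not stored as the new baseline, so a run of implausible reports cannot shift what the next genuine report is compared against.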

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it; Google Nexus One vs. Top 10 Phone Security Requirements; Why you should always shred your boarding pass; Video rental records are afforded more privacy protections than your online data; The truth about new SSL attacks; 2009 Top Urban Legends in IT Security. Go to Jamey’s Blog for more articles on security.
