Exploring Vulnerabilities in Tire Pressure Monitoring Systems (TPMS) with a HackRF
Over on YouTube the channel "Lead Cyber Solutions" has uploaded a video presentation for the Cyber Skills Competition. In the video Christopher Flatley, James Pak and Thomas Vaccaro discuss a man-in-the-middle attack that can be performed on vehicle Tire Pressure Monitoring Systems (TPMS) with a transmit capable SDR such as a HackRF.
A TPMS system consists of small battery powered wireless sensors placed on a vehicles wheels which automatically monitor tire pressure. An LCD basestation usually exists on the dashboard of the car indicating live tire pressure. Most modern cars come with this feature, and it is simple to retrofit an older car with an aftermarket TPMS system.
The idea behind the vulnerability is that a HackRF can be used to reverse engineer the TMPS signal, and then re-transmit a new fake signal that causes the base station to read the tire pressure as low. This can set off an alarm in the car and possibly cause someone to pull over. More alarmingly, they discuss how tractors have automatic tire inflation systems which work using similar sensors. A false low pressure reading could cause the tractor tires to over inflate and be damaged.
In the past we have also posted about Jared Boon's work on TPMS where he shows how privacy could be breached by monitoring and tracking TPMS identifiers.