Over on YouTube Andreas Spiess has been helping his friend create a pressure monitoring system for his home brew beer bottles. In order to do this, Andreas uses an externally mounted after market wireless tire pressure sensor whose data can be received with an RTL-SDR and the rtl_433 decoder software. Modern vehicle tires contain a TPMS (tire pressure monitoring system) sensor, which keeps track of tire pressure, temperature and acceleration. The data is wirelessly transmitted via 433 or 315 MHz to the cars dashboard and computer for safety monitoring.
In the first video Andreas discusses tire pressure monitors and how they could be used for other non-tire applications, talks a bit about the wireless protocol used, and how to reverse engineer it. He notes that the author of rtl_433 was able to implement his particular tire pressure sensor brand's protocol into the rtl_433 database, so now anyone can decode them. Finally in this video he also shows that he can easily spoof a flat tire signal using a HackRF and GNU Radio which might cause a modern high end car to refuse to move.
The second video shows how to continuously monitor that TPMS data for the home brew set up. Andreas uses an RTL-SDR and Raspberry Pi running rtl_433, which outputs it's data into Mosquitto, Node-Red, InfluxDB and the Grafana. These programs help to read, manage, log and graph the data. The rtl_433 program is also monitored by Supervisord which automatically restarts rtl_433 if the program crashes.
If you are interested, there is a related video that was uploaded in between the two shown below which shows how he created a 3D printed cap to mount the valve and tire pressure sensor on the beer bottles.
#261 Measure Pressure Remotely (including TPMS Hacking / Attack) for Beer Brewing
Safely Monitor and Alarm with Supervisord and Telegram
Over on YouTube the channel "Lead Cyber Solutions" has uploaded a video presentation for the Cyber Skills Competition. In the video Christopher Flatley, James Pak and Thomas Vaccaro discuss a man-in-the-middle attack that can be performed on vehicle Tire Pressure Monitoring Systems (TPMS) with a transmit capable SDR such as a HackRF.
A TPMS system consists of small battery powered wireless sensors placed on a vehicles wheels which automatically monitor tire pressure. An LCD basestation usually exists on the dashboard of the car indicating live tire pressure. Most modern cars come with this feature, and it is simple to retrofit an older car with an aftermarket TPMS system.
The idea behind the vulnerability is that a HackRF can be used to reverse engineer the TMPS signal, and then re-transmit a new fake signal that causes the base station to read the tire pressure as low. This can set off an alarm in the car and possibly cause someone to pull over. More alarmingly, they discuss how tractors have automatic tire inflation systems which work using similar sensors. A false low pressure reading could cause the tractor tires to over inflate and be damaged.
Vulnerabilities in Vehicle TPMS (Exploit & Hacking)
In the past we have also posted about Jared Boon's work on TPMS where he shows how privacy could be breached by monitoring and tracking TPMS identifiers.
Tire Pressure Monitoring Systems (TPMS) are comprised of sensors that are designed to measure the tire pressures on a vehicle and then wirelessly transmit the data to a monitoring computer, which will then alert the driver when the tire pressure is incorrectly set.
At the Toorcon conference, Jared Boon has given a talk showing how he used an RTL-SDR and a GNU Radio program that he developed to reverse engineer the TPMS wireless protocol, and read the data that is sent. Jarod also notes that TPMS is potentially a security risk that could be used to track cars. The talk has been uploaded to YouTube and is shown below.
Reversing Tire Pressure Monitors with a Software-Defined Radio