Hackers could “hijack” the wireless pressure sensors built into many cars’ tires, researchers have found. Criminals might then track a vehicle or force its electronic control system to malfunction, the University of South Carolina and Rutgers University researchers say.
The team, which successfully hijacked two popular tire-pressure-monitoring systems (TPMS), will describe the work at the USENIX Security conference in Washington, DC, this week.
The tire-sensor attack poses little immediate risk to drivers. However, in recent months, research groups have identified other security weaknesses in vehicle electronics systems. As automakers add more powerful computers to cars, and connect those computers to critical components, in-car systems will need to be secured against hackers, experts warn.
A TPMS consists of sensors inside a car’s tires that measure pressure, and a central wireless antenna–or an antenna in each wheel in more expensive vehicles. An electric control unit (ECU) picks up the signal, and a warning light on the automobile’s dashboard warns a driver when tire pressure has dropped. As well as calculating pressure changes, the ECU filters out noise from sensors in neighboring cars, and compensates for pressure changes due to temperature. The TREAD Act, which Congress passed in 2008, mandates that all new vehicles produced or sold in the United States after that year are required to have this technology.
Using equipment costing $1,500, including a programmable radio transmitter, a specialized circuit board, and free software, the South Carolina-Rutgers team could pick up a car’s tire pressure readings. The researchers deciphered the communication protocol by experimenting with different parameters of the radio transmission.
The systems tested by the South Carolina-Rutgers team had very little security in place–they mainly relied on the fact that the communications protocol is not widely published. “In doing TPMS this way, [automakers] have left the door open to wireless attackers,” says Travis Taylor, one of the paper’s authors.
The team could eavesdrop on communications and, in some circumstances, alter messages in-transit. That let the team give false readings to a car’s dashboard. They could also track a vehicle’s movements using the unique IDs of the pressure sensors, and even cause a car’s ECU to fail completely.
“Normally, these [attacks would] result in small problems,” Taylor says. “But I see practical danger and damage that can happen from TPMS exploitation.”
Earlier this year, researchers from the University of Washington and the University of California, San Diego showed that they could take over the control systems of a popular model of automobile, causing the brakes to lock or the engine to cut out.
“The security and privacy problems that the authors identify in TPMS systems are likely just one among many that will challenge the automotive industry in the years to come,” says Stefan Savage, a UC San Diego professor of computer science and engineering and an author of the earlier report.
ECUs entered production vehicles in the 1970s, following the California Clean Air Act and a surge in gas prices. At first, the systems were just used to adjust the fuel-oxygen mix using data from the vehicle’s exhaust. But the use of ECUs has expanded since then, and today they are used in every aspect of monitoring and controlling automobiles. ECUs are responsible for a feature known as roll stability control–they can apply the brakes, reduce the throttle, and modulate the steering to keep a car from rolling over.
The South Carolina-Rutgers team stresses that it would be difficult to attack a car through the wireless tire system. One hurdle is that the tire sensors communicate infrequently–about once every 60 to 90 seconds–making it difficult to manipulate the system, especially if a vehicle is moving. They were able to overcome these hurdles, however, by shadowing a target vehicle, and using directional antennas.
Even so, UCSD’s Savage stresses that car-hacking is a theoretical threat for the moment. “One shouldn’t overreact to this kind of news,” says Savage. “It’s not the case, for example, that the authors have identified a means by which the TPMS channel can remotely compromise safety-critical systems, nor is there any evidence that this channel is being targeted, or even that there is a clear threat of it being a likely target in the near-term.”
Savage says his group has entered discussions with the “appropriate stakeholders” regarding the exploits they discovered. The South Carolina-Rutgers team has had no luck so far in contacting carmakers.
The Alliance of Automobile Manufacturers will take the appropriate steps to secure its vehicles, says spokesman Wade Newton. “While this concern isn’t unique to autos, we continue looking at this issue–before it becomes a problem,” he says.