Your car’s tire pressure monitoring system—that helpful dashboard light warning you about flat tires—doubles as an unintentional tracking beacon. Spanish researchers from IMDEA Networks Institute just proved this vulnerability works in the real world, deploying cheap radio receivers along roads to capture over 6 million signals from more than 20,000 vehicles during a 10-week study. If you’re driving a Toyota, Renault, Hyundai, or Mercedes with direct TPMS sensors, your movements are broadcasting in cleartext to anyone who cares to listen.
Radio Signals With Zero Privacy Protection
The technical reality sounds like something from a spy thriller, except it’s embarrassingly simple. Those TPMS sensors transmit unencrypted radio signals containing unique lifetime IDs, detectable up to 50-60 meters away using $100 software-defined radio equipment and basic antennas. Unlike security cameras that need visual line-of-sight, these radio signals penetrate walls and obstacles. Think AirTag-level tracking capabilities, except the device is already installed in your wheels and you can’t turn it off.
From Convenience to Criminal Opportunity
The attack scenarios read like a privacy nightmare checklist:
- Burglars could monitor residential areas to learn when you consistently leave for work
- Cargo truck thieves might analyze routes and vehicle weight changes by monitoring pressure baselines, then spoof flat-tire alerts to force drivers into roadside stops
- Employers could track delivery drivers without consent
- Data brokers or government agencies could deploy receiver networks for mass surveillance
Your daily Starbucks run becomes a trackable pattern available to the highest bidder.
Regulatory Blindspot Meets Industry Ignorance
Here’s the regulatory gap that enabled this mess: UN Regulation No. 155, which covers vehicle cybersecurity in 54 countries, explicitly excludes TPMS from its requirements. No encryption standards exist for these systems, and reports suggest automakers remain largely unaware of the vulnerability.
“As vehicles become increasingly connected, even safety-oriented sensors like TPMS should be designed with security in mind,” notes Dr. Alessio Scalingi from the research team. The industry mandated these sensors for safety in 2007 but apparently forgot about basic privacy protection.
Limited Fixes for an Industry-Wide Problem
Your immediate options are frustratingly limited since retrofitting encryption into existing TPMS hardware isn’t feasible. Some vehicles use indirect monitoring systems that analyze wheel speed rather than broadcasting radio signals, but these generate more false alarms. The real fix demands industry-wide adoption of encrypted TPMS standards and updated regulations that treat safety systems as potential privacy risks. Until then, your tire sensors keep broadcasting your business to anyone with curiosity and basic radio equipment.
