TPMS (tire-pressure monitoring system) sensors were researched extensively
many years ago: they periodically transmit the tire pressure, temperature
and a unique ID, which can be misused for tracking a vehicle. But there is
another aspect: modern TPMS sensors also have a receiver, which is typically
used to trigger the data transmission when a new TPMS sensor is presented to
the vehicle (“learning procedure”).
Here in Europe TPMS sensors usually transmit on the 433 MHz ISM band. The
receiver operates on 125 kHz, very similar to LF RFID. A simple way to make
use of the receiver is just to look for the presence of the 125 kHz carrier
and then trigger data transmission. Current sensors are usually more evolved
and use a modulated carrier that contains command packets; data transmission
is only triggered if the correct command is received.
If you already have a receiver you can of course do more than just trigger
data transmission: for example there might be support for different
commands; some sensors even allow firmware updates this way.
One such command which is typically supported is switching the sensor into
“Shipping” mode. Why would you need that? When the sensor is operating
normally it waits for motion (there is an acceleration/shock sensor inside)
and only starts periodic data transmission when the wheel is rotating. This
is used to save battery life. When the TPMS sensor is not yet mounted in the
tire it should not react to motion; that’s why there is this “Shipping” mode.
In this mode the sensor only wakes up every few seconds and checks whether
there is a 125 kHz signal; if so, it checks for a valid command, for example
the command to trigger data transmission, which usually also leaves “Shipping”
mode and switches the sensor into normal operation.
This “Shipping” mode can be misused: if you can switch a TPMS sensor of a
vehicle’s wheel into “Shipping” mode, the sensor will no longer transmit data
and the vehicle’s tire pressure warning light will go on after a while.
Just to make it clear: this warning light is annoying to the driver, but it
does not affect the safety of the car, because deactivating the TPMS sensor
does not affect the actual tire pressure.
I have looked at a few TPMS sensors for different cars to see if this really
works; I chose sensors for BMW and Ford cars. Please note that most certainly
other car manufacturers are affected too, mainly because there are only a
few manufacturers of TPMS sensors, which deliver their sensors to various
car manufacturers. My choice of BMW and Ford came from the fact that I
found lots of cheap, used sensors for those cars.
Also, I only looked at “OEM” sensors for BMW and Ford, which means that those
sensors are mounted by the car manufacturer. There are also so-called
“Universal” sensors which are typically mounted by tire dealers; there
are some notes about them at the end of this text.
It is quite easy to build a tool for transmitting data on 125 kHz: there
is the cheap EL-50448 TPMS sensor activation tool, which only transmits a
carrier without modulation. However, the hardware can easily be modified
to modulate the carrier: most of the time OOK (On-Off Keying) is used
for communication, which means that the carrier is just turned on and off.
The EL-50448 uses a power driver with an unused “enable” pin to generate
the carrier, and you can use this “enable” pin to modulate the carrier. The
data rate is slow; a frequently used rate is 3900 baud. Most of the time
Manchester encoding of the data bits is used, which means that the carrier
changes twice as often (7800 changes per second). This is nothing special
and can be done with probably any microcontroller you prefer to use. The
hardware costs for such a setup are below EUR 20, and the transmission range
is about 20 centimeters.
How can you find the command to switch to “Shipping” mode? Brute force by
trying all possible commands is only an option if the command is short.
The reason is that the sensor only looks for the LF 125 kHz signal every
few seconds. If the command is not longer than two bytes, brute force is
possible (it takes a few days); for longer commands it is impractical.
Please note that you also have to find a way to detect whether the command you
send causes a reaction from the TPMS sensor, e.g. by monitoring the power
consumption of the sensor or receiving the 433 MHz data signal (which of
course only works if the command you send causes a data transmission).
Another option is looking at those TPMS tools which tire dealers and
car repair workshops use to check TPMS sensors. Some of those tools
might support switching a TPMS sensor into “Shipping” mode.
Those are the results I found (I won’t go into the details to avoid misuse):

  • BMW:
    A certain sensor used in several car models from TPMS sensor manufacturer
    “A” can be switched into “Shipping” mode. The deactivated TPMS sensor can
    be activated again with a different command. Also, if the sensor detects a
    fast pressure change (e.g. by inflating the tire) the sensor leaves
    “Shipping” mode. The command length is four bytes, so brute force is not an option.
  • Ford:
    A certain sensor used in several car models from TPMS sensor manufacturer
    “A” (the same manufacturer as above for the BMW sensor) can be switched
    into “Shipping” mode; it is the same command as used by the BMW sensor
    from above. The deactivated TPMS sensor can be activated again with a
    different command.
    A certain sensor used in several car models from TPMS sensor manufacturer
    “B” can be switched into “Shipping” mode. The deactivated TPMS sensor can
    be activated again with a different command. The command in this case is
    only two bytes, and I tried all combinations, which resulted in several more
    “interesting” commands, a few examples:

    • It is possible to completely turn off the TPMS sensor. In this case it
      will no longer react to anything; you have to break open the sensor
      case and apply a hardware reset or disconnect the battery to reactivate
      it again.
    • It is possible to switch the sensor into continuous “carrier transmit”
      mode on 433 MHz. In this mode the sensor will continuously transmit
      the 433 MHz carrier until the battery is empty or you apply a hardware
      reset (see above); it will not react to anything else. There are two
      other similar commands which transmit on the upper and lower shifted
      frequency (the sensor uses FSK modulation, Frequency Shift Keying, when
      transmitting data).

    Those examples show that it is basically possible to destroy this specific
    sensor by transmitting the appropriate command. Also if the sensor is in
    “carrier transmit” mode it probably disturbs the remote control car
    key fob which usually uses the same frequency as the TPMS sensor.

You have to be close to the sensor to send those LF 125 kHz signals but it
only takes a few seconds to send the signal. Using a larger antenna (which is
basically a coil) for the transmitter, e.g. large enough to fit in a suitcase,
might extend the transmission range to more than a meter.
How can those problems be avoided? This is actually quite easy: the command
to switch into “Shipping” mode should not be allowed if the measured tire
pressure is above a certain limit, which means that the sensor is mounted in
the tire of a vehicle. This also applies to those other commands of the sensor
from manufacturer “B”, which are probably some kind of factory test or developer
commands. Please note that during my tests the commands I described were
possible even when the measured tire pressure was in the range of a typical
vehicle wheel.
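To make the suggested mitigation concrete, here is a small sensor-side command gate written for this article as an added example (it is not firmware from any sensor manufacturer). The command codes, the kPa units, the “mounted” limit and the wake-up pressure rise are placeholders I chose for illustration; it also models the behaviour described for the manufacturer “A” sensor, where a fast pressure rise ends “Shipping” mode.

```c
#include <stdbool.h>
/* Placeholder codes, units and limits: assumptions, not any real sensor's values. */
#define MOUNTED_PRESSURE_KPA 100u  /* above this the sensor is treated as mounted in a tire */
#define WAKEUP_RISE_KPA       50u  /* fast rise (inflating) that ends Shipping mode */
enum { CMD_TRIGGER_TX = 1, CMD_ENTER_SHIP = 2, CMD_LEAVE_SHIP = 3, CMD_FACTORY_TEST = 4 };
enum { STATE_NORMAL = 0, STATE_SHIPPING = 1 };
typedef struct { int state; unsigned pressure_kpa; unsigned rejected; } sensor_t;

/* New pressure sample: a fast rise always ends Shipping mode (sensor "A" behaviour). */
void update_pressure(sensor_t *s, unsigned kpa)
{
    if (s->state == STATE_SHIPPING && kpa >= s->pressure_kpa + WAKEUP_RISE_KPA)
        s->state = STATE_NORMAL;
    s->pressure_kpa = kpa;
}

/* Handle one decoded LF command. Returns true if executed, false if refused. */
bool handle_lf_command(sensor_t *s, unsigned cmd)
{
    bool mounted = s->pressure_kpa > MOUNTED_PRESSURE_KPA;
    switch (cmd) {
    case CMD_TRIGGER_TX:   /* learning procedure: always allowed, and both */
    case CMD_LEAVE_SHIP:   /* bring the sensor back to normal operation */
        s->state = STATE_NORMAL;
        return true;
    case CMD_ENTER_SHIP:
    case CMD_FACTORY_TEST:
        /* The fix: refuse silencing/test commands while the pressure shows an inflated tire. */
        if (mounted) { s->rejected++; return false; }
        if (cmd == CMD_ENTER_SHIP) s->state = STATE_SHIPPING;
        return true;
    default:               /* unknown code: refuse and count it */
        s->rejected++; return false;
    }
}

/* Helper: one command against a fresh sensor; returns the new state, or -1 if refused. */
int apply_at_pressure(unsigned pressure_kpa, unsigned cmd)
{
    sensor_t s = { STATE_NORMAL, pressure_kpa, 0 };
    return handle_lf_command(&s, cmd) ? s.state : -1;
}

/* Helper: sensor stored in Shipping mode, then the tire is inflated. */
int state_after_inflation(unsigned before_kpa, unsigned after_kpa)
{
    sensor_t s = { STATE_SHIPPING, before_kpa, 0 };
    update_pressure(&s, after_kpa);
    return s.state;
}
```

The `rejected` counter is there so that refused commands can be reported in the next data transmission, which gives the vehicle a way to notice that someone is sending LF commands to a mounted sensor.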
I contacted the car manufacturers (BMW and Ford) before I published this
article; this is the experience I had:

  • BMW:
    The contact information for reporting security issues can be found on
    the BMW website. I had a phone call with the responsible person within
    a few days after reporting the issue. BMW already knew the problem, they
    found it during an internal review. Their latest TPMS sensors have fixed
    the issue by blocking certain commands if the tire pressure is above a
    certain limit.
  • Ford:
    I wasn’t able to find a security contact on the website of Ford Germany,
    so I contacted the person responsible for “Public Relations”. He promised
    to look for someone who takes care of the issue I reported; after several
    days I got a reply that it is possible to disturb the TPMS system due to
    the nature of radio transmission and that this is a known problem. I wasn’t
    able to communicate directly with the responsible person, and I then replied
    that the reported issue is not about disturbance but a “Denial of Service”
    and that it is even possible to destroy a certain TPMS sensor used in Ford
    cars. I didn’t receive any further information about the security issue; I
    notified them again after several weeks that I was now going to publish
    the issue, which was acknowledged.

Some notes about those “Universal” sensors tire dealers normally use: those
sensors are “Universal” because they can be programmed for different car
models. The main benefit for the tire dealer is that only a few different
kinds of “Universal” sensors have to be in stock; it’s not necessary to have
lots of different “OEM” TPMS sensors for every possible car model lying
around. The programming of those “Universal” sensors most of the time uses the
LF 125 kHz signal to transfer the programming data to the sensor. Many of
those “Universal” sensors can be reprogrammed regardless of the measured
tire pressure, so an obvious “Denial of Service” attack on those sensors is
to simply reprogram them for a different car model.