Hackers spoof car warning system

Computer scientists have brought new meaning to the term war driving by hacking into a moving car's wirelessly-connected warning systems and generating fake error messages. A team from the University of South Carolina and Rutgers sent fake tire pressure messages to the onboard computer, generating bogus warning messages. Tire …


This topic is closed for new posts.
  1. Anonymous Coward


    So other than tires, which for obvious reasons cannot be hard-wired into a car's computer system, and bluetooth phone connections, exactly what other car systems rely on expensive and flaky wireless rather than wired connections for their control-and-command infrastructure?

    I have to believe this is alarmist nonsense.

    1. JC 2

      @ WTF?

      Ah, but the thing is if ANYTHING uses wireless then the hacker has a potential access point into the computer(s). As more of the subsystems interact with each other it is conceivable that using the wireless connection the hacker could inject many different kinds of data, even if the origin of that data was normally a wired connection all they have to do is generate the trouble data code and let the car's computer react in turn. Right now we usually see individual sensor lines to the computer but a bus with multiple sensors on the same subsystem would seem to be the natural trend in automobile electronics evolution.

      For example, no oil pressure = shut engine off. Imagine a movie theater where you have a fire alarm. You don't actually have to activate the existing fire alarm to make people think a fire alarm has gone off, you only need to send the same data to the (computer) brain like the sound and lights associated with an alarm.

      While I don't suggest this level of hacking is possible today, we do see where car design is moving forward towards more complex computing systems that will inherently introduce more bugs as the code base grows.

      1. Charles Manning

        Not really...

        The tyres don't have access to the onboard network directly. The tyres just report data to a sensor that reads the tyre data and reports it to the system. This sensor can only generate tyre data. It is not a generic data gateway that can fake engine data etc. All you've done is mess with the sensor data.

        Sure you can now trigger tyre pressure warnings. You have not actually achieved access to the vehicle network, just spoofed a sensor.

        Not really much different to shining a laser at a temperature sensor to trigger it and triggering an oil temperature warning (except that this can be achieved remotely).

        The biggest problem is really that to the Great Unwashed, hearing "wireless" sounds like a network level intrusion.

        Of course you could hypothesise some potential alarmist scenario where car designers would use wireless for other more critical data (engine, drive train, airbags...) but they don't do this. This is just alarmism.

  2. Anonymous Coward

    Dear Science guys...that seems to me to be a pointless waste of time...

    Far better that they get these wheels to let the local fuzz know where they are at all times....

    Oh dear we seem to have a sudden loss of tyre pressure in all four alloy wheels at the same time....I wonder why that is.

  3. Someone Else Silver badge

    The first thing that got my attention was...

    ...that tire (or tyre, for those of you that drive on the "other" side of the street) pressure sensors are **mandatory** on all cars in the colonies since 2008. While a nice option, I guess it further goes to show that folks on this side of the pond can't be arsed to get out of the car and check their own tires.


    (Or...perhaps one should instead ask which Congresscritters have a hidden financial interest in the companies that make said sensors...Sheesh again!)

  4. No 3

    Not all are wireless

    Something not mentioned is the tire pressure monitoring system on many cars ISN'T WIRELESS.

    The computer just uses the ABS sensors on the wheels to detect a wheel that rotates faster than the others to trigger a flat tire warning.

    So, for those cars there's nothing to exploit with regards to that system.

  5. Thomas 18

    Wait a minute?!

    Are they suggesting that safety critical systems shouldn't feature superfluously wireless communication?

  6. Martin Gregorie

    So we should be thankful that....

    .... malware infections of vehicle systems have never occurred

    ==> YET <==

    1. Anonymous Coward


      It has happened in Knight Rider, and again in Team Knight Rider.

      Coat, hat, Kitt!

  7. Anonymous Coward

    ... furthermore...

    Wow. Cars can be tracked through these sensors.

    Almost as dangerous as requiring all vehicles to display a unique identifier of some sort, possibly mounted fore and aft?

    1. Pascal Monett Silver badge

      Unique identifier fore and aft

      No more dangerous than having a unique physical identifier per individual (ie: a face).

      There is an enormous difference between being recognizable anywhere and being trackable everywhere. That difference is called privacy.

      If I drive my car to given destination, I do not expect the police - or anyone else, for that matter - to take any notice of my trip as long as I do not cause any accident. Even if a patrol car happens to follow the same route for a few kilometers (or miles), I don't expect them to write my number down until I actually do something reprehensible (like cross a white line, or exceed the speed limit).

      If my trip becomes a line in a database whether I've done something wrong or not, then there is violation of my privacy and I will fight against it as much as I can. Nobody has any business tracing my activity without my express consent if I remain within the limits of the law.

  8. Michael C

    incomplete data

    I don't know what cars they checked this with, but my car has to be "trained" to listen to a tire sensor. Every time I rotate the tires, we have to go through a gyration process of moving the car key, gas pedal, and stereo buttons to put it in learn mode, then after a few miles it IDs the 5 sensors (4 tires and spare) that have managed to stay with the vehicle eliminating other tire IDs from other cars, and then determines which tire is on which hub so the controls can tell me the front right tire is low.

    If they had the ID and could send a powerful enough broadcast to overpower the one from the tire, and stick with my car long enough to trigger it to tell me I had a flat then a) I'd know I don't (I've had many flats, it's pretty friggin obvious, and I'd know to ignore the sensor.) Even if I fell for it and pulled over, I'd quickly ID it is faulty readings, which turns out to be harmless other than wasting my time, they're not hacking the engine...(that's been proven not possible). If I did figure I'd been spoofed, it would have to be a car that had been with me for a few miles thus far, and might even be easy to ID based on looking at other drivers, and I'd call 911 and have them arrested.

    Any "hack" that puts you in close proximity to a mark, for an extended period of time, and takes $1500 worth of hardware to pull off (without any financial gain or benefit mind you) and which could be seen by the law as potentially harmful or dangerous (or property damaging), is simply not going to be pulled off in any reality setting other than as a proof of concept.... The most this will do is lead to manufacturers changing the TPMS system slightly to prevent such tampering.

    Also, as for the "privacy" concerns... a) it's illegal for them to collect that data. b) it's a FUCKTON of data to keep and would require tens or hundreds of millions in servers and software just to real-time process the signals (let alone thousands of networked sensors), and then on top store and process that data to build patterns on people, and c) if they want you, all they need is a warrant and a magnetic GPS device, or a cell trace, so such a monitoring system is completely unnecessary.

    1. Anonymous Coward

      That privacy thingy

      "Also, as for the "privacy" concerns... a) it's illegal for them to collect that data."

      So far, that has not kept too many people from doing it. Ask Google, Microsoft, the U.S. Federal Government just to mention the first three that pop to my mind.

      "b) it's a FUCKTON of data to keep and would require tens or hundreds of millions in servers and software just to real-time process the signals"

      Not exactly true. Many car manufacturers already offer the service of tracing their cars for the customer's (in)convenience. First of all, the data is compressed, which can be done at a very low overhead without data loss -- we're talking about text and numbers here. Secondly, since it's just text and numbers being transmitted, it's not really all that much data in the first place. Thirdly, this is the age of Terabyte-plus hard disks stacked up in large arrays. Data storage is not a big investment, and data handling -- once again, it's some text and numbers -- is something that could be done with a few late 1990s workstations, let alone the boxes the car manufacturers have standing around, idling along until the next crash simulation is slotted in. Now, THOSE require some oomph. Location and tyre pressure data, even of a few million vehicles, does not even spin up the cooling fans.

      "c) if they want you, all they need is a warrant "

      Not in the U.S. They don't even need a warrant there. They can just barge in on a telco and demand all the files kept on a person, and if the Telco won't comply, it faces severe trouble. Several agencies that had routinely done that have been retroactively declared sacrosanct by the Bush administration, and the Obama administration has done absolutely nothing to rectify this blatant breach of the U.S. Constitution and several of its amendments.

    2. Anonymous Coward

      Yes, let's try and argue the obvious away

      "If they had the ID "

      Yes, they can get that easily enough. You just explained how your car does it: By listening for everything it can find and then filtering out the obvious mistakes. So take two cars, force a reacquirement, and drive them really close for a couple miles, and suddenly both think they've got 10 wheels. Or maybe they'll just pick the five they heard first. Who knows.

      Not exactly difficult for someone with a display showing all the tags in the vicinity and an awareness of where he's driving to figure it out without the target even noticing.

      "and could send a powerful enough broadcast to overpower the one from the tire"

      No if about that.

      "Even if I fell for it and pulled over"

      Exactly what "they" might have been after. And for some purposes that may well have been worth $1500 and a good chunk of time figuring it out. Even for one single use.

      The point isn't that it may or may not be practicable -- which it is, and is relatively cheap as such things go, and they only get cheaper afterward. The point is that the way the manufacturers went about implementing this stupid law means yet one more obvious attack vector that could have easily been avoided. Only because the people in charge "forgot" to implement even the most basic security, perhaps out of cost considerations. And why not, it's just a tickbox item for them. And the chips are cheap. Let's sprinkle some more around!

      That cheap sprinkling about of chips reachable by radio and devoid of any security is a trend that, frankly, worries me. And not without cause. Let's see how much abuse it takes for the rest of us to re-learn basic security lessons, shall we?

    3. RJ

      Citation needed

      "Even if I fell for it and pulled over, I'd quickly ID it is faulty readings, which turns out to be harmless other than wasting my time, they're not hacking the engine...(that's been proven not possible)."

      -- Michael C.

      Citation needed for the fact that "hacking an engine" is impossible, citation should verify every single EMS system under the sun to back up the statement.

    4. Geoff Campbell Silver badge

      "Proven not possible"?

      Oh, really? That's a proof I'd like to see.


  9. Anonymous Coward


    In a car?

    Why? You've got to get power to the sensors so why not run a data link down there at the same time?

    I guess some loony thought it was a good idea to save money, or something.

    1. Steve Evans

      So Mr smarty pants A/C...

      How would you connect a wire to a tyre pressure sensor? That's tyre as in big rubber thing that goes round and round and round and round and round (getting the idea now?).

    2. Anonymous Coward

      Think a bit next time...

      The sensors either use an embedded lithium cell or are powered remotely by the transceiver. How exactly did you think someone could run a power cable into a wheel?

    3. amanfromearth

      Wrongo pongo

      Most tyre pressure monitoring systems do not require power in the wheel.

    4. Magani

      Sensor Power...

      Dear AC,

      Last time I looked, the sensors were battery powered.

      I guess 'some loony' didn't think that through?

      1. Steve Roper

        All of you

        who think there's no way to get power from a stationary source into a rotating object have obviously forgotten (or never learned) about how commutators and brushes in electric motors work...

        1. Geoff Campbell Silver badge

          Slip rings for electrical contacts

          What puzzles me, however, is how the air lines work for the really fancy tyre inflation system that can work as the car is being driven. There must be some really trick seals involved in that setup.


    5. Anonymous Bastard

      Tomorrow's World

      I seem to recall seeing a clever invention that would generate electricity when flexed. It was announced that a strip of this around the inside of a tyre would then be able to power a small wireless transmitter when the tyre started going flat. You see, although the flat bit is always at the bottom it doesn't stay in the same place relative to the rubber, so it is constantly bending as you drive. Measure how much electricity is being generated and you have a flat tyre warning.

  10. John Smith 19 Gold badge

    Safety critical sensor with *no* authentication

    Let me guess that the handling characteristics of your vehicle will change drastically when your vehicle thinks one (or for real "fun") more of your tires has blown.

    Smart. Make that mandatory and require *no* security.

    Good job.

    1. Anonymous Coward

      Nice guess

      Unfortunately wrong. The TPMS only generates a warning that there might be a problem. Handling characteristics would only be affected by an actual tyre problem. Any stability system wouldn't be connected to this, the relationship is indirect and based on deviation between measured and 'normal' behaviour and as the tyres aren't flat this isn't going to be happening.

      1. david bates

        Not necessarily...

        One of the new Chinese car manufacturers (I forget which one...) decided on a new safety system where, if the car detected a flat tyre it would automatically apply the brakes to stop you dangerously driving on a flat.

        It was then pointed out to them there might actually be very good reasons for needing to stay in as much control as possible in the event of, say, a blowout.

  11. JP19

    So what

    A wireless link between a car tyre and instruments isn't secure because no one gives a shit. Do they think crims are going to go round demanding money with the threat of putting a temporary false warning on your dash?

    As for car tracking maybe they never noticed the big plates with a unique combination of numbers and letters front and back.

    1. DaveyDaveDave

      "the threat of putting a temporary false warning on your dash..."

      ...that makes you pull over to check the tyres yourself, with, "the crims", very close to your car...

      Get it yet?

  12. Matt 21

    Didn't look which type of car

    ...but I can say that the VAG group uses the ABS system sensors to spot if a wheel is spinning at a different speed and therefore likely to have lost pressure.

    It's not wireless and therefore invulnerable to this kind of hack. To be honest I thought all European manufacturers who gave these warning used the same technique.

  13. Anonymous Coward

    yeah, but...

    This is all very clever, but what's the practical application? I mean, apart from being showcased as the latest Q-branch gadget in a (probably never coming) Bond film. I could see this being useful for a narrow spectrum of BlackOps mission profiles, but where could this be problematic for us regular blokes going about our daily lives? I don't travel abroad much, so I needn't worry about being kidnapped by the Russian mafia or Taliban or whatever.* CIA/NSA/FBI aren't subtle enough to use something like this, so no real usefulness there either.

    I suppose the eggheads behind this are merely employing a variation of Sir Edmund Hillary's maxim.

    * but anon, just in case

  14. ElNumbre

    Key Sentence for me...

    The key piece of information is that there is no basic input verification. So if it blindly accepts data, does that mean that it is potentially vulnerable to buffer overflow or code injection style attacks? Interesting, but so far, not the end of the world.

    1. Anonymous Coward


      Lack of authentication doesn't mean anything with regard to overflows or injection attacks in this case.

      These systems are usually run with a very basic dedicated microcontroller and while they may accept spoofed sources due to only doing a sensor ident check, they still only do something with sensors they are expecting an input from. And the packets are fixed format with bounded values so you can't make the system do really stupid things. And even if you could get it to do something unusual it really doesn't matter because what's going to happen - you can't get anywhere into other systems and if you crash the uC it'll just restart.

      It's nice that someone thought it was worth the effort to 'prove' the lack of security in these systems - which is immediately obvious from the sensor/controller documentation - but the reason there's no security is because it isn't necessary - why bother with the complexity and overhead for something that no-one will bother with, and even if they do it won't matter anyway?

      1. Anonymous Coward

        Re: the reason there's no security is because it isn't necessary

        So all that ruckus about EBIL CHINESE HACKURS R IN TEH SCADA SYSTEMS is entirely unfounded? Oh well, more golfing time for the various "cybersecurity czars" then.

    2. amanfromearth

      No you twonk

      It's a sensor input. No data path to the canbus, see.

    3. Charles Manning


      This is not a general purpose data interface like a web browser or such. The wireless interface only knows how to process tyre pressure info. It will just grab a 40-bit or so packet, and parse it for sensor data. This will then be reported to the system as a tyre pressure status command.

      If you stuffed code or huge buffers into it all you'd get is crappy pressures.

      This is not really much different to the link used by a wireless mouse (not the BT kind). If you could "hack" it, you'd be able to generate mouse clicks etc. You can't inject code via that interface.
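
The receiver behaviour described in the replies above (fixed-format frames, bounded values, a check against learned sensor IDs), as an added C example that is not part of the original comments and not any vendor's firmware. The 5-byte frame layout, the value bounds and the 30-second interval floor are assumptions made for illustration; the last frame in `main` shows that these checks validate input but do not authenticate the sender.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame layout (an assumption, not a real sensor protocol):
 * bytes 0-3 = 32-bit sensor ID, big-endian; byte 4 = pressure code. */
#define FRAME_LEN       5u
#define NUM_SENSORS     5u    /* four road wheels plus the spare */
#define PRESSURE_MIN    1u    /* 0 treated as a dead sensor (assumption) */
#define PRESSURE_MAX    254u  /* 255 treated as out of range (assumption) */
#define MIN_INTERVAL_S  30u   /* assumed floor, below the 60-90 s period */

enum tpms_result {
    TPMS_OK = 0,
    TPMS_BAD_LENGTH,    /* not exactly one frame: never parsed or copied */
    TPMS_UNKNOWN_ID,    /* ID not among the sensors learned for this car */
    TPMS_BAD_VALUE,     /* pressure code outside the accepted range */
    TPMS_TOO_FREQUENT   /* same ID heard again sooner than a sensor would send */
};

struct tpms_sensor {
    uint32_t id;
    uint32_t last_seen_s;
    uint8_t  pressure;
    uint8_t  seen;
};

struct tpms_receiver {
    struct tpms_sensor sensors[NUM_SENSORS];
    uint32_t rejected;  /* running count, useful as a tamper indicator */
};

void tpms_init(struct tpms_receiver *rx, const uint32_t ids[NUM_SENSORS])
{
    for (size_t i = 0; i < NUM_SENSORS; i++) {
        rx->sensors[i].id = ids[i];
        rx->sensors[i].last_seen_s = 0;
        rx->sensors[i].pressure = 0;
        rx->sensors[i].seen = 0;
    }
    rx->rejected = 0;
}

static enum tpms_result tpms_reject(struct tpms_receiver *rx, enum tpms_result why)
{
    rx->rejected++;
    return why;
}

enum tpms_result tpms_handle_frame(struct tpms_receiver *rx, const uint8_t *buf,
                                   size_t len, uint32_t now_s)
{
    /* Fixed format: anything that is not exactly FRAME_LEN bytes is dropped. */
    if (buf == NULL || len != FRAME_LEN)
        return tpms_reject(rx, TPMS_BAD_LENGTH);

    uint32_t id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    uint8_t pressure = buf[4];

    /* Sensor ident check: only IDs learned for this vehicle are considered. */
    struct tpms_sensor *s = NULL;
    for (size_t i = 0; i < NUM_SENSORS; i++)
        if (rx->sensors[i].id == id)
            s = &rx->sensors[i];
    if (s == NULL)
        return tpms_reject(rx, TPMS_UNKNOWN_ID);

    /* Bounded values. */
    if (pressure < PRESSURE_MIN || pressure > PRESSURE_MAX)
        return tpms_reject(rx, TPMS_BAD_VALUE);

    /* Rate check: unsigned subtraction stays correct across counter wrap. */
    if (s->seen && (uint32_t)(now_s - s->last_seen_s) < MIN_INTERVAL_S)
        return tpms_reject(rx, TPMS_TOO_FREQUENT);

    s->pressure = pressure;
    s->last_seen_s = now_s;
    s->seen = 1;
    return TPMS_OK;
}

int main(void)
{
    /* Constructed sample IDs and frames, not captured from any vehicle. */
    const uint32_t ids[NUM_SENSORS] = {
        0x1A2B3C01u, 0x1A2B3C02u, 0x1A2B3C03u, 0x1A2B3C04u, 0x1A2B3C05u
    };
    const uint8_t normal[FRAME_LEN]  = { 0x1A, 0x2B, 0x3C, 0x01, 0x80 };
    const uint8_t low[FRAME_LEN]     = { 0x1A, 0x2B, 0x3C, 0x01, 0x10 };
    const uint8_t oversized[64]      = { 0 };
    struct tpms_receiver rx;

    tpms_init(&rx, ids);
    printf("normal frame:       %d\n", tpms_handle_frame(&rx, normal, sizeof normal, 100));
    printf("oversized input:    %d\n", tpms_handle_frame(&rx, oversized, sizeof oversized, 101));
    printf("same ID 5 s later:  %d\n", tpms_handle_frame(&rx, low, sizeof low, 105));
    /* Accepted: a well-formed frame with a learned ID cannot be told from the real sensor. */
    printf("same ID 70 s later: %d\n", tpms_handle_frame(&rx, low, sizeof low, 170));
    printf("rejected so far:    %u\n", (unsigned)rx.rejected);
    return 0;
}
```
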

  15. Oldfogey

    Missing the point

    In Spain, it is a common technique for criminals to pull alongside your car and indicate that you have got a problem. When you stop to look, you are mugged.

    Bear in mind that in the open country or on a motorway it is quite usual to be in close proximity to the same vehicle for miles.

    So you are driving along, and the dash indicates a loss of pressure. Do you ignore it until it gets bad enough to feel, or do you pull in at the next parking place and check it out?

    And yes, there is probably far more wireless connection in your car than you think. The wireless chip is very cheap, copper wire is increasingly expensive and requires more labour to install. My 12 year old Peugeot has a wireless connection from the ignition key to the engine management system, and you can bet a new car has lots more.

    YOUR car will be part of Skynet.

    1. Joe H.


      "so we should be thankful that malware infections of vehicle systems have never occurred. "

      Just like the terminatrix did in T3?

  16. Mr Young

    Tyre pressure sensor?

    I use my eyes ( "that tyre looks a bit soft") I think. Anyway - hacking standard protocols for their not intended use is probably a little bit naughty. Good job they can't make a tyre fail happen - that really would be much worse than a dodgy flashing tyre pressure indicator on a modern plastic dashboard thingy

    1. Anonymous Coward


      Try guessing your tyres are a bit soft with a 40 or 35 profile tyre. Doesn't work too well...

      1. Mr Young

        Ye,Ye, mr AC

        I like your low profile tyre boasting, good stuff!!! Anyway - if my eyes aren't working properly I usually notice the tyre pressure problem when driving about.

  17. Andrew the Invertebrate

    The con men are gonna love this

    The con where they get tourists to pull over because of a supposed deflating tyre and steal the luggage whilst helping to change the tyre is going to get a lot easier to pull off.

  18. John Tserkezis

    Easy to fix...

    Firstly, a screwdriver through the alarm speaker (if you haven't already gotten sick of it endlessly fucking beeping while your door is open), then, a bit of black marker over the dash obscuring the warning light.

  19. Steve Evans

    Where can I order?

    Sounds like just what I need to get the slow moving taxi driver out of my way (why do they always do 28mph when they have passengers, and 35mph when empty?)...

    Oh, and just think how great it would be to get the (insert latest rep mobile here) that's trying to climb into your boot/trunk to back off on the motorway?! Although in that case I think I'd still prefer a 6 inch steel spike I could launch out the back of my car and straight through the following radiator...

  20. Michael Kean

    Crashing the ECU?

    This from another article...

    "The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.

    Unlike the work earlier this year, these attacks are more of a nuisance than any real danger; the tire sensors only send a message every 60-90 seconds, giving attackers little opportunity to compromise systems or cause any real damage. Nonetheless, both pieces of research demonstrate that these in-car computers have been designed with ineffective security measures."

  21. Antony Riley


    People can typically track cars by their number plates, so yeh, that's a massive worry.

    This sort of stuff amazes me, it's already been shown that most of the firmware on electronic components in cars is vulnerable to buffer overflows, spoofing and just about every other sloppy programming mistake in existence.

    Combine this with one sloppy mistake in the control software for the tire pressure sensors and you've got something out of a James Bond movie.

  22. Christopher W


    My Dad's previous car (Toyota Avensis, circa 2007) had, like most Toyotas built around the turn of the 21st century, a 100% fly-by-wire accelerator system hooked into the ECM/ECU.

    I can imagine a time not too far from now when the entire pedalset is wirelessly linked, probably encrypted with WEP knowing how tempting it is to not bother with all that tricky 2048bit private key nonsense

    Mine's the one with a real metal key to put into the ignition of my backup 2001 Ford

  23. adnim

    I'm waiting for the...

    Apple patent. The signals from the tyre pressure sensors are picked up by an iPhone, this information is forwarded to Apple. Apple send Kwik Fit adverts to your mobile.

    Obvious really.

  24. Justin Maxwell


    "the trick reportedly took a great deal of ingenuity to pull off."

    WTF - that's like "what do we do first", "well, duh, sniff the wireless data"

    ten minutes later

    "tooooo easy!"

    Given the total lack of security considerations, I wonder if hardwired sensors in the car are tied into the same protocol, perhaps they could be targeted just by changing some sensor ID bytes in the wireless message.

  25. This post has been deleted by its author

  26. Steve Smith 5

    A bit OTT

    .....I mean all that bother just to try to con motorists out of 10p by making them think they have to use the tyre inflators on garage forecourts, when they pull in to fill up.

  27. James Woods

    topic is a little scary isn't it

    The world will come to an end tomorrow if people assume their vehicles have flat or low tires.

    Why not just say hackers deflate tire pressure indicators?

  28. Henry Wertz 1 Gold badge

    @Someone Else

    It's for car tracking. I have a 2000 Buick that uses the rotational speed comparison. It's effective, and required no extra hardware (since the car already has antilock brakes, it already has wheel speed sensors on each wheel). Requiring direct sensors is ENTIRELY unnecessary, and it's transparent to me that it is so it's easier to track cars. I don't think there's some ubiquitous system to DO this, and there's assurances they won't do this. However...

    After assurances the telecoms would be held accountable, they were given blanket immunity for illegal wiretaps they performed. What's even worse is it didn't place the telecoms on even ground -- the head of Qwest REFUSED to permit illegal wiretaps, and told the gov't to get warrants. The gov't cancelled large contracts with them, then dug until they could find some pretext to arrest him. They decided he improperly documented something minor like $1000 in cash and stock and arrested him for it. So, I'm sure after the assurances these can't be legally used for tracking, well, they'll just be *illegally* used for tracking, then the gov't will give those people immunity too.

    Probably, if I get a newer car, I'll just replace my pressure sensor caps with plastic ones, and tape over the "low tire" light. I don't think I'm being watched, but I can check my own tires.

  29. Anonymous Coward

    Bit nasty

    Bad guys see a lone driver, a woman perhaps, driving late evening, fake warnings in the car's dashboard, get driver to pull over...robbery, steal car or worse.

  30. Anonymous Coward


    "so we should be thankful that malware infections of vehicle systems have never occurred"


  31. Henry Wertz 1 Gold badge

    Assembly language

    @Antony Riley, yes indeed. I'd be most interested to see what could be done with GM's software in particular. On the one hand, I think they keep the computers isolated. On the other hand, at least through the mid-1990s, the engine management software was written in pure assembly language. All sensor values were assumed to be a 1-byte value (0 for 0 volts/minimum value through 255 for 5 volts/maximum value.) Of course, 0 then indicates a dead sensor, unplugged sensor, or broken wire, while 255 indicates a short. These were older vehicles without a bus, I assume they wouldn't implement CAN in assembly 8-)

  32. Nick Wallis

    Static Identifier privacy concerns

    Interesting that the use of 32bit static identifiers "raises privacy concerns as vehicles can be tracked through these identifiers." when you need to be tracking the vehicle within "40 metres" in the first place.

    At which distance you can see that rather larger static identifier the number plate.

    Point well and truly missed.

  33. Graham Bartlett

    @Antony Riley

    "This sort of stuff amazes me, it's already been shown that most of the firmware on electronic components in cars is vulnerable to buffer overflows, spoofing and just about every other sloppy programming mistake in existence."

    Has it? Show me.

    The only vulnerabilities I've ever heard of, as a professional automotive software engineer, relate to handling of the local in-vehicle network. *IF AND ONLY IF* you have direct physical access to the vehicle's CAN bus, you can inject invalid data. This is by design, because if you've managed to plug something into the CAN bus then you have physical possession of the car anyway.

    What *REALLY* amazes me is the phrase "control software for the tire pressure sensors", particularly in association with some fictional worst-case scenario, which tends to suggest that the author doesn't have a sodding clue. It's a sensor which does not interact with the control system. If your door isn't closed, does it affect the "control software" so that the car goes out of control? Thought not.

    You might also be interested to know that cars today are (and have been for decades) fully stable when you get a flat. The old A-Team meme of shooting out a tyre just cannot happen - the suspension physics doesn't allow it. The only reason today to shoot out a tyre is to slow the car down - the driver remains in complete control.

    So the absolute worst-case is a false-positive report of a fault. If there starts to be a big problem with people running around with $1500 of tyre-fault-spoofing equipment, and people's cars showing up a lot of annoying messages, then maybe something will be done about it. If not, who the hell cares? And as another poster has already pointed out, it's relatively straightforward to code up solutions to this, so it's only going to happen to cars with trivial (most likely first-generation) versions of tyre sensors anyway. And the worst that can ever happen is annoying messages coming up on the dash. Big Frigging Deal.

  34. ContentsMayVary

    Cheaper and quicker...

    If you wish to interfere with other car drivers, I think it would be much cheaper and quicker to simply shoot their tyres...

  35. Anonymous Coward

    Why won't you tell me

    What make or model of car is being referred to in the study?
