Car tire pressure sensors: trying to conduct a DoS attack





TPMS (tire-pressure monitoring system) sensors were actively studied many years ago. They periodically transmit tire pressure, temperature and a unique ID, and that ID can be abused to track the vehicle. There is another aspect, though: modern TPMS sensors also contain a receiver, which is normally used to trigger a data transmission when a new sensor appears in the car (the "learning procedure").



In Europe, TPMS sensors usually transmit in the 433 MHz ISM band (industrial, scientific and medical). The receiver operates at 125 kHz, very close to LF RFID. The simplest use of the receiver is to look for the presence of a 125 kHz carrier and then start data transmission. Modern sensors are usually more advanced and expect a modulated carrier containing command packets; transmission is enabled only if a correct command is received.



Once a receiver is present it can, of course, do more than enable data transfer: it may support various other commands, and some sensors even accept firmware updates over this channel.



One such command switches the sensor into "Shipping" mode. Why is it needed? In normal operation the sensor waits for movement (it contains an acceleration/shock sensor) and starts transmitting periodically only when the wheel is spinning, to conserve battery power. A sensor that is not yet installed in a tire should not react to movement at all, and that is what "Shipping" mode is for. In this mode the sensor wakes up only every few seconds and checks for a 125 kHz signal; if one is present, it checks for a valid command, for example a command to enable data transmission, which usually also exits Shipping mode and returns the sensor to normal operation.



This "Shipping" mode can be abused: if we can switch the TPMS sensor of a fitted wheel into "Shipping" mode, the sensor stops transmitting, and after a while the tire pressure warning lights up. To be clear, a disabled TPMS sensor does not change the tire pressure itself, so the immediate effect is an annoying warning rather than a dangerous car. What the driver does lose is the monitoring: a real pressure loss after such an attack would go unreported until noticed some other way.



I decided to examine several TPMS sensors from different cars for the possibility of such a shutdown, and chose sensors for BMW and Ford. This is most likely the case for other car manufacturers as well, because there are only a few TPMS sensor manufacturers, each supplying several vehicle makers. I picked BMW and Ford simply because I was able to find a bunch of cheap used sensors for these cars.



I also looked only at "OEM" sensors for BMW and Ford, meaning sensors installed by the car manufacturer itself. There are also "universal" sensors, usually installed by tire dealers; there are notes about them at the end of the post.



A tool for transmitting at 125 kHz is quite simple to build. There is a cheap TPMS activation tool, the EL-50448, which transmits only an unmodulated carrier, but the hardware is easy to modify to add modulation: most of the time OOK (on-off keying) is used for data, meaning the carrier is simply switched on and off. The EL-50448 generates the carrier with a power amplifier whose enable pin is unused, so that pin can be used to key the carrier. The baud rate is low; 3900 baud is common. The data bits are most often Manchester coded, so the carrier state changes up to twice per bit (7800 changes per second). There is nothing special here, and it can be implemented with whatever microcontroller you prefer. Such a setup costs less than 20 euros, and its transmission range is roughly 20 cm.



How do I find the command that enables Shipping mode? Brute-forcing all possible commands is practical only for short commands, because the sensor listens for the 125 kHz signal only once every few seconds, so each guess costs a whole wake-up interval. For a command of up to two bytes brute force is feasible (it takes several days); for longer commands it is not. You also need a way to tell whether the sensor reacted to a command, for example by monitoring the sensor's power consumption or by listening for its 433 MHz data signal (the latter only works if the command you sent causes a transmission).
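As an added illustration (not the author's tool firmware, which this post does not include), here is what the OOK/Manchester framing described two paragraphs up looks like in code, together with the brute-force budget from the paragraph above. The preamble, the placeholder command bytes and the Manchester polarity are assumptions for illustration; real sensors' command layouts are deliberately not given on this page.

```python
"""Manchester/OOK framing for a 125 kHz LF trigger (added example, not the
article's tool firmware). Assumptions: 3900 baud, IEEE 802.3 Manchester
polarity (0 = carrier on then off, 1 = off then on), a hypothetical 2-byte
preamble, and that level 1 means the EL-50448 power-amplifier enable pin is
driven high. Real sensor preambles and command layouts are not public here."""
from typing import List, Tuple

BAUD = 3900
HALF_BIT_US = 1_000_000 / (2 * BAUD)   # one Manchester half-bit: ~128 us (7800 carrier changes/s)
PREAMBLE = b"\xAA\xAA"                   # assumed sync pattern; 1010... gives the receiver a clean clock


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit count is not a whole number of bytes")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def manchester_encode(bits: List[int]) -> List[int]:
    """Each bit becomes two half-bits with a transition in the middle."""
    chips: List[int] = []
    for bit in bits:
        chips.extend((1, 0) if bit == 0 else (0, 1))
    return chips


def manchester_decode(chips: List[int]) -> List[int]:
    """Inverse of manchester_encode; a pair without a transition is a framing error."""
    if len(chips) % 2:
        raise ValueError("odd number of half-bits")
    bits: List[int] = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if (a, b) == (1, 0):
            bits.append(0)
        elif (a, b) == (0, 1):
            bits.append(1)
        else:
            raise ValueError("no mid-bit transition: lost sync or noise")
    return bits


def build_frame(payload: bytes) -> List[int]:
    """Preamble plus payload as a half-bit (carrier on/off) sequence."""
    return manchester_encode(bytes_to_bits(PREAMBLE + payload))


def enable_pin_waveform(chips: List[int]) -> List[Tuple[int, float]]:
    """Run-length encode half-bits into (level, microseconds) for a bit-banging loop."""
    waveform: List[Tuple[int, float]] = []
    for level in chips:
        if waveform and waveform[-1][0] == level:
            waveform[-1] = (level, waveform[-1][1] + HALF_BIT_US)
        else:
            waveform.append((level, HALF_BIT_US))
    return waveform


def frame_duration_ms(chips: List[int]) -> float:
    return len(chips) * HALF_BIT_US / 1000.0


def brute_force_days(command_bytes: int, wake_interval_s: float) -> float:
    """Worst case: one guess per sensor wake-up, the whole command space tried."""
    return 256 ** command_bytes * wake_interval_s / 86400.0


if __name__ == "__main__":
    cmd = bytes.fromhex("01020304")   # constructed placeholder, not a real sensor command
    chips = build_frame(cmd)
    print(f"{len(chips)} half-bits, {frame_duration_ms(chips):.2f} ms on air")
    print(f"enable-pin segments to bit-bang: {len(enable_pin_waveform(chips))}")
    assert bits_to_bytes(manchester_decode(chips)) == PREAMBLE + cmd
    for n in (2, 4):
        print(f"{n}-byte command, 4 s wake-up: {brute_force_days(n, 4.0):.1f} days to exhaust")
```

Because Manchester never leaves the carrier in one state for more than two half-bits, the enable pin toggles at least every 256 microseconds, which is what lets a receiver recover the clock; the same property lets the decoder reject a frame as soon as a pair arrives without a transition. The brute-force figure shows why the author treats two bytes as the practical limit: with a four-second wake-up, two bytes take about three days, four bytes take centuries.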



Another option is to look at the TPMS tools that tire dealers and repair shops use to test sensors. Some of these tools may support switching a sensor into Shipping mode.



Here are the results (I will not go into details, so that the data cannot be used for malicious purposes):



  • BMW:



    One sensor used in many passenger car models and manufactured by TPMS sensor manufacturer "A" can be switched into "Shipping" mode. A deactivated sensor can be reactivated with another command. In addition, if the sensor detects a rapid change in pressure (for example while the tire is being inflated), it exits "Shipping" mode on its own. The command is four bytes long, so brute force is not applicable.
  • Ford:



    , TPMS «A» ( , ), «Shipping». , BMW. TPMS .



    , TPMS «B», «Shipping». TPMS . , , «» . :



    • TPMS. , , .
    • « » 433 . 433 . (. ), . , ( FSK-, Frequency Shift Keying).


    These examples show that it is in fact possible to destroy that particular sensor by issuing the appropriate command. In addition, if the sensor is in "transmit carrier" mode, it probably interferes with the vehicle's key-fob receiver, which uses the same 433 MHz band as the TPMS sensor.


To transmit these 125 kHz signals you need to be close to the car, but only for a few seconds, since that is how often the sensor checks for the signal. With a larger transmit antenna (which is really just a coil), for example one that fits in a briefcase, the range can be increased to more than a meter.



How can such problems be avoided? It is actually quite simple: the command to switch into "Shipping" mode should not be accepted when the measured tire pressure is above a certain limit, because that means the sensor is installed in a tire on the vehicle. The same goes for the other manufacturer "B" commands, which are most likely production-test or development commands. Note that during my tests the commands described were executed even when the measured tire pressure was in the range of a normal car wheel.
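To make the Shipping-mode behaviour and the proposed fix concrete, here is an added model of a sensor's LF command handling (example code, not any manufacturer's firmware). It covers the normal and Shipping modes described earlier, the pressure-jump exit observed on the BMW sensor, and the pressure gate proposed above. The command names, the 50 kPa "mounted" threshold and the 30 kPa inflation jump are assumptions; the same gate applies to the reprogramming command of the "universal" sensors discussed at the end of the post.

```python
"""Model of how a TPMS sensor handles LF commands (added example; not any
vendor's firmware). Sensor(hardened=False) reproduces the behaviour observed in
the article (Shipping mode accepted at road pressure); hardened=True applies the
proposed fix. Command names, the 50 kPa mounted threshold and the 30 kPa
inflation jump are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Mode(Enum):
    NORMAL = "normal"       # transmits periodically while the wheel is turning
    SHIPPING = "shipping"   # ignores motion, only polls for 125 kHz every few seconds


class Cmd(Enum):
    ENABLE_TX = "enable_tx"        # learning-procedure trigger; also leaves shipping mode
    SHIPPING = "shipping"          # the DoS command from the article
    FACTORY_TEST = "factory_test"  # stand-in for manufacturer "B" test/development commands


MOUNTED_KPA = 50.0          # gauge pressure above which the sensor must be in a tire (assumption)
INFLATION_JUMP_KPA = 30.0   # rapid rise taken as "tire being inflated" (assumption)


@dataclass
class Sensor:
    pressure_kpa: float = 0.0
    mode: Mode = Mode.NORMAL
    moving: bool = False
    hardened: bool = False
    log: List[str] = field(default_factory=list)

    def measure(self, new_pressure_kpa: float) -> None:
        """Periodic pressure sample; a rapid rise exits shipping mode (as on the BMW sensor)."""
        delta = new_pressure_kpa - self.pressure_kpa
        self.pressure_kpa = new_pressure_kpa
        if self.mode is Mode.SHIPPING and delta >= INFLATION_JUMP_KPA:
            self.mode = Mode.NORMAL
            self.log.append("pressure jump: leaving shipping mode")

    def lf_command(self, cmd: Cmd) -> bool:
        """Handle a valid 125 kHz command; returns True if it was acted on."""
        mounted = self.pressure_kpa > MOUNTED_KPA
        if self.hardened and mounted and cmd in (Cmd.SHIPPING, Cmd.FACTORY_TEST):
            self.log.append(f"rejected {cmd.value}: {self.pressure_kpa:.0f} kPa, sensor is mounted")
            return False
        if cmd is Cmd.SHIPPING:
            self.mode = Mode.SHIPPING
        elif cmd is Cmd.ENABLE_TX:
            self.mode = Mode.NORMAL
        self.log.append(f"executed {cmd.value}")
        return True

    def transmits(self) -> bool:
        """Whether the car's receiver gets pressure frames right now."""
        return self.mode is Mode.NORMAL and self.moving


def shipping_attack(hardened: bool, pressure_kpa: float = 230.0) -> dict:
    """Attacker within LF range of a moving car sends the Shipping command."""
    s = Sensor(pressure_kpa=pressure_kpa, moving=True, hardened=hardened)
    before = s.transmits()
    accepted = s.lf_command(Cmd.SHIPPING)
    return {"accepted": accepted, "tx_before": before, "tx_after": s.transmits(), "log": s.log}


def legitimate_fitting(hardened: bool) -> dict:
    """Shelf sensor at 0 kPa: Shipping must still be allowed, and inflation must wake it."""
    s = Sensor(pressure_kpa=0.0, hardened=hardened)
    shelved = s.lf_command(Cmd.SHIPPING)   # allowed even when hardened: 0 kPa is not a tire
    s.measure(100.0)                         # tire fitted and inflated in one step
    return {"shipping_accepted": shelved, "mode_after_inflation": s.mode}


if __name__ == "__main__":
    for hardened in (False, True):
        r = shipping_attack(hardened)
        print(f"hardened={hardened}: accepted={r['accepted']}, "
              f"transmitting before={r['tx_before']} after={r['tx_after']}")
    print("shelf sensor, hardened:", legitimate_fitting(True))
```

The gate does not break the tire shop's workflow: a sensor on the shelf reads roughly zero gauge pressure, so the Shipping command is still accepted there, and the existing pressure-jump exit brings it back to normal operation once the tire is inflated. Only a sensor that is already pressurised, which is the only one an attacker can reach on a driving car, refuses the command.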



Before publishing this article, I contacted the car manufacturers (BMW and Ford). Here's what came of it:



  • BMW:



    - BMW. . , BMW , . TPMS , .
  • Ford:



    - Ford Germany, , « ». -, . , TPMS - , . , , , « » TPMS, Ford. . , , .


Notes on the "universal" sensors commonly used by tire dealers: these sensors are "universal" because they can be programmed for different car models. For a tire retailer the main benefit is that a small range of "universal" sensors is enough, with no need to stock many different OEM sensors for each car model. The most common use of the 125 kHz signal with these sensors is to transmit the programming data into them. Many of these "universal" sensors can be reprogrammed regardless of the measured tire pressure, so the easiest denial-of-service attack is simply to reprogram the sensors for a different car model.





