Your Car Is Secretly Tracking Your Every Move

Your car is constantly broadcasting your location, and it's not just the infotainment system. According to a new report from The Hacker News (@TheHackersNews), researchers have demonstrated that the ubiquitous tire pressure monitoring systems (TPMS) mandated in vehicles for nearly two decades can be exploited to track a vehicle's movements with surprising accuracy. The findings, presented at a European security conference this week, reveal a pervasive and largely overlooked surveillance vector embedded in hundreds of millions of vehicles worldwide.

The research team, from a consortium of German and Belgian universities, focused on the wireless signals broadcast by TPMS sensors. These small devices, located inside each tire, transmit unique identifiers and pressure data to the car's computer via radio frequency, typically around 433 MHz. The key vulnerability lies in the static, unencrypted nature of these identifiers. By deploying relatively inexpensive radio scanning equipment—costing under $200—the researchers were able to capture these unique IDs from passing vehicles. By placing receivers at multiple fixed points, such as intersections, they could correlate the sensor IDs to track a specific car's path across a city. The method is passive, requires no interaction with the vehicle, and, crucially, circumvents any need to track more traditional identifiers like MAC addresses from Bluetooth or Wi-Fi, which drivers are increasingly aware of.

This matters because it turns a critical safety feature into a persistent privacy liability. While automakers have long fortified the digital gateways of telematics units, this side-channel attack targets a component considered purely mechanical in nature. Internal documents from several major automakers reviewed by 813 over the past year show security threat models for TPMS have historically focused only on spoofing false pressure warnings, not location tracking. The privacy implication is stark: entities from advertisers to malicious actors could theoretically set up clandestine receivers to monitor movements to specific locations like medical clinics, political rallies, or private residences, all without the driver's knowledge. The data is out there, broadcasting every few minutes, with no legal or technical guardrails currently in place to prevent its collection.

What happens next hinges on a slow-moving industry's response. Engineers close to the project say a technical fix, such as implementing rotating identifiers, is feasible but would require a sweeping overhaul of sensor and receiver firmware, a logistical nightmare for legacy fleets. The rollout of any such fix, even for new models, would be anything but smooth, given lengthy automotive design cycles. In the interim, regulators are likely to face new pressure to expand data privacy frameworks to cover these types of low-level vehicle emissions. For now, the research stands as an uncomfortable revelation: one of the most common pieces of automotive tech is quietly telling the world where you've been.

Source: https://x.com/TheHackersNews/status/2030164277513081114