Tire pressure monitor systems could reveal driver location
IDG News Service - Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged.
While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study.
"If no one mentions [such flaws], then they won't bother with security," Xu said.
The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington D.C.
The system that the researchers tested monitors the air pressure of each tire on an automobile. The U.S. has required such systems in new automobiles since 2008, thanks to legislation passed after controversy erupted over possible defective Firestone tires in 2000. The European Union will require new automobiles to have similar monitoring systems in place by 2012.
As computerized systems are being increasingly used in automobiles, critics such as Xu are asking what safeguards system makers are putting in place to prevent vulnerabilities in such systems, knowing that bugs and security holes invariably sneak into all software.
Toyota came under the scrutiny of U.S. law makers earlier this year, who asked the car maker if software bugs could be a reason for the unattended acceleration of its vehicles, a charge Toyota officials denied.
With such systems, "people just try to make things work first, and they don't care about the security or privacy during the first run of design," Xu said.
The tire pressure monitoring systems (TPMS) consist of battery-powered radio frequency identification (RFID) tags on each tire, which can respond with the air pressure readings of the tire when wirelessly queried by an electronic control unit (ECU).
The researchers had found that each sensor has a unique 32-bit ID and that communication between the tag and the control unit was unencrypted, meaning it could be intercepted by third parties from as far away as 130 feet.
"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs," the researchers write, in a paper that accompanies the presentation.
Such messages could also be forged. An attacker could flood the control unit with low pressure readings that would repeatedly set off the warning light, causing the driver to lose confidence in the sensor readings, the researchers contend. An attacker could also send nonsensical messages to the control unit, confusing or possibly even breaking the unit.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Topic Center White Papers | Webcasts