Just read about this – in Feb 2026, researchers at IMDEA Networks Institute (in Spain) along with collaborators from European universities published a paper about using TPMS sensor data to track vehicles.
Modern vehicles (especially those manufactured since around 2008, when TPMS became mandatory in many regions like the US) use Tire Pressure Monitoring Systems (TPMS). These consist of small battery-powered sensors inside each tire that wirelessly transmit data—primarily tire pressure and temperature—to the car’s onboard computer. This triggers the dashboard warning light if pressure drops too low.
Many TPMS sensors broadcast this data in cleartext (unencrypted) using radio frequencies (typically around 315 MHz or 433 MHz, depending on the region/vehicle). Crucially, each sensor includes a unique identifier (ID)—a fixed code assigned to that specific sensor/vehicle combination. This ID doesn’t change even if tires are rotated or replaced (unless the system is reprogrammed), so it acts as a persistent “fingerprint” for the vehicle.
This post written with Grok AI search assistance.
How the Tracking Works
Anyone with basic, inexpensive radio equipment can passively listen for these broadcasts:
- No interaction with the vehicle is needed—the sensors transmit periodically (especially when the car is moving, as rotation triggers more frequent signals).
- The signals can be picked up from over 50 meters away (and sometimes through walls or other obstacles, since they’re low-frequency RF).
- By capturing the unique ID repeatedly at different locations or times, an observer can track a specific vehicle’s movements, build patterns (e.g., home-to-work routes), or identify it without ever seeing the license plate.
In their 10-week real-world study, the researchers deployed a small network of low-cost receivers near roads and parking areas. They collected over 6 million TPMS messages from more than 20,000 unique vehicles. They verified identities for a subset of 12 cars to confirm the tracking accuracy.
The Device Setup
The researchers highlighted how accessible this is:
- A basic receiver setup costs about $100 (or less in some configurations).
- It often involves off-the-shelf components like:
- A Software-Defined Radio (SDR) dongle (e.g., RTL-SDR).
- A Raspberry Pi or similar single-board computer for processing.
- Simple antennas and free/open-source software (like rtl_433 for decoding common TPMS protocols).
- Such a device can be hidden along roadsides, in parking lots, or near buildings to log passing vehicles covertly.
This isn’t about hacking into the car or stealing data like GPS logs—it’s passive eavesdropping on an unprotected broadcast that’s already happening for safety reasons.
- Privacy risk: It enables mass, low-effort surveillance of vehicle movements, potentially by stalkers, advertisers, law enforcement without warrants, or others.
- Unlike license plate readers (which are visible and regulated in many places), this is stealthier and harder to detect/avoid.
- The signals are automatic and don’t require the car to be “connected” (no internet or Bluetooth needed).
Mitigations
Many newer vehicles (especially post-2020 models) have started using more secure TPMS variants with rolling codes, encryption, or Bluetooth Low Energy instead of plain RF—but a huge portion of the global fleet (hundreds of millions of cars) still uses the vulnerable direct RF type.
Researchers emphasized that TPMS was designed purely for safety, not security, and called for:
- Encryption/authentication in future standards.
- Better regulations for vehicle sensor systems.
- Potential retrofits or awareness for owners (though practical fixes for older cars are limited—short of disabling TPMS, which isn’t safe or legal in many places).
