smartnuts … the world on the cabaret-style dissecting table

TPMS Security – again

The IMDEA Networks research group, together with academic and government partners, has published a new paper on a long-standing problem (e.g. 1, 2, 3, and 4) in vehicle security and privacy: TPMS wheel sensors still tend to broadcast tyre telemetry over the air in clear text and include identifiers that remain stable for long periods. The paper’s central claim is not that this is a new weakness, but that it is operationally exploitable at scale: with low-cost receivers deployed roadside over weeks, an attacker can collect enough RF traffic to associate sensors to vehicles and infer movement patterns and routines.

On the mitigation question, the uncomfortable but straightforward conclusion is that “securing TPMS communication at the ECU” is only meaningful for the wired hop inside the vehicle, not for the over-the-air link that causes the privacy and spoofing exposure in the first place. If the RF messages remain plaintext broadcasts, no amount of downstream ECU-side hardening will stop passive eavesdropping. A practical security approach, therefore, has to treat the wheel sensor-to-receiver RF link as the primary object to protect. That is exactly where the industry pain starts: securing TPMS is not “just add crypto”. Wheel sensors are among the most constrained devices in the car. They are built to be cheap, sealed, and ultra-low power, expected to survive years on a small battery with a tiny microcontroller and a strict transmit duty cycle. Every additional byte over the air costs energy; every extra millisecond of CPU time costs energy; every increase in code size, memory, or silicon capability increases BOM cost across millions of units. Add to that the operational constraint that tyres and sensors get replaced in the field. Any cryptographic scheme that is strong on paper but fragile in service workflows will either get bypassed by garages or produce customer-facing failures. The hard part is not the AES primitive; it is key provisioning, pairing, re-pairing after service, and doing all of that without turning TPMS into a support nightmare or burning down sensor battery life.
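To make the linkability problem and the RF-link mitigation concrete, here is an added illustration (not code from the paper or from any TPMS vendor): a constructed log of roadside sightings of one vehicle, once with stable factory IDs and once with a hypothetical per-trip pseudonym derived by HMAC from a secret shared only by the sensors and the in-car receiver. The sensor IDs, the secret, the receiver sites and the trip schedule are all made up for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed example: one vehicle with four wheel sensors, each with a
# 32-bit factory ID (values are made up for the illustration).
VEHICLE_SENSORS = (0x1A2B3C4D, 0x1A2B3C4E, 0x1A2B3C4F, 0x1A2B3C50)
# Hypothetical per-vehicle secret shared only by the sensors and the in-car receiver.
VEHICLE_SECRET = b"constructed-demo-key-not-real"

def pseudonym(secret: bytes, sensor_id: int, trip: int) -> int:
    """Per-trip pseudonym: HMAC(secret, sensor_id || trip) truncated to 32 bits.
    Only a receiver holding the secret can map it back to the sensor."""
    msg = sensor_id.to_bytes(4, "big") + trip.to_bytes(4, "big")
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def broadcast_ids(trip: int, rotate: bool) -> frozenset:
    """The identifier set a roadside receiver sees from this vehicle on one trip."""
    if not rotate:
        return frozenset(VEHICLE_SENSORS)
    return frozenset(pseudonym(VEHICLE_SECRET, s, trip) for s in VEHICLE_SENSORS)

def observed_sightings(rotate: bool):
    """Constructed log of (receiver_site, trip_no, id_set): three sites, four trips."""
    route = [("home_street", 0), ("office_gate", 0), ("home_street", 1),
             ("clinic_road", 2), ("office_gate", 3), ("home_street", 3)]
    return [(site, trip, broadcast_ids(trip, rotate)) for site, trip in route]

def longest_track(sightings) -> int:
    """Chain sightings that carry the same identifier set; the longest chain is
    how far a passive observer can follow a single vehicle across sites."""
    tracks = defaultdict(list)
    for site, trip, ids in sightings:
        tracks[ids].append((site, trip))
    return max(len(v) for v in tracks.values())

def resolve(secret: bytes, seen_id: int, trip: int):
    """Receiver-side check: map a pseudonym back to a paired sensor, or None."""
    for s in VEHICLE_SENSORS:
        if pseudonym(secret, s, trip) == seen_id:
            return s
    return None
```

With stable IDs every sighting chains into one six-stop track; with per-trip pseudonyms the chain never exceeds the stops of a single trip, at the cost of one HMAC per sensor per trip and a pairing step that must survive tyre and sensor replacement. Pseudonyms hide identity but do not authenticate the pressure data, so spoofing still needs a separate MAC on the payload.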

Now to the question the paper implicitly dares the reader to ask: how exploitable is this data in a way that causes real damage to a customer? The answer is “it depends”, and the dependency is not a footnote; it is the whole story. Raw TPMS captures are not automatically “person tracking”. They become dangerous when an attacker can bind a TPMS identifier set to a specific human, and when the attacker has enough RF coverage to observe that vehicle repeatedly across meaningful locations. The most plausible harms are classic privacy harms with a physical-world tail: routine inference enabling stalking, identifying when a vehicle leaves or returns, or correlating visits to sensitive locations. A more opportunistic crime angle is also possible: if a criminal can observe that a specific vehicle is away from a home area, that information can support targeted burglary or theft. But those scenarios require intent, persistence, and a capability to position receivers at the right places. For random criminals, there are often cheaper and simpler signals than TPMS, such as social media oversharing, visible number plates combined with camera infrastructure, or direct observation.

This is where a critical reading of the “mass-scale tracking” headline is warranted. Yes, the paper shows that building a passive collection pipeline is technically feasible and relatively inexpensive per receiver. That does not automatically mean it will become a widespread real-world threat actor technique. Large-scale tracking already exists through channels that are more reliable, more geographically complete, and easier to operationalise than opportunistic RF collection. For many adversaries, TPMS is an awkward telemetry source: range-limited, dependent on vehicle proximity, and non-trivial to turn into identity-linked intelligence without additional collection steps. The uncomfortable conclusion is therefore double-edged. On the one hand, TPMS remains a needless privacy beacon and there is no good engineering justification for continuing to broadcast stable identifiers in plaintext. On the other hand, the incremental real-life impact of “mass-scale TPMS tracking” may be narrower than the paper’s framing suggests, because the attackers who can truly do mass-scale surveillance already have better tools, and the attackers who want quick wins often have easier targets. The result is still valuable, but mainly as a warning sign about avoidable leakage and poor protocol hygiene—not necessarily as proof of an imminent new epidemic of TPMS-based tracking.

About the author

Michael Bunzel

Michael Bunzel (aka maschasan) is a lawyer and engineer currently living in Germany. He has been working in the field of Cybersecurity and related laws and regulations for over 25 years now.

Mike took on various roles and functions in the context of Information Security, Cybersecurity, and SCADA/Shopfloor Security at a German car manufacturer in southern Germany for more than fifteen years - currently in the R&D department, with a focus on E/E systems in the context of automotive cybersecurity and related regulations in different markets (e.g. UN, EU, China, Korea, India, US, and others).

Mike has worked with global organizations across dozens of countries, cultures and languages, well-travelled in EMEIA, APAC and the Americas.

All articles in this blog do NOT reflect the opinion of his employer, but are all an expression of his personal view of things.

By Michael Bunzel