Since 2008, every new car sold in the US and Europe has been legally required to carry a Tire Pressure Monitoring System — small wireless sensors in each wheel that warn drivers when pressure drops dangerously low. It's a straightforward safety feature. It's also, according to new research, a covert tracking device that anyone with $100 worth of hardware can exploit.
Researchers at the IMDEA Networks Institute in Madrid built a network of cheap radio receivers near roads and parking areas and, over ten weeks, passively collected more than six million sensor signals from over 20,000 vehicles. No hacking required, no physical access to the cars. They just listened.
The reason this works is simple and damning: TPMS sensors broadcast a unique hardware ID in plain, unencrypted radio signals every few seconds while the car is moving. That ID never changes. It's burned into the sensor at the factory and stays there for the life of the tire — or longer, if sensors are reused. Anyone who captures that ID once can recognize the same vehicle the next time it passes any receiver in their network.
The researchers' paper, accepted at IEEE WONS 2026, is titled "Can't Hide Your Stride: Inferring Car Movement Patterns from Passive TPMS Measurements." The name says it all.
What makes this particularly troubling is the combination of cost and invisibility. License plate cameras are expensive infrastructure that people know exists. TPMS receivers are $100 boxes that look like nothing, can be placed anywhere, and leave no trace. A stalker, a private investigator, a corporation, or a state actor could build a city-wide vehicle tracking network for less than the price of a used phone.
There's no patch for this. The sensors in your wheels right now are almost certainly broadcasting a permanent, unique identifier. Current vehicle cybersecurity regulations do not address TPMS at all. Until they do, every drive you take is a data point someone could collect.
Source: EurekAlert — Your car's tire sensors could be used to track you · Carscoops · Cybersecurity News
← all posts