IDG News Service reports that researchers from Rutgers University and University of South Carolina have found that radio frequency identification (RFID) systems that transmit data between new cars’ electronic control units and their tires can be forged or intercepted, which could identify the location of the car and driver. (RFID systems transmit data wirelessly from a chip or tag to a reader.) The report (pdf), “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study,” was released in February but will be presented at this week’s Usenix Security Symposium in Washington, D.C.
IDG interviews Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study.
The system that the researchers tested monitors the air pressure of each tire on an automobile. The U.S. has required such systems in new automobiles since 2008, thanks to legislation passed after controversy erupted over possible defective Firestone tires in 2000. The European Union will require new automobiles to have similar monitoring systems in place by 2012.
As computerized systems are being increasingly used in automobiles, critics such as Xu are asking what safeguards system makers are putting in place to prevent vulnerabilities in such systems, knowing that bugs and security holes invariably sneak into all software. […]
With such systems, “people just try to make things work first, and they don’t care about the security or privacy during the first run of design,” Xu said. […]
The researchers had found that each sensor has a unique 32-bit ID and that communication between the tag and the control unit was unencrypted, meaning it could be intercepted by third parties from as far away as 130 feet. “If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,” the researchers write, in a paper that accompanies the presentation. […]
Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. […]
Nonetheless, component manufacturers could take some easy steps to strengthen the security of these systems, the researchers conclude. Communications could be encrypted.