Other Wireless Attack Surfaces
Tire pressure sensors and in-car DAB radios share a property that makes them attractive attack surfaces: both accept untrusted RF input from the environment and feed parsed data into ECUs or head units with no authentication. Research on each has produced practical, wireless, drive-by attacks well before any defensive countermeasures were in place.
Tire Pressure Monitoring Systems (TPMS)
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A TPMS Case Study
Rouf, Miller, Mustafa, Taylor, Oh, Xu, Gruteser, Trappe, Seskar, USENIX Security 2010 [1]
One of the first papers to demonstrate a practical wireless attack against a federally mandated, already-deployed automotive system. NHTSA had required TPMS fitment on all US vehicles sold after 2008, so the vulnerable surface was already at scale when the research appeared.
The team selected two representative sensors (TPS-A and TPS-B) covering high US market share. Both broadcast Manchester-encoded frames in the 315/433 MHz ISM band. Using a USRP with a TVRX daughterboard, GNU Radio, and a commodity ATEQ VT55 trigger tool, they captured I/Q recordings, varied temperature and pressure in a controlled setting, and correlated the resulting bit patterns with the sensor IDs printed on each unit. The recovered packet layout included a 28- or 32-bit sensor ID, pressure, temperature, flag bits, and a CRC; neither sensor used encryption or a message authentication code.
Two consequences follow. First, static sensor IDs enable passive vehicle tracking: a roadside receiver with a low-noise amplifier can read sensor broadcasts at up to 40 meters, with no line of sight required. Second, the ECU accepts any packet with a matching sensor ID, so spoofed frames trigger real warnings. The team drove a second vehicle alongside the target on Interstate I-26 and triggered both the low-pressure and general-warning lights on the dashboard. One extended spoofing run permanently corrupted the target TPMS ECU, requiring dealer replacement.
The authors proposed ID re-randomisation on tire changes; that recommendation remains largely unimplemented in production. The Synacktiv 2024 entry below shows what TPMS spoofing can become when combined with a vulnerable parser stack in a downstream ECU.
Dashboard snapshots during the spoofing demonstration: left front tire shown at 0 PSI with the low-pressure warning illuminated (a), and the general warning light triggered approximately two seconds later (b). Figure from Rouf et al., 2010 (Security and Privacy Vulnerabilities of In-Car Wireless Networks).
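The following is an added example, not code from Rouf et al. or from either sensor vendor. It models the receive path the paper describes: Manchester decoding, a CRC check, and acceptance of any frame whose sensor ID matches the enrolled one. The frame layout (4-byte ID, pressure, temperature, flags, CRC-8), the Manchester polarity, and the CRC polynomial are all assumptions chosen for illustration. The point it makes is the paper's: a CRC protects against channel noise, not against forgery, because it has no secret, so a frame carrying a known sensor ID passes the same check regardless of who transmitted it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout for this illustration (NOT the real TPS-A/TPS-B layout):
 *   id[4] | pressure_raw[1] | temp_c[1] | flags[1] | crc8[1]  -> 8 bytes = 64 bits = 128 chips */
#define TPMS_FRAME_BYTES 8
#define TPMS_CHIPS (TPMS_FRAME_BYTES * 16)   /* two Manchester chips per bit */

typedef struct {
    uint32_t id;
    uint8_t  pressure_raw;
    int8_t   temp_c;
    uint8_t  flags;
} tpms_frame_t;

/* CRC-8, polynomial 0x07, init 0 (assumed). A CRC catches channel noise; it is not a MAC,
 * because it has no secret and any transmitter can compute it. */
uint8_t crc8(const uint8_t *d, size_t n) {
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Manchester decode, assumed IEEE 802.3 polarity: chip pair 01 -> bit 0, 10 -> bit 1.
 * A 00 or 11 pair is a coding violation. Returns bits decoded, or -1 on error. */
int manchester_decode(const uint8_t *chips, size_t nchips, uint8_t *out, size_t out_len) {
    if (nchips % 2 != 0 || nchips / 2 > out_len * 8) return -1;
    memset(out, 0, out_len);
    for (size_t i = 0; i < nchips; i += 2) {
        int bit;
        if (chips[i] == 0 && chips[i + 1] == 1) bit = 0;
        else if (chips[i] == 1 && chips[i + 1] == 0) bit = 1;
        else return -1;
        size_t k = i / 2;
        if (bit) out[k / 8] |= (uint8_t)(0x80 >> (k % 8));
    }
    return (int)(nchips / 2);
}

/* Parse the decoded bytes; the only integrity check available is the CRC. */
bool tpms_parse(const uint8_t *buf, size_t n, tpms_frame_t *f) {
    if (n != TPMS_FRAME_BYTES || crc8(buf, 7) != buf[7]) return false;
    f->id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    f->pressure_raw = buf[4];
    f->temp_c = (int8_t)buf[5];
    f->flags = buf[6];
    return true;
}

/* Constructed sample generator: encode the fields as a chip sequence for the scenarios below. */
size_t build_sample_frame(uint32_t id, uint8_t pressure_raw, int8_t temp_c, uint8_t flags,
                          uint8_t *chips, size_t chips_len) {
    uint8_t bytes[TPMS_FRAME_BYTES] = {
        (uint8_t)(id >> 24), (uint8_t)(id >> 16), (uint8_t)(id >> 8), (uint8_t)id,
        pressure_raw, (uint8_t)temp_c, flags, 0 };
    bytes[7] = crc8(bytes, 7);
    if (chips_len < TPMS_CHIPS) return 0;
    for (size_t i = 0; i < TPMS_FRAME_BYTES * 8; i++) {
        int bit = (bytes[i / 8] >> (7 - i % 8)) & 1;
        chips[2 * i]     = bit ? 1 : 0;
        chips[2 * i + 1] = bit ? 0 : 1;
    }
    return TPMS_CHIPS;
}

/* Receiver model as the paper describes it: decode, check CRC, then match the enrolled sensor ID. */
bool ecu_accepts(const uint8_t *chips, size_t nchips, uint32_t enrolled_id, tpms_frame_t *out) {
    uint8_t bytes[TPMS_FRAME_BYTES];
    if (manchester_decode(chips, nchips, bytes, sizeof bytes) != TPMS_FRAME_BYTES * 8) return false;
    if (!tpms_parse(bytes, sizeof bytes, out)) return false;
    return out->id == enrolled_id;
}

/* Scenario helper: a sender with sender_id reports a pressure; optionally corrupt the first chip pair. */
bool scenario(uint32_t sender_id, uint8_t pressure, uint32_t enrolled_id, bool corrupt, tpms_frame_t *out) {
    uint8_t chips[TPMS_CHIPS];
    tpms_frame_t tmp = {0};
    if (build_sample_frame(sender_id, pressure, 20, 0, chips, sizeof chips) != TPMS_CHIPS) return false;
    if (corrupt) chips[1] = chips[0];               /* 01 -> 00 or 10 -> 11: coding violation */
    bool ok = ecu_accepts(chips, TPMS_CHIPS, enrolled_id, &tmp);
    if (out) *out = tmp;
    return ok;
}

int main(void) {
    tpms_frame_t f;
    printf("genuine sensor, enrolled ID:    %d\n", scenario(0x0A1B2C3Du, 36, 0x0A1B2C3Du, false, &f));
    printf("unknown ID:                     %d\n", scenario(0x11111111u, 36, 0x0A1B2C3Du, false, &f));
    printf("corrupted chips:                %d\n", scenario(0x0A1B2C3Du, 36, 0x0A1B2C3Du, true, &f));
    printf("any sender, enrolled ID, 0 PSI: %d\n", scenario(0x0A1B2C3Du, 0, 0x0A1B2C3Du, false, &f));
    return 0;
}
```

The last scenario is the one that matters for the paper's spoofing result: the receiver cannot tell a genuine 0 PSI report from a frame that merely carries the same static ID and a freshly computed CRC. Rotating the ID (the authors' proposal) narrows the window in which a learned ID stays useful; only a keyed MAC would let the ECU reject frames it did not originate from the paired sensor.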
0-Click RCE on Tesla Model 3 Through TPMS Sensors
Berard, Imbert, Dehors (Synacktiv), Hexacon 2024 [3]
This Pwn2Own Vancouver 2024 entry uses forged BLE TPMS advertisements processed by the Tesla VCSEC ECU (PowerPC SPC56, FreeRTOS, VLE mode) as its entry point; the primary impact is arbitrary CAN write on the vehicle bus.
VCSEC supports a sensor enrollment flow that activates when the car has been moving for 90 seconds at over 25 km/h and a previously enrolled sensor is absent. The bug is an integer overflow in the X.509 certificate reassembly function: startIndex is a uint32_t, and the bound check (startIndex + data_size) <= 512 wraps around when startIndex is near UINT32_MAX, so the check passes and the copy writes out of bounds into global memory located before the 512-byte certificate buffer. A struct pointer containing a function pointer sits immediately before that buffer; overwriting it and triggering certificate validation redirects execution to shellcode, since this target has no ASLR, CFI, or stack canaries. Two ESP32 modules implement the attack: one races VCSEC to the real sensor to prevent enrollment; the second simulates a sensor that VCSEC then adopts, and delivers the malformed certificate.
BLE attack chain for the TPMS exploit: the Racer ESP32 blocks VCSEC from enrolling the real sensor, forcing VCSEC into auto-learn mode where it connects to the Simulator ESP32 and triggers the certificate reassembly overflow. Figure from Berard, Imbert, Dehors, 2024 (TPMS Hexacon 2024).
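As an added example (not Tesla's code and not the Synacktiv exploit), the bound check in the shape the talk describes, next to a hardened form that cannot wrap. The buffer size of 512 and the uint32_t types come from the talk; the function names and the sample chunk are constructed for the illustration, and no struct pointer is placed before the buffer, so the program never corrupts memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define CERT_BUF_SIZE 512                 /* certificate reassembly buffer size given in the talk */

static uint8_t cert_buf[CERT_BUF_SIZE];   /* stands in for the global buffer (constructed) */

/* Bound check in the form the talk describes: startIndex + data_size is computed in uint32_t,
 * so a startIndex near UINT32_MAX wraps the sum back to a small value and the check passes. */
bool bound_check_wrapping(uint32_t start_index, uint32_t data_size) {
    return (start_index + data_size) <= CERT_BUF_SIZE;
}

/* Hardened form: compare each operand to the buffer before combining them, so no sum can wrap.
 * Equivalent to: start_index <= SIZE && data_size <= SIZE - start_index. */
bool bound_check_safe(uint32_t start_index, uint32_t data_size) {
    if (start_index > CERT_BUF_SIZE) return false;
    if (data_size > CERT_BUF_SIZE - start_index) return false;
    return true;
}

/* Reassembly step guarded by the safe check. Returns false when the chunk is rejected. */
bool cert_append_chunk(uint32_t start_index, const uint8_t *data, uint32_t data_size) {
    if (!bound_check_safe(start_index, data_size)) return false;
    memcpy(cert_buf + start_index, data, data_size);
    return true;
}

/* Constructed chunk used by the demonstration (looks like the start of a DER SEQUENCE). */
const uint8_t sample_chunk[16] = { 0x30, 0x82, 0x01, 0xF4, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void) {
    uint32_t near_max = 0xFFFFFFF0u;      /* near_max + 16 wraps to 0 in uint32_t */
    printf("wrapping check accepts start=0x%08X size=16: %d\n", near_max, bound_check_wrapping(near_max, 16));
    printf("safe check accepts the same:                  %d\n", bound_check_safe(near_max, 16));
    printf("safe check, in-bounds start=496 size=16:      %d\n", bound_check_safe(496, 16));
    printf("safe check, one byte over (start=497):        %d\n", bound_check_safe(497, 16));
    return 0;
}
```

The wrapping form accepts start=0xFFFFFFF0 with size 16 because the sum is 0; the hardened form rejects it because 0xFFFFFFF0 already exceeds the buffer. A reviewer looking for this class of bug in a reassembly routine checks every `offset + length <= SIZE` comparison for operands that are attacker-supplied and wide enough to wrap.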
Digital Audio Broadcasting (DAB)
Broadcasting Your Attack: Security Testing DAB Radio in Cars
Andy Davis (NCC Group), TROOPERS 2015 / Black Hat USA 2015 [2]
Factory-fitted DAB radios are standard on most new vehicles, and the head unit processing broadcast data typically connects to the CAN bus. Because DAB is a broadcast medium, a single attacker transmission reaches every receiver in range simultaneously.
DAB carries multiple data layers above the audio, each a distinct parsing surface. The Fast Information Channel (FIC) delivers ensemble and service metadata as Fast Information Groups (FIGs). The Multimedia Object Transfer (MOT) protocol carries JPEG and PNG slideshow images rendered on the head unit display. Programme Associated Data (PAD) carries Dynamic Label Segment (DLS) text displayed as station or track information. FIG 0/6 service linking records and FIG 0/22 transmitter databases are fetched over the air and stored locally, with fixed-size allocation in some implementations.
Davis built a custom DAB transmitter from OpenDigitalRadio components and a USRP B200, then extended it into a fuzzer covering every protocol layer without touching the radio modulation. Testing against in-vehicle head units from multiple manufacturers produced code execution via a malformed JPEG or PNG through MOT, format-string conditions in DLS and ensemble label fields, SQL injection candidates where ensemble metadata is stored in a local database, and buffer overflow candidates in FIG database parsers. In some architectures, D-Bus interfaces on the head unit were bound to all network interfaces and exposed CAN access, enabling ADAS feature manipulation after gaining code execution.
A single low-power transmitter on an unused DAB frequency can reach every compatible receiver driving through the coverage area, with no per-vehicle targeting required.
DAB attack surface diagram listing the protocol layers and media types that form the receiver's parsing exposure: FIG data within the ETI stream, MOT, DLS labels, and media formats including images and video. Figure from Andy Davis (NCC Group), 2015 (Broadcasting Your Attack).
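As an added example (not NCC Group's fuzzer or any head-unit vendor's code), a bounded DLS label handler of the kind the format-string findings above call for. The segment encoding here (a length byte followed by label bytes) and the 128-byte label limit are assumptions for the illustration, not the real PAD/DLS framing. The label is rejected if it is empty, oversized or truncated, rendered into a fixed buffer with non-printable bytes replaced, and only ever passed to printf as a %s argument, never as the format string.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define DLS_MAX_LEN 128   /* assumed maximum label length for this illustration */

typedef struct {
    uint8_t len;
    uint8_t text[DLS_MAX_LEN];
} dls_segment_t;

static char display[DLS_MAX_LEN + 1];   /* fixed-size display buffer, as a head unit would have */

/* Constructed segment encoding (not the real PAD/DLS framing): byte 0 = length, then label bytes.
 * Rejects empty, oversized, and truncated segments before anything is copied. */
bool dls_parse(const uint8_t *pad, size_t n, dls_segment_t *seg) {
    if (n < 1) return false;
    uint8_t len = pad[0];
    if (len == 0 || len > DLS_MAX_LEN) return false;
    if (n < (size_t)len + 1) return false;     /* declared length exceeds what was received */
    seg->len = len;
    memcpy(seg->text, pad + 1, len);
    return true;
}

/* Render into a bounded buffer: non-printable bytes become '?', the result is always NUL-terminated. */
bool dls_render(const dls_segment_t *seg, char *out, size_t out_len) {
    if (out_len < (size_t)seg->len + 1) return false;
    for (size_t i = 0; i < seg->len; i++) {
        unsigned char c = seg->text[i];
        out[i] = isprint(c) ? (char)c : '?';
    }
    out[seg->len] = '\0';
    return true;
}

/* Entry point for an incoming segment: returns the rendered text, or NULL if it was rejected.
 * The label only travels as a %s argument; using it as the format string itself (printf(label))
 * is the format-string condition the talk reports in DLS and ensemble label fields. */
const char *dls_handle(const uint8_t *pad, size_t n) {
    dls_segment_t seg;
    if (!dls_parse(pad, n, &seg)) return NULL;
    if (!dls_render(&seg, display, sizeof display)) return NULL;
    printf("DLS: %s\n", display);
    return display;
}

/* Constructed sample segments. */
const uint8_t fmt_pad[]       = { 6, '%', 'x', '%', 'x', '%', 'n' };   /* format directives, treated as data */
const uint8_t ctrl_pad[]      = { 3, 'A', 0x07, 'B' };                  /* contains a BEL control byte */
const uint8_t truncated_pad[] = { 10, 'A', 'B', 'C' };                  /* claims 10 bytes, carries 3 */
const uint8_t oversized_pad[] = { 200, 'A' };                           /* claims more than the maximum */

int main(void) {
    dls_handle(fmt_pad, sizeof fmt_pad);
    dls_handle(ctrl_pad, sizeof ctrl_pad);
    printf("truncated rejected: %d\n", dls_handle(truncated_pad, sizeof truncated_pad) == NULL);
    printf("oversized rejected: %d\n", dls_handle(oversized_pad, sizeof oversized_pad) == NULL);
    return 0;
}
```

The same two rules (length checked against both the received byte count and the fixed buffer before copying; untrusted text never used as a format string) apply unchanged to ensemble labels and to the FIG records stored in fixed-size tables, which is where the overflow candidates above were found.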