TPMS Tracking Privacy: $100 Radio Exposes 20,000 Cars

Your car is broadcasting a tracking signal that stalkers, burglars, and data brokers can intercept from 50 meters away using $100 radio receivers. You didn’t know. Your manufacturer didn’t secure it. And it’s perfectly legal. Researchers at IMDEA Networks Institute tracked over 20,000 vehicles in a study presented this week at IEEE WONS 2026, collecting 6 million+ messages from Tire Pressure Monitoring Systems (TPMS), the safety sensors mandated in all US cars since 2007 and EU cars since 2014. The findings reveal an invisible surveillance infrastructure: unencrypted tire sensors transmitting permanent IDs in signals that pass through walls, making vehicle tracking cheaper and stealthier than license plate cameras.

The Technical Reality: Unencrypted Broadcasts Enable Invisible Surveillance

TPMS sensors broadcast unique 32-bit IDs in cleartext every 30-90 seconds, with signals detectable from 50+ meters that penetrate walls and vehicles—unlike license plate cameras requiring line-of-sight. The IMDEA study deployed five low-cost Software-Defined Radio (SDR) receivers and captured 6 million+ messages from over 20,000 vehicles in 10 weeks. Equipment cost: $100 for an RTL-SDR dongle, Raspberry Pi, and free software like rtl_433.

“This makes TPMS-based tracking cheaper, harder to detect, and more difficult to avoid than camera-based surveillance, and therefore a stronger privacy threat,” the researchers note. TPMS signals pass through obstacles, receivers cost 50x less per node than license plate readers, and the monitoring is completely passive: targets cannot detect they’re being tracked.

Real-World Threats: From Stalking to Surveillance Capitalism

The vulnerability enables documented threat scenarios. Domestic abuse tracking via vehicles is already widespread, and TPMS adds a vector requiring zero victim interaction. “Burglars in suburban residential areas could infer the schedule and pattern of a particular household and take advantage of their absence by tracking the vehicles,” the research warns.

The $200 billion+ data broker industry already buys and sells location data. TPMS tracking requires no app permissions, no data breaches, and no consent, just passive receivers near roads or parking garages. A company could build city-wide tracking for under $50,000 and sell movement patterns to insurance companies, marketers, or anyone paying.

The Regulatory Black Hole: 17 Years of Mandatory Sensors, Zero Security

TPMS has been mandatory in US vehicles since September 2007 and EU vehicles since November 2014. Yet after 17 years and 500 million+ vehicles affected globally, NO cybersecurity regulations address TPMS encryption or privacy. Current standards like ISO/SAE 21434 and UNECE WP.29 R155 don’t explicitly cover TPMS.

“Despite these risks, current vehicle cybersecurity regulations do not yet specifically address TPMS security,” researchers emphasize. This is a systems failure: governments mandated safety without security requirements, and manufacturers deployed IoT at massive scale with no encryption. The cost difference is minimal, but zero regulatory pressure meant zero action for 17 years.

No Escape: Why Drivers Have Zero Countermeasures

Drivers can’t disable TPMS, because doing so triggers warnings and inspection failures. They can’t change IDs, which are hardware-coded and permanent. They can’t encrypt signals, because the firmware is fixed. They can’t detect tracking, because passive surveillance leaves no trace. The only “solution” is replacing sensors every few months at $200-400 to rotate IDs manually, which is impractical.

Unlike phone tracking, where you can enable airplane mode, TPMS is always on while driving. Privacy used to offer choices. TPMS removes ALL choice: you’re forced by law to broadcast a tracking signal.

The Bigger IoT Security Pattern: Obscurity Always Fails

TPMS exemplifies IoT security failure. “Security by obscurity” worked when Software-Defined Radios cost $1,000+ and required expertise. Now SDRs cost $100 and open-source software makes exploitation trivial.

In 2010, Rutgers researchers identified TPMS privacy risks. In 2016, security expert Bruce Schneier covered hacking demonstrations. In 2026, IMDEA showed practical large-scale tracking. Every “obscure” protocol gets cracked when tools democratize. Same pattern: Bluetooth LE tracking, WiFi MAC failures, RFID skimming.

Developer Takeaway: Demand Security-by-Design, Not Retrofit Fixes

Physical privacy is dying from cumulative failures in mundane safety features. TPMS shows what happens when regulators mandate features without security and manufacturers optimize for cost over privacy. Existing vehicles won’t be retrofitted. Fixes will take 10+ years. Legacy unencrypted TPMS will remain until the 2040s.

As developers, we must REFUSE to build unencrypted IoT. Demand encryption-by-default in every sensor, protocol, and standard. Push regulators to mandate security alongside safety. If you wouldn’t build a web API broadcasting user IDs in cleartext, don’t accept it in cars, homes, or wearables.
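An added example (not code from the IMDEA study or from any TPMS specification) of the encryption-by-default design argued for above: a hypothetical frame that replaces the permanent 32-bit ID with a fresh nonce and a truncated HMAC tag, so only a receiver paired with the sensor's key can attribute the frame. The key provisioning, field sizes, wheel names and the sample ID are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 4, 8  # assumed field sizes, not taken from any TPMS standard

def legacy_frame(sensor_id: int, pressure_kpa: int) -> bytes:
    """Frame as the article describes it: permanent 32-bit ID sent in cleartext."""
    return struct.pack(">IH", sensor_id, pressure_kpa)

def private_frame(key: bytes, pressure_kpa: int, nonce: bytes | None = None) -> bytes:
    """Hypothetical frame: a fresh nonce plus a keyed tag replaces the permanent ID."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    payload = struct.pack(">H", pressure_kpa)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag + payload

def resolve(frame: bytes, paired: dict[str, bytes]):
    """Receiver side: (wheel, pressure) if a paired key verifies the tag, else None."""
    if len(frame) != NONCE_LEN + TAG_LEN + 2:
        return None
    nonce, tag, payload = frame[:4], frame[4:4 + TAG_LEN], frame[4 + TAG_LEN:]
    for wheel, key in paired.items():
        want = hmac.new(key, nonce + payload, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(tag, want):
            return wheel, struct.unpack(">H", payload)[0]
    return None

def linkable_ids(frames: list[bytes], id_len: int) -> int:
    """Distinct values of the leading identifier field, i.e. what frames can be grouped by."""
    return len({f[:id_len] for f in frames})

def demo() -> dict:
    paired = {"front_left": os.urandom(16), "front_right": os.urandom(16)}  # constructed keys
    legacy = [legacy_frame(0x1A2B3C4D, 230 + i) for i in range(20)]  # constructed sample ID
    private = [private_frame(paired["front_left"], 230 + i) for i in range(20)]
    return {
        "legacy_distinct_ids": linkable_ids(legacy, 4),  # one stable handle
        "private_distinct_ids": linkable_ids(private, NONCE_LEN + TAG_LEN),
        "resolved": resolve(private[0], paired),  # the paired receiver still works
        "stranger": resolve(private_frame(os.urandom(16), 230), paired),
    }

if __name__ == "__main__":
    print(demo())
```

The pressure value still travels in cleartext here and a captured frame can be replayed; a fuller design would encrypt the payload and add a counter.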

TPMS proves “we’ll add security later” means “we’ll add security never.” Privacy doesn’t die from one breach—it dies from a thousand careless deployments of unencrypted sensors, each considered “too small to matter” until they combine into invisible surveillance infrastructure affecting millions.

Key Takeaways

  • TPMS sensors in 500M+ vehicles broadcast unencrypted tracking IDs detectable from 50+ meters
  • $100 in equipment (SDR receiver + software) enables passive vehicle surveillance that penetrates walls
  • Zero regulations address TPMS security despite 17 years of mandatory deployment since 2007
  • No countermeasures exist—drivers cannot disable, encrypt, or detect TPMS tracking
  • Developers must refuse to build unencrypted IoT and demand security-by-design regulations
ByteBot