Passive TPMS Signal Auditor & Privacy Research Toolkit
For educational research into vehicle radio privacy vulnerabilities
Tire Pressure Monitoring Systems (TPMS) are mandatory in vehicles worldwide since 2007–2012.
Researchers from IMDEA Networks discovered that direct TPMS (dTPMS) sensors used by Toyota, Renault, Hyundai, Mercedes, and others broadcast:
- A static unique 24–32 bit sensor ID (never rotated)
- Tire pressure, temperature, battery status
- Unencrypted, in cleartext on 315 MHz / 433 MHz
- Every 30–120 seconds while driving, hourly while parked
Using a ~$100 RTL-SDR receiver, anyone within ~55 meters can silently log, correlate, and track specific vehicles — bypassing license plate readers and GPS entirely.
This toolkit is a research and awareness platform to:
- Detect and log TPMS signals in your area
- Visualize signal activity and fingerprint patterns
- Assess local privacy exposure
- Generate reports for policymakers / researchers
⚠️ Legal Notice: Passive radio reception is legal in most jurisdictions. Active interference, targeted surveillance, or stalking with this tool is illegal. This project is for authorized security research and personal privacy auditing only.
tpms-watchdog/
├── src/
│ ├── capture.py # RTL-SDR signal capture via rtl_433
│ ├── decoder.py # TPMS frame parser (ASK/FSK protocols)
│ ├── correlator.py # Jaccard-index vehicle fingerprinting
│ ├── storage.py # InfluxDB / SQLite backend
│ ├── alerter.py # Configurable alert rules
│ └── exporter.py # CSV / JSON / PDF report export
├── dashboard/
│ ├── app.py # Flask web dashboard
│ ├── templates/ # Jinja2 HTML templates
│ └── static/ # CSS/JS assets
├── config/
│ └── config.yaml # All settings in one place
├── scripts/
│ ├── install.sh # One-shot setup script
│ └── start_capture.sh # Launch capture pipeline
├── tests/
│ ├── test_decoder.py
│ ├── test_correlator.py
│ └── fixtures/ # Sample captured frames (anonymized)
├── docs/
│ ├── SETUP.md
│ ├── HARDWARE.md
│ └── THREAT_MODEL.md
├── docker-compose.yml
└── requirements.txt
| Component | Recommended | Cost |
|---|---|---|
| RTL-SDR Dongle | RTL-SDR Blog V4 | ~$35 |
| Antenna | 433 MHz whip or dipole | ~$10 |
| Host | Raspberry Pi 4 / any Linux PC | ~$55 |
| Total | ~$100 |
git clone https://github.com/YOUR_USERNAME/tpms-watchdog.git
cd tpms-watchdog
chmod +x scripts/install.sh && ./scripts/install.shcp config/config.yaml.example config/config.yaml
# Edit: frequency, storage backend, alert rulespython src/capture.py --freq 433.92M --gain 40python dashboard/app.py
# Open http://localhost:5000docker-compose up -dWraps rtl_433 subprocess and streams decoded JSON frames via MQTT or direct queue.
from src.capture import TPMSCapture
cap = TPMSCapture(frequency="433.92M", gain=40)
for frame in cap.stream():
print(frame) # {'id': '0xA3F2C1', 'pressure_kpa': 220, 'temp_c': 28, ...}Implements the Jaccard Index co-occurrence method from the IMDEA paper:
from src.correlator import VehicleCorrelator
vc = VehicleCorrelator(window_minutes=1)
vc.ingest(frames)
vehicles = vc.cluster() # Groups of sensor IDs belonging to same car# Alert when a known vehicle ID is seen
alerter.add_rule("known_vehicle", sensor_ids=["0xA3F2C1", "0xB1D4E9"])
# Alert on unusual pressure (flat tire or overload)
alerter.add_rule("pressure_anomaly", threshold_kpa=170)- Live signal map — SDR coverage radius overlay
- Sensor registry — All observed IDs with first/last seen timestamps
- Vehicle clusters — Inferred multi-sensor vehicle fingerprints
- Timeline heatmap — Activity patterns by hour/day
- Pressure trends — Per-sensor historical pressure graphs
- Privacy risk score — Estimated re-identification likelihood
This tool is designed to expose a vulnerability, not exploit it. Core principles:
- All captured IDs are hashed before storage by default
- No GPS coordinates stored (only relative signal strength)
- Built-in data retention limits (default: 7 days)
- Export redacts raw IDs in public-facing reports
See docs/THREAT_MODEL.md for full analysis.
| Project | Focus | Notes |
|---|---|---|
| rtl_433 | General 433 MHz decoder | Core dependency — TPMS support built in |
| tpms | TPMS reverse engineering | GNURadio-based, foundational research |
| gr-tpms | GNURadio TPMS blocks | Lower-level signal processing |
| dump1090 | ADS-B aircraft tracking | Same SDR-passive-tracking paradigm |
| OpenMhz | P25 radio monitoring | Inspiration for community signal sharing |
| TPMS Watchdog (this) | Privacy research & visualization | Adds correlation, dashboard, alerts |
- v0.1 — Core capture + decoder + SQLite storage
- v0.2 — Web dashboard (Flask)
- v0.3 — Jaccard correlator + vehicle clustering
- v0.4 — Docker / Raspberry Pi image
- v0.5 — MQTT multi-node sensor network
- v1.0 — PDF report generator for policy submissions
PRs welcome! Please read CONTRIBUTING.md first.
Key areas needing help: new manufacturer protocol decoders, UI improvements, mobile app.
MIT — see LICENSE. Use responsibly.
- IMDEA Networks Research Paper: "Can't Hide Your Stride: Inferring Car Movement from TPMS"
- UN Regulation 155 — Vehicle Cybersecurity
- EU Regulation 2019/2144 — Vehicle General Safety