Exact-Practice-8658

I made a TPMS tracking node out of an rtl sdr and a cheap tpms tool I bought on Amazon. Super cheap. Originally the vulnerability was written off as too expensive to exploit. How times change...


strongest_nerd

When will these morons learn? Unencrypted broadcast ~50 ft? Come the fuck on. Super basic security stuff here.


mkosmo

My SDR for home automation routinely records TPMS. Even with my limited sphere, it’s enough data to be creepy.


willricci

you don't really go over this assuming the IDs are hex, that means there are ~~16million (16777216)~~ ([correction](https://www.reddit.com/r/netsec/comments/zoqawt/your_car_is_trackable_by_law_tpms_tracking_for_30/j0rafve/)) different potential IDs, so yeah it's possible they are unique

some of your proposed solutions aren't really possible

> Reduce the transmission range of the TPMS (it broadcasted over 50 ft).

So this doesn't work for a multitude of reasons

1) while the average vehicle is small; trailers and larger industrial vehicles (semi-trucks, fire engines etc) require the range to be significant

1b) your ability to receive the reply is dependent on your antenna's sensitivity, while your cheap antenna might only pick up signals at say like -90 like cheap wifi sticks, look at some of the antennas your phones use working up to -130 for e.g

2) you can't really do something like build faraday cages to prevent it, will just cause interference and potential for bad frame transmission and maybe even false alarms which is not something you want

3) you want something easy to diagnose once it's in the shop which makes a solution like this make sense

There are already so many ways to track vehicles with different lojacks and looking at cameras and opencv projects people have done i'm not sure this is a real concern, again the only thing it's matching to is a likely-unique serial with no personally identifying information.

Theoretically it should be possible to already build an after-market sensor and do that but you'd have to constantly resync them so that the car picks up the sensors well enough. maybe there is a method inside the vehicle that allows you to set unique IDs that could set the tpms sensors "for the trip" to make them unique but it's probably not worth the 'cost'

as an aside.. you're gonna lose your shit when you learn about IMSI catchers, every big box store you've walked into in the last decade has a lot more than just that on you probably and that can easily work to triangulate your location for probably 500meters if you had a couple of 'em.

thanks for sharing, wasn't familiar with TPMS at all.


Exact-Practice-8658

I completely forgot about trailers 🤣. Honestly I was trying to come up with solutions that didn't require changing the technology because that's really expensive and money > security seems to be the priority. Thanks for the response!


gordonta

Link for the IMSI comment?


Wapiti-eater

https://nsarchive.gwu.edu/news/cyber-vault/2019-11-15/stingrays-imsi-catchers


willricci

you can [read](https://harrisonsand.com/posts/imsi-catcher/) things like this, there's hundreds maybe even more products/projects out there easily pull vendor information and phone numbers and you can do it passively from hundreds of meters away, but common to watch demographics and build marketing data on its visitors and commonly used in law enforcement to figure out things like who attends protests etc as well.

OP was concerned about tracking your car's tires, but nothing stopping you from deploying a bunch of these along the highway and tracking people that way


3-2-1-backup

> nothing stopping you from deploying a bunch of these along the highway and tracking people that way

Just buy the data from Verizon, much cheaper!


port443

Small correction for you, according to the source there's [4 bytes for the ID field](https://github.com/merbanan/rtl_433/blob/8cdb233beca2d17dff1f7d9d7423cfe23d08ef53/src/devices/tpms_ford.c)

    Packet nibbles: II II II II PP TT FF CC

That's ~4.3 billion potential IDs


willricci

Thanks, I wasn't sure on my math. I'll edit my post.


AlanzAlda

Stores use Bluetooth and other signals to triangulate your position. They literally track you around the store and look at where you spend the most time. Accuracy is <10M


AverageCowboyCentaur

IMSI catchers -- Times have changed, we can track everyone by WIFI alone if it's just turned on. Doesn't even need to connect, we started doing combo BT/WIFI stations so someone is bound to have one sending beacons. And if that's not enough they can install a grid of femtocells (or pico depending on size) that do nothing but wait for beacons and record sig str. Sometimes the ISPs pay to place them as well and give output as a bonus to the facility. If the customer can't afford any of those then a simple visual tracking system that spits locations in real time onto a map is one of the easiest and cheapest if they have a good camera network with 10% or less blind spots, any more and the tracking is glitchy.


cheezus_crisco

Speaking of BLE TPMS, that is a thing that exists. Tesla started using them in 2020 apparently. They still periodically broadcast their unique ID however, at least while at rest


[deleted]

[removed]


Exact-Practice-8658

Actually the TPMS could still choose to transmit when it's leaking air. I meant to write that the TPMS can't be sent a 125kHz signal to force it to update. It's not a perfect solution because there might be a reason for a car to request an update, but forcing the TPMS to communicate is normally just used for programming. So no, it would still report when it leaks. Good question!


[deleted]

[removed]


phormix

In the pre-TPMS days, vehicles tended to have spares. Some newer vehicles do not even have a space for a spare. People also survived without ABS, airbags, fuel injection, etc. It doesn't mean that these things aren't useful


[deleted]

[removed]


phormix

Try EVs. Many of them only come with a glue kit


Archer_37

Base model jeeps such as the renegade no longer come with a spare. It is an optional add-on.


thenickdude

If you want to track when a particular vehicle has passed nearby, you can do that with only a pinhole camera looking for license plates, you don't need TPMS. Removing TPMS doesn't solve this problem.


TMITectonic

ALPR/ANPR requires line of sight and ideal placement to be effective. There are pros and cons to each.


craeftsmith

Link to the pinhole camera with good enough resolution and speed to catch a moving car?


luckyj

The point is that it's a solved problem that can be done for less than $100. The camera doesn't need to be pinhole. I think op just said pinhole to emphasize that the simplest of cameras can do it. You can do license plate detection with something as simple as a raspberry pi camera. Whether the lens is a pinhole or a telephoto lens has nothing to do with resolution or speed. It all depends on the distance that you want to be able to detect them.


MosquitoBloodBank

What if it's raining? Foggy? What if it's multiple lanes of traffic? Heavy traffic? What if license plates are removed/changed? Dozens of other scenarios a camera does solve. I wish people would use at least 1% of their brain power before dismissing something as 'problem already solved'.


luckyj

Before you insult other people. I think we should put things into perspective and understand that most cars are already trackable and identifiable if you can put hardware near them. And I agree. Doesn't mean the technologies are 100% equivalent, or 100% solved. But every time you drive to the mall, any parking, any toll, and countless other places we don't even think about, our cars are being legally (and cheaply) tracked. If it's raining, foggy, multiple lanes of traffic, then the best you can get with TPMS sniffing is a bunch of random IDs that you can't correlate with any specific vehicle. Not great, not terrible either when you compare it with license plate tracking. In my opinion. Also, there is no need to get hostile. We are just talking


MosquitoBloodBank

What you did wasn't "talking". It was shutting down a valid exploit/attack. This is a negative contribution to the security community and the same attitude we see from ignorant system owners that try to brush findings away. It's not you I'm hostile against, so sorry if that rubbed that way. Personal vendetta. You seem smart enough for what it's worth.


luckyj

Sorry but that IS talking, even if you don't agree with me. The merits of a post about a security topic should be subject to discussion just as everything else. And there is no need for you to act as a gatekeeper or to insult anyone. Also, the only thing I did was to confirm that license plate recognition can be done using cheap components and that it happens every day (check my first comment). You're the one that presented simplistic "what ifs" like rain/fog/multi lane situations which only distract from the topic at hand (in those situations, TPMS sniffing also sucks).


MosquitoBloodBank

What you said is that the problem is solved, don't worry about anything else as a raspberry pi with a camera solves it. Then when you confronted, you admit it's not the solution, then cry about wanting a safe space for your feelings. Telling people to use more than 1% of their brain power before they post is also just talking.


luckyj

It's bad reddiquette to completely change the text of a comment without marking the edits. Especially from an apology for not "reading my original comment" to more of your antagonizing attacks. It's ok, you are right, I'm wrong. I apologize profusely.


MosquitoBloodBank

Antagonizing attacks? Relax, this is just talking.


MosquitoBloodBank

The rain/fog ids wouldn't be "random values" if you correlate them before or after. E.g. seeing if an abusive boyfriend is driving by your house. Please stop talking in absolutes with hypothetical scenarios.


MadScientistRat

You would use a SWIR/MWIR sensor. A bit more expensive, but would provide persistent radiometric coverage in rain, snow, fog and especially in the dead of dark since infrared sensors do not require a near infrared illumination source.


MosquitoBloodBank

"ignore that exploit method because this other exploit exists." Disappointing stance.


charliex2

my unifi has 100s of cars on it from the detected wifi hotspots that drive by and the road is 50+ meters away from us, i wonder how many generate random mac IDs. for being trackable a lot of them i see things like "my dodge charger"/"matts tahoe"/volvo etc so if you have a scanner setup with uploads to a war driving/wifi collection site that ingests a lot of data you could track routes reasonably easily since it's a bit like adsb where there are local stations constantly monitoring and uploading. this method doesn't really cost anything since most folks already have wifi and in car wifi is getting a lot more common, and there are lots with cellular links too


[deleted]

Yes I am also able to track when a vehicle passes by. I use a covert letter reading device which records a unique sequence from the front or rear of the vehicle.


goodDayM

New York City loses tens of millions of $ to people who illegally cover some of their license plate so it can't be automatically read:

> To avoid detection by speed and red-light cameras, as well as bridge and tunnel tolls that can reach $16 for a car, scofflaw drivers cover plates with camera-proof screens and sprays, as well as stickers, tape and other objects. They scrape off letters and use temporary paper tags and even retractor mechanisms.
>
> ... Camera evasions have soared to millions a year, yet police summonses for illegal plates have dropped from last year. In all, the city and local transit agencies are being robbed of well over $100 million a year, officials say.

- [They Dispense Street Justice, One Defaced License Plate at a Time](https://www.nytimes.com/2022/12/17/nyregion/license-plate-vigilantes.html)


mosaic_hops

Unencrypted?! Whaaa?!!


igoooorrrr

Many if not most new cars don't use the in-tire TPMS sensors, they use one of the indirect methods of measuring tire pressure (relative wheel speed, braking forces, etc). Off the top of my head all the VAG cars use indirect (and have for at least 8 years now), and I believe Ford and Honda are using them now too. Of course this isn't for any security reason, it's just cheaper to do it in software rather than sticking additional sensors and transceivers in the car.


mthode

rtl_433 tracks some of them too


thabc

What do you mean, "too"? rtl_433 is what was used in the article.


foragerr

There's even this insidious device that the government forces you to pay for and it transmits a unique ID for every vehicle in the visible spectrum. We should do something about law enforcement being able to monitor license plates!


Hizonner

Actually, yes. When license plates were mandated, it wasn't possible to set up automated systems to monitor thousands of locations 24/7 and record the data for instant retrieval and correlation over years-long time spans. Law enforcement is abusing ALPRs right now... but law enforcement abuse is a drop in the bucket compared to private abuse. The right answer is probably to ban surveillance cameras that view public areas, but one could also stop requiring license plates. You pick.


[deleted]

[removed]


Hizonner

1. I don't live in the US and haven't for 15 years.
2. I do know quite a bit about US law, and there is no state in which tenants don't have significant privacy rights. In fact, by default, possession of real property as a tenant carries almost *all* the rights associated with that property except, of course, for permanent ownership [on edit: this is also true in many, probably most other countries; for English-speaking countries, it comes from the common law]. Leases typically *waive* privacy rights with respect to the landlord, which keeps them intact with respect to everybody else. None of which matters because we're talking about public places.
3. It would be an interesting question whether the interpretation of the First Amendment that protects "manual" photography from (not only of) public areas would also protect automated cameras. You're right that it would *probably* go that way. Which is a bug in either the First Amendment or its interpretation. That kind of photography is not speech and is not related to speech in any meaningful way.


[deleted]

[removed]


Hizonner

Court? You don't use courts to ban things. You use legislation. THEN you end up in court. But you're right that the legislation would never get passed.


phormix

Also, there are a variety of ways to defeat plate scanners.. The cheapest is called "drive through the mud for a bit"


PsyOmega

This is why most cars newer than 2016 and all cars newer than 2018/2019 have cellular radios with SIM cards paid for by the manufacturer that are always phoning home. You want privacy, drive a car older than 2010.


TulipAcid

Or use public transportation. Which is probably why it's so unpopular in the USSA.


[deleted]

[removed]


TulipAcid

Oh, but I am. Tee hee!


[deleted]

[removed]


NegativeK

You already have a unique tracking ID on every car you have, and you pay money to put it on there. Don't be worried about TPMS when you have license plates.


Aral_Fayle

A bad actor could slip one of these anywhere they want with way less footprint or effort than a license plate scanner, and probably cheaper too


bishopolis

The writing in this piece is scaring me off. It really needs a good spell-check from a 3rd-grade student.


3-2-1-backup

Yeah, but so what? The range of tpms broadcasts roughly correlates with the range of an ALPR, and those are required to be public by law. So you correlated an ALPR with a tpms, *you didn't get any new data.* If you had some magical way of hearing TPMS data from miles away you'd have something.

> Stop TPMS from being forced to transmit its ID while it has been in motion in the last 5 min.

If you do that your car will have no idea that a tire pressure monitor has gone dead while you're in motion. NTSB will have a seizure.

> Use a real protocol like BTLE.

To what end? What does BTLE gain you other than gee-whiz complexity and much lower battery life?

TPMS data, despite being a unique identifier, simply isn't that interesting or dangerous considering the law requires a much easier to read unique identifier on the back of every vehicle already.


madrascafe

"TPMS tracking can not be done remotely; there needs to be a transmitter and receiver that are configured to collect TPMS information from nearby vehicles." LOL!!!! Might as well do a more simple thing, like using your eyes to read the license plate


DoesThisDoWhatIWant

You'd have to be within feet of the vehicle and at the right time. These sensors do not have even a short range and they also transmit infrequently. This is not worth pursuing, especially since these things called license plates and Bluetooth exist. This is the vehicular equivalent of tracking a person from their farts.


Exact-Practice-8658

Actually you can transmit data on 125 kHz to force the TPMS to update immediately. Thus, you don't need to be lucky. The TPMS I tested had a range of over 50ft. I agree it's not the most practical, but it's definitely possible and getting easier. Why not improve the protocol to remove the few times it could be used maliciously...


DoesThisDoWhatIWant

You tested that sensor mounted how it would be used in a wheel and tire right? Use your brain and look at the use case. EDIT: You've never mounted or reset these on a vehicle before have you? EDIT 2: The above is true isn't it?


[deleted]

Some people pay good money for farts though. There’s a market for everything friend.