Hacking TMC - Unsuccessfully

Creation date: 07 May 2007

Many TMC Forum members and others will be aware of various postings and responses on the Internet to an article published by an organisation called Inverse Path. The two authors of this article, Andrea Barisani and  Daniele Bianco present how easy it is to “hack” in-car navigation systems using RDS-TMC.

Members have requested that the TMC Forum should respond to the publication and presentation of this article which was made to the CanSecWest security conference, in Vancouver, on the 18-20 April.

The first and overriding statement that should be made is that transmissions of this type are directly analogous to “pirate” radio broadcasts and certainly will, in the case of Europe and the U.S., contravene each countries respective broadcasting legislation and laws. (In the case of the U.K. this is the Wireless Telegraphy Act 2006) which makes it a criminal offence to establish and operate such broadcasts.

Whilst radio piracy exists one also questions the value and motives an individual would have to go to, specifically to set up an RDS-TMC broadcast just to “interfere” with navigation terminals. There would be no guarantee that any passing navigation system would either tune, decode and lastly respond to.

The very transitory nature of the real data in current services also makes any false messages very limited.

Whilst the Inverse Path authors make references to how easy it has been to construct a system to broadcast TMC and obtain the information to do so (considering RDS-TMC is an open Standard this is no surprise) there are a number of points which, if such a situation were to occur, would have either no or very limited effect.

From a hardware point of view establishing a system to broadcast RDS-TMC is relatively straightforward; all that is needed is an RDS Encoder and a low power transmitter and antenna. Information (data) can be presented to the encoder from a PC with the necessary software to construct an Alert C message via the UECP interface commonly used with encoders.

As an example, in order to have some chance of a terminal device responding to the false broadcasts one would either have to (a) transmit on the same frequency as the transmission carrying a legitimate service, (notwithstanding the fact that this would cause significant  interference to the legitimate broadcast), or (b) on a different (unused) frequency around the location.

In the case of (a) there is a chance that the false message could be decoded, but a degree of knowledge would have to be gained on parameters of the message being coded. Whilst in public services and some commercial services no encryption is used, the random use of any location code would result in a randomly located event which may be miles from the receiving terminal device location. In many cases geographical filtering is applied to the navigation system meaning the data would never be displayed. Also random choices of Event codes may not cause the terminal to react.

In the case of (b), i.e. if the transmission is on a different frequency, it is very unlikely that a terminal will even tune to the false service. This is because this frequency will not be either in the main AF list or the secondary AF list broadcast in any of the tuning variants of the TMC data. Also compared to any legitimate broadcast the field strength is likely to be very low overall and thus cover a very limited area, therefore any receiver terminal device passing the location of any false transmission is likely to remain tuned for a very brief period only.

Service Providers and Broadcasters, I am sure, have many protection mechanisms and processes in place to prevent any illegitimate access to their services within their infrastructure. The above only considers the “on-air” hacking that has been discussed in all of these postings, but to reiterate two points, firstly that of the overriding legal issue of pirate broadcasts and secondly the actual motivation and very limited value of undertaking such broadcasts.

Danny Woolard

Chairman - TMC Forum