License Plate Readers Can Now Fingerprint Your Phone, Earbuds, and Tires

License-plate readers already log where your car goes. Now one of the biggest makers wants to log what's inside it — your phone, your earbuds, your smartwatch, even your tires.

Italian defense contractor Leonardo (through its ELSAG brand) has introduced SignalTrace, a "signal intelligence" add-on that bolts onto existing automatic license-plate-reader (ALPR) cameras. Instead of only reading plates, a SignalTrace-equipped site also sniffs the radio emissions of the electronic devices traveling past — and ties those device identifiers to the plate and the location, according to reporting from CarBuzz. For developers, the interesting and unsettling part isn't the marketing — it's how achievable this is with off-the-shelf RF techniques.

What SignalTrace claims to do

Per Leonardo's description, the system detects devices across several wireless technologies: Bluetooth (headphones, fitness bands, watches), RFID (key cards, pet microchips), in-vehicle radios (tire-pressure sensors, infotainment, mobile hotspots), and broader cellular/RF emissions from phones, tablets and laptops. It captures the unique identifiers those devices broadcast, correlates them with a vehicle's plate and GPS position, and stores the result in a central "Enterprise Operations Center" for later querying. Leonardo's US arm holds contracts with U.S. Special Operations Command and the General Services Administration.

None of this requires science fiction. Every signal it leans on is something your devices already shout into the air.

The tech behind it: your gadgets are constantly broadcasting

Passive RF fingerprinting works because radios announce themselves whether or not they're connected to anything:

• Bluetooth / BLE: Classic Bluetooth devices carry a 48-bit address (BD_ADDR), and BLE peripherals broadcast advertising packets several times per second so phones can find them. Many always-on accessories — wireless earbuds, trackers, smartwatches — advertise with stable or weakly-randomized identifiers, which is exactly what a roadside sensor wants.
• Wi-Fi: Phones emit probe requests looking for known networks. These contain a MAC address and, historically, the names of saved networks. Modern iOS and Android randomize the MAC in probes — but the randomization is inconsistent across devices, and the moment a device actually associates with a network it uses its real hardware MAC.
• TPMS (tire-pressure sensors): This is the quiet one. Each sensor transmits a unique 32-bit ID on 315/433 MHz, unencrypted, with no rotation. It's a persistent, per-vehicle hardware identifier that you can't turn off and most drivers don't know exists — a near-perfect tracking beacon.
• RFID/NFC: Access cards, transit cards, pet chips and some payment cards answer when energized, leaking IDs at close range.
• Cellular: Phones constantly transact with towers; specialized gear can detect a handset's presence and, with more effort, its identifiers.

Individually, each of these is a known weakness. Fused together, they become something much harder to dodge.

Advertisement

AirDroid Personal Best mobile device management suite — only $3.99/mo →

The real trick: "devices that travel together"

The clever — and invasive — move is correlation. A single randomized MAC is noise. But the set of devices that consistently appear with one vehicle is a stable signature: your phone, your watch, your earbuds, and your four TPMS sensors showing up together, again and again, at the same plate. That co-presence cluster becomes an electronic fingerprint for a person, not just a car.

It's robust precisely because it's redundant. Swap your SIM and your phone randomizes its MAC, but your earbuds and tire sensors still out you. Put on fresh plates, and the device cloud re-identifies the vehicle anyway. Defeating one signal doesn't defeat the fingerprint — that's the whole design.

What defends against it — and what doesn't

If you build mobile or IoT software, the limits here are worth understanding:

• MAC randomization (Wi-Fi and BLE scanning) genuinely helps and should be on — but it's uneven across vendors, doesn't cover connected sessions, and doesn't touch peripherals that advertise their own static IDs.
• BLE accessories are the soft underbelly: earbuds and trackers prioritize discoverability over privacy, and many never rotate their identifiers.
• TPMS has essentially no privacy mechanism. Short of aftermarket sensors or wrapping them, you can't change that ID — it's the most durable beacon on your vehicle.
• Airplane mode / Faraday pouches work, but nobody drives that way.

The uncomfortable takeaway: the only reliable defense is not emitting, and we've built a world that emits constantly.

Why developers should care

This is the surveillance stack made concrete. The same primitives we use for good — BLE beacons for proximity, Wi-Fi probes for fast reconnection, TPMS for safety — become a tracking grid when a vendor aggregates them at the roadside and sells queryable history to agencies. ALPR data has already been misused for stalking; adding device fingerprints raises the stakes from "where your car was" to "who, specifically, was in it."

For anyone shipping connected hardware or mobile apps, it's a reminder that identifier hygiene is a feature: rotate MACs and BLE addresses aggressively, minimize always-on advertising, and treat any stable identifier you broadcast as something that will, eventually, be collected. The radio doesn't care about your privacy policy — only about what it can hear.