Skip to content
Naked Security Naked Security

RFID repeater used to steal Mercedes with keys locked inside a house

Relay attacks intercept a fob's signals, trick the car into unlocking, and can even be used to drive it away, without a key or a scratch.

Do you own a Mercedes or other fancy car that starts with a keyless fob – and which you’d rather not see thieves drive off in?

Do you own a refrigerator?

If you answered “yes” to both those questions, congratulations! You might not have to stand outside in your slippers, sobbing over a sadly empty parking spot! “Might” because, well, researchers aren’t entirely sure how much metal shielding you need to create a Faraday cage to block key fobs’ “unlock me/start me up!” radio signals.

Why does this matter? Because police in the UK posted a surveillance video on Sunday, showing thieves mysteriously opening and getting into a Mercedes in short order, without a key.

Actually, it’s not all that mysterious. The video depicts a so-called relay attack. It’s well-known. We’ve seen plenty of them over recent years in this, the age of the keyless fob and the relay boxes and signal boosters that steal their signals.

The most recent case is this one in the West Midlands, UK. In the CCTV footage above, two men pull up outside the victim’s house. They’re both carrying relay boxes. West Midlands Police note that the devices are capable of receiving signals through walls, doors and windows, but not metal.

One of the men stands near the victim’s property, waving the device until he gets a signal from a key fob inside the house or garage. The other thief stands near the car with his relay box, which receives the signal from the relay box near the property. The car sniffs the unlock-me signal that’s close by, and it obligingly unlocks the door.

Police think this is the first time such a theft has been captured on CCTV in the West Midlands.

The whole thing took about a minute. Police say that they haven’t yet recovered the Mercedes, which was stolen overnight on 24 September 2017 in the Elmdon area of Solihull, near Birmingham, UK.

A relay box works by extending the signal coming from the car keys inside the house and tricking the car’s system into believing that it’s the actual key. That’s why the car alarm in the Solihull case didn’t go off.

Here’s an example of it happening in Germany:

Here’s 2016 CCTV footage from Houston, Texas:

And here’s a video from the National Insurance Crime Bureau (NICB) featuring newscasters talking about relay attacks in California:

…and featuring NICB researchers who bought a relay attack unit to see how easy it is to steal a car with one.

TL;DR: It’s very easy.

As the NICB notes, it used to be the case that relay attacks would only unlock cars. But now you can not only get in; you can start that pretty little ride and take it for a spin.

The NICB tested a device on over 35 cars, mini vans, SUVs and a pickup truck over a two-week period last year. The relay attack unit – you can buy these things online – opened 19 out of the 35 cars tested. It started 18 of those 19 cars. With two-thirds of those cars, NICB researchers could not only start the cars and drive them away; they could also turn them off and restart them, as long as they had the device inside.

The attack devices vary in signal range and price, with powerful units fetching hundreds of dollars.

In addition, the Berlin-based automobile club ADAC in March 2016 released a study in which it reported that thieves could use a $225 signal booster – in the same ballpark as a relay box – to fool cars into thinking their owners are nearby, allowing them to easily unlock the cars and start them up: a silent theft that doesn’t leave a scratch.

Here’s an idea: try storing your keys in the refrigerator, or the microwave, or whatever other Faraday cage you’ve got kicking around. It would be nice to find out if such cages are strong enough to keep the thieves from driving off with your wheels: if somebody gets your car even with your keys tucked in beside the ice cream, let us know!


Dam, guess it’s time for 2FA for cars.


Here’s an idea: put a slot in the car door next to the handle into which you have to insert a metal authentication token cut into a unique shape, and then turn it to the left or right to prove your presence…


Duck, that’s an amazing idea! Next you’ll see them apply it to houses. I know we’re not supposed to solicit here, but please link to your kickstarter.


This is nothing new. We turn our keys off after locking up the cars. I don’t know if the Mercedes keys are able to be turned off, but when we car shopped, that one feature we look for.
You can’t relay what isn’t there.


Speak for yourself. Just last week I watched someone pull up to their bank, step out of their running car, beep it “locked” while it continued to run (presumably keyless), and walk into the bank. Nothing like a warm car to return to after conducting a 10 minute banking transaction…

I like Paul’s idea for some good old fashioned security.


“…if somebody gets your car even with your cars tucked in beside the ice cream, let us know!” Even in America, fridges aren’t large enough to accommodate both the ice cream and one or more cars ;-)


OOPS! We’ll get that fixed, thank you!


It’s fixed… although I’m not sure you’re right about those American fridges.


You get the rather peculiar irony of drive-through liquor stores in Australia. Drivers park amongst the fridges, if not exactly inside them, while buying their slabs of coldies and their cases of chilled Chardonnay. Does that count?


It’s ironic that you need to use a steering wheel lock on these cars with keyless go, when the idea of keyless go is that you are too lazy to find your key and push a button. Plus the lock won’t protect valuables.

The best solution is not to have keyless go. Doesn’t make theft impossible, but at least a lot harder. On some cars you can also deactivate the function. And when buying a new car, here’s a pro tip: Order it without and avoid cars that have it. Mine is loaded with a lot of extras, but keyless go was skipped.


And how are insurance companies responding to this “news”? Do owners have the ability to (securely!) disable this “feature”?

I sometimes wonder if RFID is really a net benefit to the world.


My Dodge vehicle has a way to disable the auto-unlock aspects, so that a button has to be pushed on the fob to unlock the doors.


seems you just have to put your key fob in an old crisp packet, works as a Faraday cage apparently !


You’re wrong there. That’s an urban myth – a new crisp/chip packet works just as well. Doesn’t have to be old:


I keep my keys in a metal keybox (with combination) – this acts as a Faraday cage – my phone cannot detect the Trackr I have on the keyring, so I know it provides at least some shielding. It also stops the opportune thief using the low tech method of opening the door (in case we leave it unlocked accidentally) and snatching the keys. Like everything else it is not 100%, but at least mitigates the risk. And I have some limited means of tracking the car – one of the advantages of the “connected car”.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!