
RFID repeater used to steal Mercedes with keys locked inside a house

Relay attacks intercept a fob's signals, trick the car into unlocking, and can even be used to drive it away, without a key or a scratch.

Do you own a Mercedes or other fancy car that starts with a keyless fob – and which you’d rather not see thieves drive off in?

Do you own a refrigerator?

If you answered “yes” to both those questions, congratulations! You might not have to stand outside in your slippers, sobbing over a sadly empty parking spot! “Might” because, well, researchers aren’t entirely sure how much metal shielding you need to create a Faraday cage to block key fobs’ “unlock me/start me up!” radio signals.

Why does this matter? Because police in the UK posted a surveillance video on Sunday, showing thieves mysteriously opening and getting into a Mercedes in short order, without a key.

Actually, it’s not all that mysterious. The video depicts a so-called relay attack. It’s well-known. We’ve seen plenty of them over recent years in this, the age of the keyless fob and the relay boxes and signal boosters that steal their signals.

The most recent case is this one in the West Midlands, UK. In the CCTV footage above, two men pull up outside the victim’s house. They’re both carrying relay boxes. West Midlands Police note that the devices are capable of receiving signals through walls, doors and windows, but not metal.

One of the men stands near the victim’s property, waving the device until he gets a signal from a key fob inside the house or garage. The other thief stands near the car with his relay box, which receives the signal from the relay box near the property. The car sniffs the unlock-me signal that’s close by, and it obligingly unlocks the door.

Police think this is the first time such a theft has been captured on CCTV in the West Midlands.

The whole thing took about a minute. Police say that they haven’t yet recovered the Mercedes, which was stolen overnight on 24 September 2017 in the Elmdon area of Solihull, near Birmingham, UK.

A relay box works by extending the reach of the signal from the car keys inside the house, so the car's system is tricked into believing the actual key is right beside it. That's why the car alarm in the Solihull case didn't go off: as far as the car was concerned, the owner was unlocking it.
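To make the point concrete, here is a toy model of why the relay works and what stops it. This is an added illustration, not code from Naked Security or from any car maker: the challenge/HMAC exchange, the timing figures and the names (Fob, Car, direct_channel, relay_channel) are all constructed assumptions, not a description of any real vehicle. The model shows that the relayed bits still verify cryptographically (the car has no way to tell from the message alone), and that the two mitigations the article and its readers discuss are the ones that actually work: a fob that is switched off or shielded produces nothing to relay, and a car that bounds the round-trip time (the standard "distance bounding" countermeasure from the research literature) rejects the extra latency the relay legs introduce.

```python
"""Toy model of a keyless-entry relay attack and two defences against it.

Added illustration; not the article's or any manufacturer's code. The protocol
(car challenge, fob HMAC response) and all timing numbers are constructed.
"""
import hashlib
import hmac
import os

# Shared secret provisioned into car and fob at manufacture (constructed value).
SHARED_KEY = b"example-fob-key-not-real"

# Constructed propagation figures, in microseconds. A fob held next to the car
# answers almost instantly; each relay box adds receive/re-transmit/link latency.
LEGIT_RTT_US = 5.0
RELAY_EXTRA_US = 40.0      # latency added by each of the two relay boxes
RTT_LIMIT_US = 20.0        # distance-bounding threshold the car enforces


class Fob:
    """Key fob: answers any challenge it can hear with an HMAC over it."""

    def __init__(self, key: bytes, asleep: bool = False):
        self.key = key
        self.asleep = asleep    # "turned off", or sitting in a Faraday cage

    def respond(self, challenge: bytes):
        if self.asleep:
            return None         # nothing transmitted, so nothing to relay
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def direct_channel(fob: Fob, challenge: bytes):
    """Owner standing at the car: (response, round-trip time in us)."""
    return fob.respond(challenge), LEGIT_RTT_US


def relay_channel(fob: Fob, challenge: bytes):
    """Two relay boxes carry the challenge to the house and the answer back.
    The bits are untouched, so the HMAC still verifies; only the timing changes."""
    resp = fob.respond(challenge)
    return resp, LEGIT_RTT_US + 2 * RELAY_EXTRA_US


class Car:
    def __init__(self, key: bytes, enforce_rtt: bool):
        self.key = key
        self.enforce_rtt = enforce_rtt

    def try_unlock(self, channel, fob: Fob) -> bool:
        challenge = os.urandom(16)
        resp, rtt = channel(fob, challenge)
        if resp is None:
            return False        # no fob heard at all
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(resp, expected):
            return False        # wrong key
        if self.enforce_rtt and rtt > RTT_LIMIT_US:
            return False        # cryptographically valid, but too far away
        return True


def scenario_table():
    """Return {scenario: unlocked?} for the cases the article discusses."""
    fob = Fob(SHARED_KEY)
    sleeping_fob = Fob(SHARED_KEY, asleep=True)
    naive_car = Car(SHARED_KEY, enforce_rtt=False)
    bounded_car = Car(SHARED_KEY, enforce_rtt=True)
    return {
        "owner at car, naive car": naive_car.try_unlock(direct_channel, fob),
        "relay, naive car": naive_car.try_unlock(relay_channel, fob),
        "relay, fob switched off / shielded": naive_car.try_unlock(relay_channel, sleeping_fob),
        "owner at car, distance-bounding car": bounded_car.try_unlock(direct_channel, fob),
        "relay, distance-bounding car": bounded_car.try_unlock(relay_channel, fob),
    }


if __name__ == "__main__":
    for name, opened in scenario_table().items():
        print(f"{name:38s} {'UNLOCKED' if opened else 'stays locked'}")
```

The naive car opens for the relayed exchange because nothing in the message distinguishes a fob two metres away from one forty metres away behind a wall; the only observable difference is time, which is exactly what a round-trip bound measures. Real cars that implement such bounds use far tighter thresholds and dedicated radio hardware, so treat the numbers above as illustration only.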

Here’s an example of it happening in Germany:

Here’s 2016 CCTV footage from Houston, Texas:

And here’s a video from the National Insurance Crime Bureau (NICB) featuring newscasters talking about relay attacks in California:

…and featuring NICB researchers who bought a relay attack unit to see how easy it is to steal a car with one.

TL;DR: It’s very easy.

As the NICB notes, it used to be the case that relay attacks would only unlock cars. But now you can not only get in; you can start that pretty little ride and take it for a spin.

The NICB tested a device on over 35 cars, minivans, SUVs and a pickup truck over a two-week period last year. The relay attack unit – you can buy these things online – opened 19 out of the 35 cars tested. It started 18 of those 19 cars. With two-thirds of those cars, NICB researchers could not only start the cars and drive them away; they could also turn them off and restart them, as long as the device was inside the vehicle.

The attack devices vary in signal range and price, with powerful units fetching hundreds of dollars.

In addition, the Berlin-based automobile club ADAC in March 2016 released a study in which it reported that thieves could use a $225 signal booster – in the same ballpark as a relay box – to fool cars into thinking their owners are nearby, allowing them to easily unlock the cars and start them up: a silent theft that doesn’t leave a scratch.

Here’s an idea: try storing your keys in the refrigerator, or the microwave, or whatever other Faraday cage you’ve got kicking around. It would be nice to find out if such cages are strong enough to keep the thieves from driving off with your wheels: if somebody gets your car even with your keys tucked in beside the ice cream, let us know!


17 Comments

Damn, guess it’s time for 2FA for cars.

Reply

Here’s an idea: put a slot in the car door next to the handle into which you have to insert a metal authentication token cut into a unique shape, and then turn it to the left or right to prove your presence…

Reply

Duck, that’s an amazing idea! Next you’ll see them apply it to houses. I know we’re not supposed to solicit here, but please link to your kickstarter.

Reply

This is nothing new. We turn our keys off after locking up the cars. I don’t know if the Mercedes keys are able to be turned off, but when we car shopped, that was one feature we looked for.
You can’t relay what isn’t there.

Reply

Speak for yourself. Just last week I watched someone pull up to their bank, step out of their running car, beep it “locked” while it continued to run (presumably keyless), and walk into the bank. Nothing like a warm car to return to after conducting a 10 minute banking transaction…

I like Paul’s idea for some good old fashioned security.

Reply

“…if somebody gets your car even with your cars tucked in beside the ice cream, let us know!” Even in America, fridges aren’t large enough to accommodate both the ice cream and one or more cars ;-)

Reply

OOPS! We’ll get that fixed, thank you!

Reply

It’s fixed… although I’m not sure you’re right about those American fridges.

Reply

You get the rather peculiar irony of drive-through liquor stores in Australia. Drivers park amongst the fridges, if not exactly inside them, while buying their slabs of coldies and their cases of chilled Chardonnay. Does that count?

Reply

It’s ironic that you need to use a steering wheel lock on these cars with keyless go, when the idea of keyless go is that you are too lazy to find your key and push a button. Plus the lock won’t protect valuables.

The best solution is not to have keyless go. Doesn’t make theft impossible, but at least a lot harder. On some cars you can also deactivate the function. And when buying a new car, here’s a pro tip: Order it without and avoid cars that have it. Mine is loaded with a lot of extras, but keyless go was skipped.

Reply

And how are insurance companies responding to this “news”? Do owners have the ability to (securely!) disable this “feature”?

I sometimes wonder if RFID is really a net benefit to the world.

Reply

My Dodge vehicle has a way to disable the auto-unlock aspects, so that a button has to be pushed on the fob to unlock the doors.

Reply

Seems you just have to put your key fob in an old crisp packet, works as a Faraday cage apparently!

Reply

You’re wrong there. That’s an urban myth – a new crisp/chip packet works just as well. Doesn’t have to be old:

https://nakedsecurity.sophos.com/2017/12/04/man-blocks-employers-tracking-with-chip-packet-plays-140-rounds-of-golf/

Reply

I keep my keys in a metal keybox (with combination) – this acts as a Faraday cage – my phone cannot detect the Trackr I have on the keyring, so I know it provides at least some shielding. It also stops the opportune thief using the low tech method of opening the door (in case we leave it unlocked accidentally) and snatching the keys. Like everything else it is not 100%, but at least mitigates the risk. And I have some limited means of tracking the car – one of the advantages of the “connected car”.

Reply
