Skip to content
Naked Security Naked Security

New ratings point to keyless cars that can stand up to relay attacks

Researchers rated six of the 11 newly launched cars as being easy to open up and drive off with a cheap relay device anyone can buy online.

Do you dislike the idea of standing in an empty driveway that should be occupied by your car, obediently waiting to unlock after you chirp-chirp your keyfob at it?

If so, you might want to take a gander at the security ratings for new cars put out by Thatcham Research, a nonprofit insurer research center in the UK.

Thatcham rated 11 cars that were launched so far in 2019 and plans to continue to assess new cars for security. It rated six of those 11 cars as being poor for security.

Specifically, it’s looking at those wireless keys: matchbox-sized fobs that have proven woefully susceptible to what’s known as relay attacks.

That’s when thieves use two relay devices that are capable of receiving, and extending, wireless signals from the car through walls, doors and windows, to reach the fob inside a car owner’s house. The relay devices are cheap to pick up online.

Standing next to the car, they just have to scan for signals transmitted by the wireless keys and then amplify them to open the cars, hop in and drive off.

Is your car a wireless sitting duck?

Thatcham got good results from the Audi E-tron, Jaguar XE, Range Rover Evoque and Mercedes-Benz B-Class: cars with wireless fobs that resist the attacks by either using more secure wireless technology or by going to sleep when they haven’t been used for a set time.

Thatcham Research chief technical officer Richard Billyeald told WhatCar? that Thatcham focused on relay attacks because they’re so good at blowing past whatever car manufacturers have done to boost security:

We’re focusing on keyless theft in particular because it gives thieves the ability to bypass 20 years of security improvements in a matter of seconds.

Precisely, that would be about 60 to 90 seconds, as we’ve seen in recent car thefts.

From zero to “poof!” in 60-90 seconds

CCTV footage of a relay attack captured in the UK in December 2017 shows one of the thieves standing near the victim’s property, waving a relay device until he gets a signal from a key fob inside the house or garage. The other thief stood near the car with his own relay box, which receives the signal from the relay box near the property. The car sniffs the unlock-me signal that’s close by, and it obligingly unlocks the door.

That one took about 60 seconds. This past November, the rip-off of a Volvo from a London couple took around 90 seconds, as we know from the CCTV footage captured after the poor people had a camera installed… which they did following the same exact thing happening to the same type of car a year before.

Not everybody’s a fan of the ratings

WhatCar? reports that the Society of Motor Manufacturers and Traders (SMMT) isn’t a big fan of Thatcham’s new ratings. It quoted CEO Mike Hawes, who seems to think that security via obscurity is a better approach:

It confuses rather than simplifies a very complex issue and will not help consumers, rather offering a signpost to thieves and increasing the risk of targeted criminal activity.

Hawes defended the auto industry’s work on this:

New cars are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen.

Criminals will always look for new ways to steal cars; it’s an ongoing battle and why manufacturers continue to invest billions in ever more sophisticated security features.

That’s good to hear. Still, if it were me staring at the empty driveway where I left my second new Volvo the night before, I’d be quite interested in hearing which car brands have come up with ways to thwart relay attacks.


Quite simply a foolish design to rely on proximity alone to unlock a device, such as a car. This design seems no different than using ‘only’ biometrics to secure data. Give more control to the owner, in this case, by at least requesting a button press, please.


Always requiring a keypress defeats the purpose of a feature most people do want. Most manufaturers already offer that by the way: In the manual there is usually a way to deactivate keyless in case your house or the bar you are in is not far enough from your car to keep it locked.
So why not just implement it right instead? Simply add an accelerometer, and if the fob is not moved for a minute, deactivate communication. Only if moved again reactivate it.
This should defeat the most common attack: Key placed near door at home at night. Might not help against someone in a bar holding a backpack with a repeater near you, but I’d say that is okay, since pre-scounting and targeted theft is still impossible.


Agreed re implement it right. But adding further technology to overcome the weaknesses or vulnerabilities implemented in the previous technology seems a little overkill or cat ‘n’ mouse. Keep it simple. And quite often, what most people want, isn’t always what’s right or most effective. But this is how we learn…


If you can’t turn off the fob, don’t buy the car. We own two Toyotas and the first thing we do after we park either car is lock it and turn off the fob.


Random thoughts to resolve existing car’s security.
Recycle; couple year old cell phone with motion detection and tracking software, wired to the car to keep it charged. (I’m planning to do this)
Maybe add 2fa to your cars ignition, by BT detection of your current phone or other device? Voice/command authentication once in to start it. Or at least the easy to reach yet hidden kill switch.


Amazon sell a tracking device, just add a SIM card. I have one, it’s small and works well.


Keeping your fobs in a faraday bag would prevent this as well. $20 seems like a small price to pay to ensure your car remains parked where you left it. Realistically, $0.10 worth of aluminum foil would do the trick as well.


Your link for “German General Automobile Club (ADAC) tested 237 keyless cars” goes to a news article that itself doesn’t link to the study.


I removed that reference. Thanks for letting us know.

(I found an ACAC summary article [auf Deutsch] but the link to the PDF on their own page didn’t work, so I still haven’t found [inadvertent U2 joke coming] what I’m looking for.)


I would have thought that a fairly simple defence against this sort of hack would be to add a motion sensor to the keyfob, and if there is no motion, then the key goes to sleep and does not respond to pings from the car. This would save the battery when the car’s owner is asleep and the key on their nightstand, and it would prevent thefts in the dead of night.

It would not be perfect, as more brazen thieves could launch their attacks during the day, when the owner is awake and moving about in their house, but it would be a cheap and simple step in the right direction, and would be helpful even with more complex technical solutions such as measuring round trip time.


This fails for the simple reason that the absence of motion doesn’t mean the car is meant to be off. It could be stuck in traffic, along with its owner. It could be on a performance test dynamometer.

The opposite holds true, too. The presence of motion doesn’t mean the fob should be on, as when the car operator is on a ferry or walking laps around the neighborhood, with keyring and fob in the pants pocket.

Motion sensors help kill smartwatch batteries in less than a week, even when just sitting on a shelf with radios off.


The problem the OP was trying to solve is that of the fob being tricked into unlocking the car while it is some distance away inside your house and you are asleep.

When the owner is inside the car and stuck in traffic, or has just driven his car into a dynamometer (something that the vast majority of owners do zero times in their lives), then the car is already unlocked and there is no problem to solve.

As for a motion sensor “killing batteries in a week”, then just turning the fob off automatically after N minutes of no motion (needing a button press to reawaken it) would solve that entirely.

Another solution would be some sort of 2FA as an anti-relay attack, thus giving proof of proximity. For example, for the fob to work you could require the user to insert a secure token into a slot on the car door at the same time. You could make the token out of metal for robustness, and you could require the user to rotate it 45 degrees and back to prevent false triggers. You could even cut the metal into cool-looking wavy shapes for artistic effect! It would be almost as good as having a key!


The basic problem is that keyless entry was never intended as a means to start or operate vehicles. The original purpose of keyless entry was only to make it easy for consumers to approach their vehicle and have the doors unlock, if hands were occupied with groceries or babies. Early cars were started by means of a starter button; the ignition key was invented to solve the problem of theft, as anyone, until then, could enter your vehicle and push a button to steal it. Combining the two technologies, a keyless entry fob and a starter button, is just stupidity. It’s a step backward. That’s the flaw keys (“metal tokens”) can fix, once again. Instead of fixing a broken, mispurposed technology with more technology, just bring back ignition keys.


Similar problem exists for aromatic Garage door openers..A simple solution would be to keep your key fob in a ef secure draw at night similar to the wallet guards for credit cards


That’s far too simple as a solution. Luckily my car is too old to use that button-free approach anyway so it’s all academic.


A fuel or ignition kill switch is the most simple way to immobilize a vehicle. It can be implemented with a remote start system, alarm system, or an inexpensive ($10) hidden switch in the vehicle (under the seat, in glove box, etc). While nothing is hacker-proof, this low-tech solution mitigates the flaws of keys and keyless fobs. Of course, this stops amateurs; professionals use tow trucks.


Here’s a solution. Simple mercury switch. The fob is always active unless it is placed on its back – which is moulded flat. Mercury switch means fob is inactive unless on its back purely for the unlock feature.


Any sort of motion sensor would do the trick. (It wouldn’t use mercury these days, of coure. It would be a MEMS – microelectromechanical system – device like the gyroscope and accelerometer in your phone or the temperature sensor in your Garmin.)


I’m sure the automakers have taken note and will make some design changes that make sense. Its unfortunate that our society puts up with the car thieves and criminals in the first place. If there’s no consequences
then nothing will change. To make things even worse the big liberal cities are now de-criminalizing theft. Absolute insanity! Lord help us.


Surely you would have to be a total idiot to buy a car with literally an open door to thieves in the first place. It beggars belief that customers are so stupid to spend tens of thousands on cars with such backward security installed. How about giving people the option of buying much safer cars which have “remote entry” where you have to actually press a button to unlock the doors and a key to turn on the ignition? People who are too lazy to do that deserve to have their cars go missing, it bumps up the insurance premuims for more intelligent people.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!