What device are thieves using to open cars?
There’s a new form of keyless car theft that works in under 2 minutes
As car owners grow hip to one form of theft, crooks are turning to new ones.
Dan Goodin — Apr 7, 2023 9:24 pm UTC
When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.
It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he stumbled on a new technique called CAN injection attacks.
The case of the malfunctioning CAN
Tabor began by poring over the “MyT” telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.
The error codes showed that communication had been lost between the RAV4’s CAN—short for Controller Area Network—and the headlight’s Electronic Control Unit. These ECUs, as they’re abbreviated, are found in virtually all modern vehicles and are used to control a myriad of functions, including wipers, brakes, individual lights, and the engine. Besides controlling the components, ECUs send status messages over the CAN to keep other ECUs apprised of current conditions.
This diagram maps out the CAN topology for the RAV4:
The DTCs showing that the RAV4’s left headlight lost contact with the CAN weren’t particularly surprising, considering that the crooks had torn off the cables that connected it. More telling was the failure at the same time of many other ECUs, including those for the front cameras and the hybrid engine control. Taken together, these failures suggested not that the ECUs had failed but rather that the CAN bus had malfunctioned. That sent Tabor searching for an explanation.
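The inference in the paragraph above, that many ECUs losing communication at the same moment points at the shared bus rather than at any one unit, can be sketched as a small triage script. This is an added example, not code from the article, Tabor or Toyota; the record format, ECU names, timestamps, the 10-second window and the three-ECU threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not data from the real vehicle):
# (timestamp, reporting ECU, fault kind)
SAMPLE_DTCS = [
    ("2000-01-01T02:11:03", "left_headlight", "lost_communication"),
    ("2000-01-01T02:11:04", "front_camera", "lost_communication"),
    ("2000-01-01T02:11:04", "hybrid_engine_control", "lost_communication"),
    ("2000-01-01T02:11:05", "brake_control", "lost_communication"),
    ("2000-01-02T09:30:00", "wiper", "internal_fault"),
    ("2000-01-06T18:02:10", "front_camera", "lost_communication"),
]


def group_bursts(records, window):
    """Group lost-communication records that fall within `window` of a burst's first record."""
    comm = sorted(
        (datetime.fromisoformat(ts), ecu)
        for ts, ecu, kind in records
        if kind == "lost_communication"
    )
    bursts = []
    for when, ecu in comm:
        if bursts and when - bursts[-1]["start"] <= window:
            bursts[-1]["ecus"].add(ecu)
        else:
            bursts.append({"start": when, "ecus": {ecu}})
    return bursts


def triage(records, window=timedelta(seconds=10), min_ecus=3):
    """Label each burst: several ECUs at once suggests the bus, a single ECU suggests that unit."""
    findings = []
    for burst in group_bursts(records, window):
        verdict = "bus_level" if len(burst["ecus"]) >= min_ecus else "isolated"
        findings.append((burst["start"].isoformat(), sorted(burst["ecus"]), verdict))
    return findings


if __name__ == "__main__":
    for start, ecus, verdict in triage(SAMPLE_DTCS):
        print(start, verdict, ", ".join(ecus))
```

A "bus_level" finding on a parked vehicle, especially alongside physical damage near exposed wiring, is the pattern that led Tabor to look beyond vandalism.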
The researcher and theft victim next turned to crime forums on the dark web and YouTube videos discussing how to steal cars. He eventually found ads for what were labeled “emergency start” devices. Ostensibly, these devices were designed for owners or locksmiths to use when no key is available, but nothing was preventing their use by anyone else, including thieves. Tabor bought a device advertised for starting various vehicles from Lexus and Toyota, including the RAV4. He then proceeded to reverse engineer it and, with help from friend and fellow automotive security expert Ken Tindell, figure out how it worked on the CAN of the RAV4.
Inside this JBL speaker lies a new form of attack
The research uncovered a form of keyless vehicle theft neither researcher had seen before. In the past, thieves found success using what’s known as a relay attack. These hacks amplify the signal between the car and the keyless entry fob used to unlock and start it. Keyless fobs typically only communicate over distances of a few feet. By placing a simple handheld radio device near the vehicle, thieves amplify the normally faint message that cars send. With enough amplification, the messages reach the nearby home or office where the key fob is located. When the fob responds with the cryptographic message that unlocks and starts the vehicle, the crook’s repeater relays it to the car. With that, the crook drives off.
“Now that people know how a relay attack works… car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car),” Tindell wrote in a recent post. “Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: bypassing the entire smart key system. They do this with a new attack: CAN Injection.”
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.
What is relay car theft and how can you stop it?
Relay car theft, or a ‘relay attack’, is when criminals use the keyless entry system of a car against itself by tricking the car into thinking the wireless remote is next to it. It works on cars where you can enter and start the car without using a key. More and more cars use these wireless systems because they remove the bulky lock barrel from the steering column, which is a risk for knee injuries in a crash. They’re also more convenient for drivers.
The start/stop button on this Toyota Land Cruiser means it is at risk of a relay attack
How does a relay attack work?
You need three things:
- Your wireless key within transmitting distance of the car (sometimes up to 100m!)
- A person standing near the key with a device that tricks the key into broadcasting its signal
- A person standing near the car with a receiver that tricks the car into thinking it is the key
The person near the key uses a device to detect the key’s signal. This is relayed to the person holding the receiver near the car, and the car detects the relayed signal as the key itself. It will open and start the car.
How can you stop a relay attack?
For relay car theft to work, your key must be able to be accessed via a wireless transmission. This means that if you put it in a place where it can’t receive a wireless transmission, like a microwave, a metal tin, your fridge or a Faraday sleeve or wallet, it won’t work for the would-be thieves. You can buy Faraday sleeves for your mobile phone to stop them receiving calls and for RFID credit cards to stop them being accessed. They’re usually less than $10.
Therefore, you won’t want to be leaving your key in the hallway overnight as the transmitter signals will pass through walls, doors and windows.
You can also provide physical barriers to thieves such as a wheel lock, locked gates or putting your car in a garage. Tracking devices will help recover your car but they won’t stop it from being stolen. A secondary immobiliser which requires a PIN to start adds another layer.
To recap, here’s how you reduce the risk of becoming a victim of a relay attack:
- Put your keys where they can’t transmit or receive
- Make sure your car is locked
- Add physical countermeasures
- Add a tracking device
- Keep your keys out of sight
- Make sure you have insurance
What vehicles are at risk?
Any vehicles with a push-button start are at risk. This includes almost all new cars and many new vans. Push-button start has been readily available on even mid-range cars for more than 5 years. Carmakers are working on systems to thwart the thieves, but it’s likely that existing models will remain vulnerable. The measures that are being worked through are part of broader measures to ensure data security.
Darren is an expert on driving and transport, and is a member of the Institute of Advanced Motorists
Keyless Car Crime: How To Thwart The Thieves
Over the past five years the number of stolen vehicles has almost doubled, according to Home Office figures, and it seems that keyless car technology could be significantly to blame.
New research from insurer LV= shows that, in each of the last four years (2016-19), insurance claims for car theft have jumped by 20%, with keyless car theft accounting for a large proportion of the claims.
An increasing number of cars are now fitted with keyless entry which allows you to unlock and start your car without having to faff about with a bunch of keys. But while many might assume that a modern car with the latest tech features would be better protected against theft, keyless cars can in fact be more vulnerable to ‘tech-savvy’ criminals.
How does keyless technology work?
Keyless entry works by using a keyless fob that uses short-range radio waves. The fob transmits a signal which is picked up by a receiver in your car. If the signal is recognised, the car doors unlock (in some cases you may have to press a button). A similar process is then used to start the car.
Although this type of keyless technology is hugely convenient, at the same time it can make your vehicle more vulnerable to theft. Through what’s known as a ‘relay attack’, criminals use widely available signal relay devices to ‘trick’ the car into thinking the correct device is present (when it may actually be metres away inside your house) by amplifying its signal.
Footage from front-door household security cameras has emerged showing thieves using devices to capture the signals from fobs perhaps left on a table in the hallway or in a jacket pocket. As soon as the thieves get access, the car can be driven off in seconds.
Rising claims
The figures from LV= show that luxury car makes such as Audi, BMW, Jaguar, Land Rover, Lexus, Mercedes, Porsche and Tesla are increasingly affected by keyless theft, accounting for almost half (48%) of all ‘theft of’ vehicle claims.
In addition, the number of claims involving theft of parts or of possessions from vehicles has also risen sharply (140%) over the past four years, with the most common target being catalytic converters. Thieves love these because of their precious metal content.
Metropolitan areas the worst
The LV= data also indicates that vehicle crime has risen the most across the UK’s main metropolitan areas. Vehicle theft claims have jumped by 265% in London in the past four years, and over 100% in London, Birmingham, Nottingham and Greater Manchester.
What is the car industry doing to help?
Consumer group Which? has been calling for more stringent security on keyless entry cars and recently contacted the manufacturers of 33 car brands to find out what they were doing. It reported that only two brands had implemented security fixes across their entire range and 14 brands had not done anything at all.
Meanwhile, vehicle safety and security experts Thatcham Research awarded ‘poor’ ratings to the following car models with keyless systems after security engineers were able to access and start the vehicle using relay attack equipment:
- Mazda CX-30
- MG HS Excite T-GDI
- Subaru Forester e-Boxer XE Premium
- Vauxhall Corsa Ultimate Turbo 100
On a positive note, some car manufacturers are now fitting new fobs with a motion sensor that deactivates the signal when the key is not in use. However, Richard Billyeald, chief technology officer at Thatcham, warns that while this is a “good, short-term fix, [it] is not the ultimate solution to the keyless vulnerability which should be designed out of new vehicles completely in the future”.
He advises anyone buying a new car to “go into the dealership with their eyes open to keyless security and if they do intend to specify the system, ask if a fix has been introduced”.
In other words, don’t be fobbed off.
How can I protect my car?
To help keep your car secure and reduce the chance of being a victim of keyless entry theft, take a look at the tips below:
- Be careful where you put your key fob: keep it as far away from the vehicle as you can, as well as away from the windows and doors in your home. It can be a good idea to invest in a protective Faraday bag to prevent the fob from sending out digital signals, or alternatively store the fob in a metal container such as a biscuit tin.
- Lock your vehicle: even if you’re only going to be away from your car for a couple of minutes – to pay for parking, for example – always lock your car. Make sure it’s double locked and all security features are enabled by pressing your key fob twice.
- Invest in security measures: this could be as simple as fitting a steering wheel lock or a wheel clamp or, if you have a hybrid vehicle, fitting a specific catalytic converter lock which makes it harder for thieves to remove the part. It’s also worth investing in a tracker system, such as a Thatcham approved device, if you don’t already have one.
- Watch out for hackers: many vehicles require log-in details or use smartphone apps to make the most of new features, such as connected maps or news reports which are beamed onto the infotainment screen. Always use strong passwords for any online account and never give anyone access to your car app or portal account.
Heather Smith, managing director at LV= GI, says: “Consumers need to keep on top of new innovations and take extra precautions to ensure they stay one step ahead of criminals who may try and take advantage of them, and their cars.
“The police can only do so much, so it’s vital that drivers do everything they can to protect their vehicle, especially those driving a luxury or prestige car that is likely to attract attention.
“Most car theft happens near people’s homes, but with a better understanding of the technology and a few simple security measures, you can make your car a lot less appealing to thieves.”