'Mystery Device' Unlocks and Starts Over 50 Percent of Tested Vehicles

by Steph Willems

Over the past two years, we’ve brought you in-depth coverage of a crop of shadowy gadgets designed to give thieves access to parked vehicles.

Like most tools of the trade, the gadgets are very similar, using the same principle to achieve the same result — unlocking a parked vehicle by sending signals to the car’s own keyless-entry system. For vehicles with a push-button ignition, the same gadgets can sometimes start the vehicle, giving the thief an instant lifestyle upgrade.

Now, a “mystery device” purchased by the National Insurance Crime Bureau (NICB) has revealed just how vulnerable an average vehicle is to these high-tech slim jims.

The device obtained by NICB was purchased by a third-party security expert from an overseas company. It uses the same technology and principle as the mystery gadgets seen in the hands of thieves in recent security camera footage and eyewitness reports. (TTAC has detailed how the technology works here and here.)

Apparently, the buy wasn’t a sketchy, late-night parking garage trade. The “overseas company” reproduced the device for automakers and anti-theft companies to test vehicle vulnerability, so there’s no legal grey area on the NICB’s end. Called a “relay attack” unit, the device only works on vehicles with keyless entry and push-button ignition.

For real-world unscientific testing, NICB partnered with auto retailer CarMax, rather than have one of their guys roam around side streets and parking lots in search of test subjects. The bureau wanted to know four things: whether the device could unlock a car, start the vehicle, drive it away, and turn off and restart the vehicle without the manufacturer’s keyless fob. The results were surprising.

According to NICB, “Tests were also done at a new car dealership, an independent used car dealer, at an auto auction and on NICB employee vehicles and ones owned by private individuals.”

When tested on 35 different makes and models, the device unlocked 54 percent of the vehicles. It also allowed the “thief” to drive away in 51 percent of them. Once the vehicles that drove away were turned off, the device was able to restart the engine in 34 percent of them. (NICB notes that four new Chevrolets successfully repelled the device.)

“We’ve now seen for ourselves that these devices work,” NICB president and CEO Joe Wehrle said in a statement. “Maybe they don’t work on all makes and models, but certainly on enough that car thieves can target and steal them with relative ease. And the scary part is that there’s no warning or explanation for the owner. Unless someone catches the crime on a security camera, there’s no way for the owner or the police to really know what happened. Many times, they think the vehicle has been towed.”

It’s hard to protect against a relay attack, as the device simply amplifies and relays the signal from the vehicle’s proximity key. The vehicle is fooled into unlocking itself. It’s now up to automakers to design countermeasures against the technology, which can be built from aftermarket or used electronics.
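An added example, not from NICB or the original article: a minimal Python model of why relaying works even when the fob and car share a secret and use a fresh challenge every time, and of one possible countermeasure, a fob that stops answering after it has sat motionless. The HMAC challenge-response, the class and function names, and the 120-second idle limit are assumptions for illustration, not any automaker's protocol.

```python
import hashlib
import hmac
import os

IDLE_LIMIT_S = 120  # assumed: a motion-gated fob sleeps after 2 minutes at rest

class Fob:
    def __init__(self, key, motion_gated=False):
        self.key = key
        self.motion_gated = motion_gated
        self.last_motion = 0.0  # time the fob last detected movement

    def respond(self, challenge, now):
        """Answer the car's challenge, or stay silent (None) when asleep."""
        if self.motion_gated and now - self.last_motion > IDLE_LIMIT_S:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, key):
        self.key = key

    def try_unlock(self, channel, now):
        """Send a fresh random challenge over `channel` and verify the reply."""
        challenge = os.urandom(16)
        reply = channel(challenge, now)
        if reply is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply, expected)

def out_of_range(challenge, now):
    """Fob is indoors: the car's short-range challenge never reaches it."""
    return None

def relayed(fob):
    """Relay pair: carries challenge and reply unchanged and needs no key."""
    return lambda challenge, now: fob.respond(challenge, now)

def scenario(motion_gated, fob_idle_s):
    """Same parked car and indoor fob, tried without and with a relay."""
    key = os.urandom(32)
    fob, car = Fob(key, motion_gated), Car(key)
    now = fob.last_motion + fob_idle_s
    return {"no_relay": car.try_unlock(out_of_range, now),
            "with_relay": car.try_unlock(relayed(fob), now)}
```

`scenario(False, 3600)` unlocks through the relay because the reply is genuine and the car has no way to tell how far it travelled; `scenario(True, 3600)` does not, but `scenario(True, 30)` still does, so motion gating only protects a fob that is at rest.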

Right now, the only advice from NICB is to keep valuables out of sight and always take your fob into the house. Bring the garage door opener, too.


Comments
  • Vulpine on Dec 08, 2016

    I'm reading a number of misperceptions above, though there may already be some correcting comments in response. I live in range of a number of Philadelphia radio stations and will note that the issue is bigger than you might imagine. Interestingly, the more common victims of this method of attack are in high-value communities... areas where the average home is in the million-dollar range--for obvious reasons. In essence, the relay only needs to get close enough to the key fob to amplify its signal to the receiver in the car. Assuming, for the moment, that it's a two-way communication (the car constantly seeks the fob until it's close enough to respond), the user of this device may only need to get ten or twenty feet closer to the fob to trigger the fob's response and then carry that 'echo' back to the car, which has already unlocked itself. Then, as long as the fob is still relaying the echo, the car will start in the driveway. Here's where things may differ, depending on brand and model. In some cases, when the car gets a certain distance away from the fob, it will shut itself down, the relay device supposedly not carrying the received code while others may keep running until it loses a signal entirely, which the relay device probably has a means to at least keep a carrier signal if not the code itself. This is definitely an issue but one that may have numerous resolutions of which one person's suggestion of a signal-blocking box in the home would be a simple and obvious, though somewhat annoying fix. Most people won't bother to take their keys out of their pocket or purse to drop them in a box overnight or, if they do, may well forget to grab them the next day and end up locking themselves out of both car and home in the process. An alternate fix might be to install a motion-sensitive switch on the key fob that prevents any sending if the fob is motionless beyond a certain set time. 
    When the key is in a purse overnight or at the office, then the fob won't even bother to send its signal (saving battery) and make it less likely for the relay to sense a signal to unlock the vehicle. A pocket would be valid overnight when the owner is asleep though less so as long as the owner is moving around the home (once dressed.) A manual on/off switch would serve a similar purpose. Remember, any automated system would be susceptible to this or similar reverse-engineered hacking device. One way or another there needs to be a manual override that can lock down or at the least notify the owner if the vehicle is moving without permission. A third-party transponder operating at a different frequency (individually selectable) or a switch/display requiring an alphanumeric password on entering the car might help to minimize the theft of the vehicle itself but if you want to prevent or limit access entirely then we might need to revert to a physical key. I can think of several different ways to make access more difficult for the thief but they all involve making said access more difficult for the owner, too.

    • Vulpine on Dec 09, 2016

      @Scoutdude Kind of the point though, don't you think? Now consider the article that came out earlier this week about the BMW that became a prison for the man who stole it. There ARE ways to minimize the problem but you have to keep in mind that anything man can create, man can figure out how to mis-use... and will. Now, honestly there's a huge convenience factor in having these systems. The problem with convenience is that it tends to make people complacent. But worse, it makes things even easier for those who prey on others who become complacent. 100 years ago, nobody even considered locking their doors when they were leaving the house to go shopping. Sure, there were sneak-thieves and cat-burglars, but they were relatively uncommon and people had the mindset that, "Oh, it won't happen to me," until it did. Of course, conversely as time progressed and such things as car thefts became more common, people started locking their doors to reduce that risk, creating a separate problem that now inconvenienced them on the occasion where they locked their keys inside the car (did that myself once a long time ago, now insure I have a second set of keys available, one way or another.) With these devices now, it's like you never locked your car in the first place. No. What is needed now is a way for the owner to personalize the key fob outside of the default lock/unlock code; a way for the vehicle to know when it has gone beyond a permissible distance from the owner and disable itself. Even limiting power or speed to, say 15mph, would be enough to force the joyrider to abandon the vehicle and even a more determined thief would have second thoughts about driving it any significant distance. It wouldn't necessarily prevent the break-ins, but taking personal gear out of the car or at least having it hidden will reduce the risk. While the interior of a car may be considered "personal space," that doesn't mean you can live out of your car as though it were home. 
      Then again, as I recall some horse-thievery laws are still on the books. Maybe cars need to be designated the same as horses and simply hang the car thief, hmmm?

  • Mulry on Dec 10, 2016

    Could this device be defeated by placing one's keys inside a small Faraday cage inside one's house? No signal = no signal to amplify and exploit.
