'Mystery Device' Unlocks and Starts Over 50 Percent of Tested Vehicles

by Steph Willems

Over the past two years, we’ve brought you in-depth coverage of a crop of shadowy gadgets designed to give thieves access to parked vehicles.

Like most tools of the trade, the gadgets are very similar, using the same principle to achieve the same result — unlocking a parked vehicle by sending signals to the car’s own keyless-entry system. For vehicles with a push-button ignition, the same gadgets can sometimes start the vehicle, giving that thief an instant lifestyle upgrade.

Now, a “mystery device” purchased by the National Insurance Crime Bureau (NICB) has revealed just how vulnerable an average vehicle is to these high-tech slim jims.

The device obtained by NICB was purchased by a third-party security expert from an overseas company. It uses the same technology and principle as the mystery gadgets seen in the hands of thieves in recent security camera footage and eyewitness reports. (TTAC has detailed how the technology works here and here.)

Apparently, the buy wasn’t a sketchy, late-night parking garage trade. The “overseas company” reproduced the device for automakers and anti-theft companies to test vehicle vulnerability, so there’s no legal grey area on the NICB’s end. Called a “relay attack” unit, the device only works on vehicles with keyless entry and push-button ignition.

For real-world unscientific testing, NICB partnered with auto retailer CarMax, rather than have one of their guys roam around side streets and parking lots in search of test subjects. The bureau wanted to know four things: whether the device could unlock a car, start the vehicle, drive it away, and turn off and restart the vehicle without the manufacturer’s keyless fob. The results were surprising.

According to NICB, “Tests were also done at a new car dealership, an independent used car dealer, at an auto auction and on NICB employee vehicles and ones owned by private individuals.”

When tested on 35 different makes and models, the device unlocked 54 percent of the vehicles. It also allowed the “thief” to drive away in 51 percent of them. Once the vehicles that drove away were turned off, the device was able to restart the engine in 34 percent of them. (NICB notes that four new Chevrolets successfully repelled the device.)

“We’ve now seen for ourselves that these devices work,” NICB president and CEO Joe Wehrle said in a statement. “Maybe they don’t work on all makes and models, but certainly on enough that car thieves can target and steal them with relative ease. And the scary part is that there’s no warning or explanation for the owner. Unless someone catches the crime on a security camera, there’s no way for the owner or the police to really know what happened. Many times, they think the vehicle has been towed.”

It’s hard to protect against a relay attack, as the device simply amplifies and relays the signal from the vehicle’s proximity key. The vehicle is fooled into unlocking itself. It’s now up to automakers to design countermeasures against the technology, which can be built from aftermarket or used electronics.

Right now, the only advice from NICB is to keep valuables out of sight and always take your fob into the house. Bring the garage door opener, too.
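The relay mechanism described above, modelled as an added example (not from the article or NICB): a fresh-nonce challenge-response still passes when the messages are merely forwarded, unless the car also bounds the round-trip time. The HMAC protocol, the 2 m radius, the processing time and all class names are assumptions for illustration, and round-trip bounding is a known class of countermeasure the article does not name.

```python
import hashlib
import hmac
import os

C = 299_792_458.0    # speed of light, m/s
MAX_RANGE_M = 2.0    # assumed radius within which the car accepts a fob
FOB_PROC_S = 1e-6    # assumed fixed fob processing time

class Fob:
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Channel:
    """Radio path from car to fob; relayed=True models the amplify-and-forward link."""
    def __init__(self, fob, distance_m, relayed=False, relay_delay_s=0.0):
        self.fob, self.distance_m = fob, distance_m
        self.relayed, self.relay_delay_s = relayed, relay_delay_s
    def exchange(self, challenge):
        if not self.relayed and self.distance_m > MAX_RANGE_M:
            return None, None          # out of range: the fob never hears the car
        rtt = 2 * self.distance_m / C + FOB_PROC_S + 2 * self.relay_delay_s
        return self.fob.respond(challenge), rtt

class Car:
    def __init__(self, key, bound_rtt):
        self._key, self.bound_rtt = key, bound_rtt
    def try_unlock(self, channel) -> bool:
        challenge = os.urandom(16)     # fresh nonce, so recorded answers are useless
        response, rtt = channel.exchange(challenge)
        if response is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False
        if self.bound_rtt:             # reject answers that took too long to arrive
            return rtt <= 2 * MAX_RANGE_M / C + FOB_PROC_S
        return True

def run_scenarios() -> dict:
    key = os.urandom(32)               # constructed shared secret
    fob = Fob(key)
    legacy, bounded = Car(key, False), Car(key, True)
    near, far = Channel(fob, 1.0), Channel(fob, 30.0)
    relay = Channel(fob, 30.0, relayed=True)
    return {"near": legacy.try_unlock(near), "far": legacy.try_unlock(far),
            "relay_legacy": legacy.try_unlock(relay),
            "near_bounded": bounded.try_unlock(near),
            "relay_bounded": bounded.try_unlock(relay)}
```

The relayed fob answers with a valid response because it holds the real key, which is why the cryptography alone does not help; only the extra propagation time gives the relay away.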

4 of 67 comments
  • Vulpine on Dec 08, 2016

    I'm reading a number of misperceptions above, though there may already be some correcting comments in response. I live in range of a number of Philadelphia radio stations and will note that the issue is bigger than you might imagine. Interestingly, the more common victims of this method of attack are in high-value communities... areas where the average home is in the million-dollar range--for obvious reasons. In essence, the relay only needs to get close enough to the key fob to amplify its signal to the receiver in the car. Assuming, for the moment, that it's a two-way communication (the car constantly seeks the fob until it's close enough to respond), the user of this device may only need to get ten or twenty feet closer to the fob to trigger the fob's response and then carry that 'echo' back to the car, which has already unlocked itself. Then, as long as the fob is still relaying the echo, the car will start in the driveway. Here's where things may differ, depending on brand and model. In some cases, when the car gets a certain distance away from the fob, it will shut itself down, the relay device supposedly not carrying the received code while others may keep running until it loses a signal entirely, which the relay device probably has a means to at least keep a carrier signal if not the code itself. This is definitely an issue but one that may have numerous resolutions of which one person's suggestion of a signal-blocking box in the home would be a simple and obvious, though somewhat annoying fix. Most people won't bother to take their keys out of their pocket or purse to drop them in a box overnight or, if they do, may well forget to grab them the next day and end up locking themselves out of both car and home in the process. An alternate fix might be to install a motion-sensitive switch on the key fob that prevents any sending if the fob is motionless beyond a certain set time. 
    When the key is in a purse overnight or at the office, then the fob won't even bother to send its signal (saving battery) and make it less likely for the relay to sense a signal to unlock the vehicle. A pocket would be valid overnight when the owner is asleep though less so as long as the owner is moving around the home (once dressed.) A manual on/off switch would serve a similar purpose. Remember, any automated system would be susceptible to this or similar reverse-engineered hacking device. One way or another there needs to be a manual override that can lock down or at the least notify the owner if the vehicle is moving without permission. A third-party transponder operating at a different frequency (individually selectable) or a switch/display requiring an alphanumeric password on entering the car might help to minimize the theft of the vehicle itself but if you want to prevent or limit access entirely then we might need to revert to a physical key. I can think of several different ways to make access more difficult for the thief but they all involve making said access more difficult for the owner, too.

    • Vulpine on Dec 09, 2016

      @Scoutdude Kind of the point though, don't you think? Now consider the article that came out earlier this week about the BMW that became a prison for the man who stole it. There ARE ways to minimize the problem but you have to keep in mind that anything man can create, man can figure out how to misuse... and will. Now, honestly there's a huge convenience factor in having these systems. The problem with convenience is that it tends to make people complacent. But worse, it makes things even easier for those who prey on others who become complacent. 100 years ago, nobody even considered locking their doors when they were leaving the house to go shopping. Sure, there were sneak-thieves and cat-burglars, but they were relatively uncommon and people had the mindset that, "Oh, it won't happen to me," until it did. Of course, conversely as time progressed and such things as car thefts became more common, people started locking their doors to reduce that risk, creating a separate problem that now inconvenienced them on the occasion where they locked their keys inside the car (did that myself once a long time ago, now ensure I have a second set of keys available, one way or another.) With these devices now, it's like you never locked your car in the first place. No. What is needed now is a way for the owner to personalize the key fob outside of the default lock/unlock code; a way for the vehicle to know when it has gone beyond a permissible distance from the owner and disable itself. Even limiting power or speed to, say 15mph, would be enough to force the joyrider to abandon the vehicle and even a more determined thief would have second thoughts about driving it any significant distance. It wouldn't necessarily prevent the break-ins, but taking personal gear out of the car or at least having it hidden will reduce the risk. While the interior of a car may be considered "personal space," that doesn't mean you can live out of your car as though it were home.
      Then again, as I recall some horse-thievery laws are still on the books. Maybe cars need to be designated the same as horses and simply hang the car thief, hmmm?

  • Mulry on Dec 10, 2016

    Could this device be defeated by placing one's keys inside a small Faraday cage inside one's house? No signal = no signal to amplify and exploit.
