By on December 8, 2016

Over the past two years, we’ve brought you in-depth coverage of a crop of shadowy gadgets designed to give thieves access to parked vehicles.

Like most tools of the trade, the gadgets are very similar, using the same principle to achieve the same result — unlocking a parked vehicle by sending signals to the car’s own keyless-entry system. For vehicles with a push-button ignition, the same gadgets can sometimes start the vehicle, giving that thief an instant lifestyle upgrade.

Now, a “mystery device” purchased by the National Insurance Crime Bureau (NICB) has revealed just how vulnerable an average vehicle is to these high-tech slim jims.

The device obtained by NICB was purchased by a third-party security expert from an overseas company. It uses the same technology and principle as the mystery gadgets seen in the hands of thieves in recent security camera footage and eyewitness reports. (TTAC has detailed how the technology works here and here.)

Apparently, the buy wasn’t a sketchy, late-night parking garage trade. The “overseas company” reproduced the device for automakers and anti-theft companies to test vehicle vulnerability, so there’s no legal grey area on the NICB’s end. Called a “relay attack” unit, the device only works on vehicles with keyless entry and push-button ignition.

For real-world unscientific testing, NICB partnered with auto retailer CarMax, rather than have one of their guys roam around side streets and parking lots in search of test subjects. The bureau wanted to know four things: whether the device could unlock a car, start the vehicle, drive it away, and turn off and restart the vehicle without the manufacturer’s keyless fob. The results were surprising.

According to NICB, “Tests were also done at a new car dealership, an independent used car dealer, at an auto auction and on NICB employee vehicles and ones owned by private individuals.”

When tested on 35 different makes and models, the device unlocked 54 percent of the vehicles. It also allowed the “thief” to drive away in 51 percent of them. Once the vehicles that drove away were turned off, the device was able to restart the engine in 34 percent of them. (NICB notes that four new Chevrolets successfully repelled the device.)

“We’ve now seen for ourselves that these devices work,” NICB president and CEO Joe Wehrle said in a statement. “Maybe they don’t work on all makes and models, but certainly on enough that car thieves can target and steal them with relative ease. And the scary part is that there’s no warning or explanation for the owner. Unless someone catches the crime on a security camera, there’s no way for the owner or the police to really know what happened. Many times, they think the vehicle has been towed.”

It’s hard to protect against a relay attack, as the device simply amplifies and relays the signal from the vehicle’s proximity key. The vehicle is fooled into unlocking itself. It’s now up to automakers to design countermeasures against the technology, which can be built from aftermarket or used electronics.
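
The relay described above can be modelled in a few lines: a car that only checks the fob's cryptographic answer accepts a relayed live fob, one that also bounds the round-trip time does not, and a recorded answer fails either way because each challenge is fresh. This is an added example, not code from NICB, TTAC or any automaker. The `Fob`, `Car`, `live_path` and `replay_path` names, the 2 m unlock range, the fob's fixed 1000 ns reply delay and the 5 ns tolerance are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


class Fob:
    """Proximity key: answers any challenge it hears with an HMAC."""

    def __init__(self, key, processing_ns=1000.0):
        self.key = key
        self.processing_ns = processing_ns  # assumed fixed, known reply delay

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def live_path(fob, distance_m, relay_latency_ns=0.0):
    """Radio path to a live fob. A relay only lengthens the path: it
    forwards the challenge and the fob's genuine answer unchanged."""
    def responder(challenge):
        flight_ns = 2 * distance_m / C_M_PER_NS + 2 * relay_latency_ns
        return fob.respond(challenge), fob.processing_ns + flight_ns
    return responder


def replay_path(recorded_response):
    """Plays back an answer captured during an earlier exchange."""
    def responder(challenge):
        return recorded_response, 0.0
    return responder


class Car:
    def __init__(self, key, enforce_timing, max_range_m=2.0,
                 fob_processing_ns=1000.0, tolerance_ns=5.0):
        self.key = key
        self.enforce_timing = enforce_timing
        self.max_range_m = max_range_m          # constructed value
        self.fob_processing_ns = fob_processing_ns
        self.tolerance_ns = tolerance_ns        # constructed value

    def try_unlock(self, responder):
        challenge = os.urandom(16)  # fresh for every attempt
        response, elapsed_ns = responder(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: bad response"
        if self.enforce_timing:
            # Longest acceptable round trip: fob delay plus flight time
            # to the edge of the unlock range and back.
            budget_ns = (self.fob_processing_ns
                         + 2 * self.max_range_m / C_M_PER_NS
                         + self.tolerance_ns)
            if elapsed_ns > budget_ns:
                return "reject: response too slow"
        return "unlock"


def run_scenarios():
    key = os.urandom(32)
    fob = Fob(key)
    stale = fob.respond(os.urandom(16))  # answer to an old challenge
    results = {}
    for name, timing in (("legacy", False), ("timed", True)):
        car = Car(key, enforce_timing=timing)
        results[name] = {
            "owner_at_door": car.try_unlock(live_path(fob, 1.0)),
            # Fob 30 m away, reached through an ideal zero-latency relay.
            "relayed_30m": car.try_unlock(live_path(fob, 30.0)),
            "replayed": car.try_unlock(replay_path(stale)),
        }
    return results


if __name__ == "__main__":
    for car_name, outcome in run_scenarios().items():
        print(car_name, outcome)
```

The elapsed time here is computed rather than measured; a real implementation needs nanosecond-scale timing in hardware and a fob whose reply delay is tightly fixed.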

Right now, the only advice from NICB is to keep valuables out of sight and always take your fob into the house. Bring the garage door opener, too.

[Image capture: NICB/YouTube]


67 Comments on “‘Mystery Device’ Unlocks and Starts Over 50 Percent of Tested Vehicles...”

  • avatar

    Just another reason to loathe the push button start.

  • avatar

    Just install fuel pump switch somewhere and be done with it

  • avatar

    I love old fashioned metal keys, I just never knew exactly why.

    • 0 avatar

      Old-fashioned metal keys are just as easy to hack.

      • 0 avatar
        White Shadow

        I remember my dad’s old S10 Blazer was stolen by popping the door lock, cracking the steering column and pulling a metal rod to start the engine. I’m guessing that the thief drove away in a matter of seconds.

        • 0 avatar

          I had someone try that on my 88 Chevy truck. Only problem was they were short and it was stick shift. Starter wouldn’t engage unless the clutch was in, and I don’t think they were tall enough – or didn’t know anything about manual transmissions.

      • 0 avatar

        No, old-fashioned keys are not just as easy to hack. With this they just have to turn on the device. With old-fashioned keys it takes some skill, depending on the exact car, to use a slim jim to open the door. If you know a particular car well that can be done in a matter of seconds; if you don’t it can take several minutes. Defeating an ignition lock cylinder again is not as simple as having the device turned on. Throw in a transponder and it gets even harder to defeat the system. This just needs to be turned on and able to capture a signal from a nearby key.

  • avatar

    So, this only works if the proximity key itself is nearby?

    So if I leave my car in the driveway for some reason instead of putting it in the garage overnight (like I did when we were having a garage sale and the garage was full of stuff), but the proximity key is in the house on the nightstand next to me, can something like this still make my Mazda zoom-zoom away without me?

    Thank goodness I have a garage. My 6 and my wife’s CX-5 stay in the garage each night and our ’95 S10 sits outside. No one would want to steal it anyway, but if they did, it would be super easy.

    • 0 avatar
      George B

      It appears that this “mystery device” requires an organized effort to get one half of the relay close to your key fob and the other half close to your car. The thief would have to be willing to trespass on your property to get close enough to make it work. A shielded enclosure for your key fob would defeat this at home.

      I would guess that this device would require a team effort between a thief and his hot girlfriend. The car side of the link is easy. The tough part is getting the key side of the link inside the personal space of the victim. Social rules about personal space make it tough for a male thief to get close, but an attentive waitress could easily get close to the key fob without raising suspicion.

    • 0 avatar

      Yes this just picks up the signal from the key and relays it to the device at the car. So yeah parking it in the garage significantly limits your risk at home. But at the local store, restaurant or depending on where you work it would still be vulnerable there.

  • avatar

    Sounds like the hackers have developed a pretty capable device, this has to be excellent advertising. Anybody know how much it costs?

    • 0 avatar
      Kyree S. Williams

      Right? Why should you buy a Range Rover Supercharged Autobiography at $120K, when for the cost of this device, you could have one at a steep discount…well, until you smuggle it off to Eastern Europe via shipping container.

    • 0 avatar

      $19.95, but call in the next 10 minutes, and you’ll get a second Mystery Device, absolutely free (just pay separate P&H).

  • avatar
    Big Al From 'Murica

    Well as I have been applying for in vehicle cyber defense positions this looks good for my future employment at least.

  • avatar

    I think I want one of those things that (Mel Gibson) Mad Max had installed on his car that would blow up the car if it was started properly. Simpler.

  • avatar
    White Shadow

    I’d love to know which cars are able to be unlocked, started, driven, restarted, etc…

    Does a list exist?

    • 0 avatar

      According to the video, the researchers weren’t able to break into some models that the device’s developer claims are vulnerable. So YMMV, apparently. And the bad guys will keep building better boxes.

  • avatar

    Auto theft is an industry in and of itself. Manufacturers come up with a new anti-theft measure and at some point it’s defeated and vehicles are stolen for joy rides, parts or exported.

    The VIN is stamped on a myriad of locations on any vehicle; they are still stolen, and VINs changed.

    Remember when prior to accident reports stickers with the VIN of the vehicle were prominently displayed on obvious body panels (no tag the panel was replaced) until “someone” started making stickers with the correct VIN.

    When a “window of opportunity” opens up the auto theft industry will take advantage of the window until it closes.

    For every measure there is a counter measure.

    It’s the reason folks have their vehicles insured.

  • avatar

    For those who don’t want to watch the video, here’s how it works:
    1. You park your car, step out of it, and hit your fob to lock the car.
    2. Bad guy standing a few feet away from you uses a device to intercept and record your fob’s signal.
    3. A second device is placed next to your door, the first device transmits your code to this device which relays it to your car and unlocks the doors, also enabling, in some cases, the ignition.

    I don’t really understand Steph’s last paragraph. “Don’t leave your keys in the car” is great advice, but doesn’t really apply here. You defend against this by:
    1. Don’t use your fob if someone is standing within 10 feet of you, or else
    2. Lock your doors manually.
    3. Don’t give your fob to anyone you don’t trust…goodbye valet parking.

    I expect more sensitive devices will be developed, so the 10-foot rule may not apply for too long. Hopefully automakers will start using encryption on their signals, it shouldn’t be that hard.

    • 0 avatar
      George B

      I think your sequence is wrong. The device mostly just extends the range of your key fob so that the car thinks you’re at the car instead of somewhere else.

    • 0 avatar

      I’ve got a 2011 Venza V6/FWD w/Smartkey and I rarely use the fob to lock the car when exiting. My hand must be on the door pull to open it and I just slip my hand down to the lock button as I exit. About the only time I use the fob is to open the hatch when approaching the car with packages. Hopefully these devices can’t pick up a signal if the fob isn’t used to lock the car. Fortunately I live in a rural area and don’t need to lock my vehicles but I suppose if someone wants your vehicle they will figure a way to get it.

    • 0 avatar

      @Russcycle – thanks. Until the “relay attack” was mentioned in the 2nd-last paragraph, I was completely baffled and thought they had come up with something NEW to DISCOVER codes by various trickery. I’m totally not worried about relay attacks – our cars aren’t worth the effort.

      @Steph Willems – it would have helped if you had put the “relay attack” part MUCH higher up. Like, in the first few paragraphs: Relay attacks are not new, and have been theoretically possible for a while, but a new “mystery” device purchased by NICB seems to have integrated/collected relay attack methods into a simple box and made them easy to carry out. And maybe a 1-2 sentence summary: “A relay attack is where a nearby thief records the signal from your keyfob and sends it to your car, or induces your nearby keyfob to send a signal to the car as if it was valid” or something. Yes, you linked to other articles, but if only those other articles have the main details I need (that you need someone standing close by to record/trigger your car/keyfob), then this article isn’t finished.

    • 0 avatar
      White Shadow

      “1. You park your car, step out of it, and hit your fob to lock the car.”

      Okay, so if that’s the case, here’s the easy fix: Don’t lock your car with the key fob. Simply press the lock button on the door before closing it.

      I’m accepting donations in return for my infinite wisdom….

    • 0 avatar

      The real advice is “don’t try and roll your own crypto”.

      There are all sorts of solutions for this that can be built on existing technology stacks designed by security professionals and audited by even more professionals. Automakers shouldn’t be trying to reinvent the, umm, wheel.

      Bluetooth, for example, is pretty much immune to this sort of thing because the keys change periodically and the whole communication is encrypted with those keys. Why not use Bluetooth?

    • 0 avatar

      Is that it? We’ve known of this kind of attack, though a properly designed system would use rolling codes and therefore the “intercepted” code would only be good for one use.

      The article text seems to imply that this new device acts as a range extender, relaying the signal from the car to the key fob and vice versa, so that even if your key is not near the car they are still able to relay the signal and make it appear that it is, allowing them to unlock and start it.

  • avatar

    #1 Anti-theft device?

    Manual transmission.

  • avatar

    And while this device can probably be bought for $14.95 from China, new keys for your car still cost astronomical amounts of money!

  • avatar

    This must only work on 50% of vehicles with keyless entry and push button ignition. It’s weird to say 50% of vehicles, it seems like the relay either works or doesn’t – which seems dependent on manufacturer and range.

    Like this has a 0% chance of working on a car with a conventional keyed ignition. This has a 100% chance of working next to some weak car with the owner standing a few feet away.

  • avatar

    One of the few beefs I have with my EB Mustang would be the “push button” start. I’m hoping that the bad guys that get their hands on one of these devices are the guys that steal cars for profit. This sort of crook chops it up, and/or ships it to Nigeria. I doubt that an EB Mustang is on their “shopping list”.

    It is my hope that the “Joyrider thief” is either too stupid to operate the technology, or the cost of such a device is cost prohibitive.

  • avatar

    Don’t forget that it’s trivially easy to defeat the type of locks used in cars with old-school key door and ignition locks.

    My 1989 Taurus SHO came with no trunk key. A locksmith made one for me in a few minutes.

  • avatar

    Imagine a world where a good portion of one’s livelihood and personal capital can simply vanish or be destroyed in the blink of an eye.

    This is an extraordinary risk for the average person…and its elimination is the most tangible benefit of the large autonomous transportation network which many believe is inevitable. Yes, insurance can help mitigate the consequences but it will also continually drag down your bank account.

    Because in some sense, the personal automobile is really just an enhancement for our tiny, slow and frail human legs and arms. It is a necessary tool in the modern developed world and there is no reason that one should risk so much just as a cost of entry.

    The peacocking status of a nice car will be transferred to some other exorbitantly expensive and outwardly visible tool/symbol.

  • avatar
    Jeff Zekas

    My son’s BMW used $200 chipped keys. Worthless. Only Hyundai still uses old fashioned metal keys: cheap, simple, easily replaced. Cos thieves can defeat any system. So why use expensive deterrents?

  • avatar

    So yeah, relay attacks:

    Oversimplifying wildly, the proximity fob and the car use rolling codes to identify each other, so listening to (and replaying) one transaction shouldn’t get you in. The primary security here is the fob having a short-range signal, so if the signal isn’t strong enough, the car assumes the fob isn’t close by.

    There are ways to thwart relay attacks. When “unlock your Mac with your Apple Watch” was introduced this year, they specifically mentioned the countermeasure, which is a challenge-response sequence where the computer cares about how quickly the watch responds.

    Since you can’t cheat the speed of light, if you can measure this time very accurately, you can figure out how far away the device is. Expect relay resistance to be a standard part of car security soon; shame it wasn’t considered before…

    • 0 avatar

      It has been considered before; most other wireless communications protocols do some sort of auth, key-exchange and sequence tracking. Bluetooth and 802.11i have been immune for at least a decade.

      OEMs, as is pretty typical, decided to do it their own way.

  • avatar

    The more interesting line was “always take your fob into the house”. I assumed that this was common sense, but it clearly isn’t. After browsing some Ford-related forums recently it has become clear that many owners simply leave the key fob in the car and use the number pad on the door frame to unlock/lock the car. I couldn’t believe that people would be so cavalier about security, but apparently they are.

  • avatar

    The last time I dealt with a keyfob-based security system on an Audi, it wasn’t as simple as this video makes it to be. At least on those cars the keyfob generated and transmitted a different code with each key press, and only the receiver algorithm knew which code was valid next (and the sequence was based on some randomization algorithm also). So, it wouldn’t be as easy as simply re-transmitting the same code the relay circuit read.

    Regardless, I want to believe that no true valet keys are electronic, reason enough to always carry your valet key with you at all times. Handing the electronic key over to a valet is not a good idea. In theory, with the proper equipment they could add an extra keyfob to your car’s security system and then they’d have a good key forever with no need to follow you or relay the signal, etc.

    • 0 avatar

      VW product and VW electronics – when the electronics in the keyfob and the receiver get out of synch, at an inconvenient time as Murphy would suggest, how will you get home?

      Give me a simple setup that doesn’t cost a lot to replace if I lose the key.

      • 0 avatar

        Well, I’d be the first to criticize VAG, but this particular system was VDO electronics iirc.

        I want a simple setup too, but simple is easy to steal. Didn’t they have mechanical keys and then started adding some wires and a cobra alarm way back when?

        Getting home or not will involve leaving the other key with someone else, or calling home and asking them to bring it to you. Or towing it to the dealer. Nothing simple there, but very safe. One of my VAG cars is with another owner now but the two keyfobs and valet key are still functioning perfectly over 15 years later.

    • 0 avatar

      The system doesn’t work with the kind of keyfob you’re talking about, and it doesn’t re-transmit a code later. It’s a live re-transmission of the signal the keyfob is currently putting out. It only works on the proximity based keyfobs, not the “push a button to unlock” based keyfobs.

      Things happen in real time. One person is near you with the receiver, while the other person is next to the car with the transmitter.

  • avatar

    I’m reading a number of misperceptions above, though there may already be some correcting comments in response.

    I live in range of a number of Philadelphia radio stations and will note that the issue is bigger than you might imagine. Interestingly, the more common victims of this method of attack are in high-value communities… areas where the average home is in the million-dollar range–for obvious reasons. In essence, the relay only needs to get close enough to the key fob to amplify its signal to the receiver in the car. Assuming, for the moment, that it’s a two-way communication (the car constantly seeks the fob until it’s close enough to respond), the user of this device may only need to get ten or twenty feet closer to the fob to trigger the fob’s response and then carry that ‘echo’ back to the car, which has already unlocked itself. Then, as long as the fob is still relaying the echo, the car will start in the driveway.

    Here’s where things may differ, depending on brand and model. In some cases, when the car gets a certain distance away from the fob, it will shut itself down, the relay device supposedly not carrying the received code while others may keep running until it loses a signal entirely, which the relay device probably has a means to at least keep a carrier signal if not the code itself.

    This is definitely an issue but one that may have numerous resolutions of which one person’s suggestion of a signal-blocking box in the home would be a simple and obvious, though somewhat annoying fix. Most people won’t bother to take their keys out of their pocket or purse to drop them in a box overnight or, if they do, may well forget to grab them the next day and end up locking themselves out of both car and home in the process. An alternate fix might be to install a motion-sensitive switch on the key fob that prevents any sending if the fob is motionless beyond a certain set time. When the key is in a purse overnight or at the office, then the fob won’t even bother to send its signal (saving battery) and make it less likely for the relay to sense a signal to unlock the vehicle. A pocket would be valid overnight when the owner is asleep though less so as long as the owner is moving around the home (once dressed.) A manual on/off switch would serve a similar purpose.

    Remember, any automated system would be susceptible to this or similar reverse-engineered hacking device. One way or another there needs to be a manual override that can lock down or at the least notify the owner if the vehicle is moving without permission. A third-party transponder operating at a different frequency (individually selectable) or a switch/display requiring an alphanumeric password on entering the car might help to minimize the theft of the vehicle itself but if you want to prevent or limit access entirely then we might need to revert to a physical key. I can think of several different ways to make access more difficult for the thief but they all involve making said access more difficult for the owner, too.

    • 0 avatar

      Maybe there are some out there that will shut down when you get too far away from the fob but I doubt it as that would be considered a safety hazard. I have a friend with a Prius who went somewhere with her husband, she got out with the fob in her possession while he continued on to his destination several miles away. Then when he went to go pick her up and go home he couldn’t start the car.

      With a lot of the houses they are building today it wouldn’t be too hard to get close enough to relay the signal.

      • 0 avatar

        Kind of the point though, don’t you think? Now consider the article that came out earlier this week about the BMW that became a prison for the man who stole it. There ARE ways to minimize the problem but you have to keep in mind that anything man can create, man can figure out how to mis-use… and will.

        Now, honestly there’s a huge convenience factor in having these systems. The problem with convenience is that it tends to make people complacent. But worse, it makes things even easier for those who prey on others who become complacent. 100 years ago, nobody even considered locking their doors when they were leaving the house to go shopping. Sure, there were sneak-thieves and cat-burglars, but they were relatively uncommon and people had the mindset that, “Oh, it won’t happen to me,” until it did. Of course, conversely as time progressed and such things as car thefts became more common, people started locking their doors to reduce that risk, creating a separate problem that now inconvenienced them on the occasion where they locked their keys inside the car (did that myself once a long time ago, now ensure I have a second set of keys available, one way or another.) With these devices now, it’s like you never locked your car in the first place.

        No. What is needed now is a way for the owner to personalize the key fob outside of the default lock/unlock code; a way for the vehicle to know when it has gone beyond a permissible distance from the owner and disable itself. Even limiting power or speed to, say 15mph, would be enough to force the joyrider to abandon the vehicle and even a more determined thief would have second thoughts about driving it any significant distance. It wouldn’t necessarily prevent the break-ins, but taking personal gear out of the car or at least having it hidden will reduce the risk. While the interior of a car may be considered “personal space,” that doesn’t mean you can live out of your car as though it were home.

        Then again, as I recall some horse-thievery laws are still on the books. Maybe cars need to be designated the same as horses and simply hang the car thief, hmmm?

  • avatar

    Could this device be defeated by placing one’s keys inside a small Faraday cage inside one’s house? No signal = no signal to amplify and exploit.
