Car Radio VersionsAny
Versions for other radiosRelay Attack Explanation (Any)
Relay Attack Explanation
USA, Rest of World, Europe
“Gone in 46 seconds: How Push-to-Start vehicle technology makes your automobile an easy target for thieves, and what you can do to protect it.”
It’s been 19 years since Gone in Sixty Seconds premiered to audiences across the country. The movie stars Nicolas Cage as Randall “Memphis” Raines, a former Master Car Thief who is forced to steal 50 cars in 72 hours in order to save his kidnapped brother from a local gangster. However, there is one really big problem; one of the vehicles on the list is a Mercedes Benz S600, a vehicle deemed ‘unstealable’ without the factory Mercedes laser cut key.
How do they get past the impenetrable Mercedes security system? Well, you’ll need to watch the movie to find out. But, as a car guy who is obsessed with automotive technology, it does leave one burning question in my mind; if anti-theft technology was so advanced in the year 2000, it must be even better now, right?
The answer, unfortunately, is NO. Yes, vehicles have become more advanced, some even virtually drive themselves. Convenience technologies like passive keyless entry and push-to-start now allow you to open and start your vehicle without even taking your key fob out of your pocket. Unfortunately, it also allows your vehicle, even a Mercedes Benz, to be stolen in seconds. Don’t believe me? Well, keep reading!
In 2017 the West Midlands Police department in the United Kingdom obtained surveillance footage of a gang of high-tech thieves that were able to get into a brand new Mercedes Benz and drive it off using a ‘mystery device’. The thieves were able to gain entry into the vehicle in under 18 seconds and drive it off in 46 seconds. A video copy of the theft may be viewed here.[i]
This ‘mystery device’ used in the Mercedes Benz theft, now known as a “relay attack box”, uses a technology called Signal Amplification Relay Attack (SARA). SARA works by exploiting weaknesses in the factory passive keyless entry and push-to-start system. Now, I know what you are thinking, “as long as I have my key fob they can’t take my car”. However, you are wrong.
In order to explain how a relay attack is accomplished, you must first understand how your factory passive keyless and push-to-start system (PKE/PTS) works. Your factory PKE/PTS relies on radio frequency communication between the vehicle and the key fob. The key fob is designed to always ‘listen’ for a command from the vehicle which is generated when the door handle is pulled or a sensor on the back of the door handle recognizes movement. However, the key fob must be very close to the vehicle to receive this command. Once the key fob is within a few feet of the vehicle it is able to receive the command from the car and transmit a command back to the vehicle. The result is that the door unlocks.
This bi-directional communication between the key fob and the vehicle is repeated in order to start the car, but this time the key must be inside the vehicle. If the key is within range of the even smaller inside zone, it is able to respond back to the car and the vehicle is able to start. For safety reasons, once the vehicle has been started it will continue to run, even if the key is removed from the car.
“So, as long as I have my key fob away from my vehicle and locked safely inside my house, nobody can steal my car, right”? Wrong again. A signal amplification relay attack tricks the vehicle and the key fob into thinking that they are in close proximity to one another. The attack involves two people, each with a receiver and transmitter. The attack is originated from the person by the vehicle that pulls the door handle, activating a response from the vehicle looking for the key fob. The vehicle’s radio frequency signal is read by the receiver, amplified and “relayed” up to the accomplice located by a door or window where it is broadcast into the home. The thief by the house is broadcasting the vehicle’s signal into the house, looking for a response from the key fob. If the key fob can receive the vehicle’s signal, it responds back. The key fob’s response is then relayed back down to the vehicle and, voila, the door opens. This process is repeated again once the thief is inside the vehicle, the car starts, and may be driven away.
Unfortunately, relay attack vehicle theft is real and has become an epidemic throughout the world. Thieves can procure a relay attack box on the internet for as little as $300 or, if they know what they are doing, can build a device for under $50. In England, relay attacks account for an approximated 85% of all vehicle theft and vehicle break-ins. However, this problem is not just isolated to England. Relay attacks have been reported in the USA by the National Insurance Crime Bureau as far back as 2016.[ii] Another disturbing fact is that these attacks aren’t just isolated to major metropolitan areas. Last Month in Gilroy, California, a small suburb of San Jose, SARA was used to break into a half dozen vehicles in one unsuspecting neighborhood[iii] overnight.
I bet that you are beginning to wonder what you can do to protect yourself against relay attack theft. Well, there are several low-tech solutions that may provide some protection. For example, wrapping your key fob in aluminum foil, keeping your keys in your refrigerator, or putting your key fob in a fully enclosed metal box. Laugh if you want, but these have been suggested by various law enforcement agencies and yes, they do provide some protection. However, is anybody really going to do it every day? No, I don’t think so either.
Another low-tech solution is to place your key fob into an RF shielded “Faraday” bag. These RF shielded bags are available online for as low as $10 and a Faraday bag will protect you from a relay attack. However, it also defeats the convenience of actually using your passive keyless entry and push-to-start system. In order to gain entry into your vehicle you will need to remove the key fob from the Faraday bag every time. Can you image your wife actually digging through her purse to do this and remembering to put it back? Don’t worry, you aren’t alone, I can’t either.
The race to find a solution to combat relay attack theft without comprising the convenience of the PKE/PTS has now reached the vehicle manufacturers themselves. In April of this year, Ford Motor Company became the first vehicle manufacturer to admit that their vehicles were susceptible to relay attack theft. In response, Ford is now offering a key fob that goes to sleep after 40 seconds without movement. The new key fobs are available on the current Ford Focus and Fiesta models in Europe and a retrofit kit is available for older models at the cost of around $100 per key fob plus an hour of labor at the dealership.[iv] This brings the estimated cost to @ $340 per vehicle and it only covers two models. What about the millions of other susceptible PKE/PTS vehicles already on the road? According to Coral Springs, Florida based electronics manufacturer NAV-TV, they have the answer in the form of a universal product called Secure-a-Key.
According to Moni Melman, NAV-TV CEO, “The Secure-a-Key is a patent-pending universal product that installs into the consumer’s existing key fob. It requires no additional parts, professional installation or dealership intervention. The Secure-a-Key works by detecting movement. Once the key stops moving for a short period of time, the Secure-a-Key disconnects the internal battery, effectively eliminating the key fob’s ability to receive or transmit a signal to the car and, thus, solving the problem of relay attack theft. As soon as the Secure-a-Key detects the slightest movement, the battery is reconnected and all functions of the passive keyless entry and push-to-start system become fully functional.”
NAV-TV did warn us that every vehicle does come with at least two key fobs and every key fob must be protected with the Secure-a-Key in order to prevent against relay attack theft. The Secure-a-Key is available for key fobs that utilize either a CR2032 or CR2450 battery and are available in both single and double unit packaging. Several Secure-a-Key installation videos are provided by the company on their youtube channel and the product may be purchased at https://navtv.com/products/category/32/Secure-a-Key.html or through thousands of NAV-TV dealers globally, including amazon.com. US price for two units is $130.00 and single units are available for additional, or replacement remote key fobs, for $80.00.
[i] https://www.youtube.com/watch?v=Lup0cAX2IN0 November 27, 2017 West Midlands Police, U.K.
[ii] : https://www.youtube.com/watch?v=EE5Ygm0aFMk Dec 7, 2016 NICB, USA
[iii] https://www.youtube.com/watch?time_continue=5&v=-Tlgfk9xMRE May 28, 2019 NICB, USA
[iv] : https://www.msn.com/en-us/autos/news/ford-launches-new-keyless-fob-to-combat-relay-attacks/ar-BBVNwFC?li=AA8sb7 May 10, 2019 reported by MSN.com
Download as PDF
Relay Attack Explanation Compatibility Chart
|Any/Any||2000-2023||USA, Rest of World, Europe||Any|