On September 24, 2017, two men pulled up alongside a home in Elmdon in the county of West Midlands, England. One of the men walked up to the house while the other approached a Mercedes parked outside. The former waved a box in front of the victim's house. Seconds later, the latter opened the driver's door of the victim's car, got in, and drove away behind his partner.
More than two months later, the West Midlands Police has yet to recover the car. Its officers are currently analyzing CCTV footage of the crime for possible clues that could help them identify the culprits. That recording is displayed below:
So, how did the thieves make off with the car without needing the owner's keys?
In all likelihood, they conducted a relay attack. It's a type of hack that works against vehicles' keyless entry systems.
When someone approaches a car equipped with a keyless entry system, that component attempts to talk with the key via electromagnetic signals. Such communication allows the vehicle to authenticate the key and unlock the door without requiring the individual to press any buttons. It's all about convenience; someone can unlock the door without needing to fumble with the key as long as they have it in their possession.
To prevent instances of abuse, these systems do have some restrictions. A vehicle can seek out the key only within a limited range. If it does not successfully communicate with the key in that radius, the keyless entry system quits looking and keeps the vehicle's door locked.
However, an attacker's ingenuity can effectively circumvent those safeguards.
Indeed, a malicious actor can leverage a keyless entry system to silently break into a vehicle using a relay box. This device can amplify the distance that the car can search to tens if not hundreds of meters away. Attackers can therefore use it in a manner that mimics the West Midlands theft: deploy the relax box outside of a residential home where they key is most likely kept at night and thereby gain entry to as well as turn on the vehicle.
Relay attacks and the keyless entry system flaws they exploit aren't new. Nick Bilton wrote back in 2015 about how an unidentified girl broke into his Prius using "a small black device from her backpack." In the process of searching for answers to explain what had happened, he eventually came across Boris Danev, founder of 3db Technologies and an expert on security flaws in keyless entry systems.
Danev told Bilton how relay boxes work. As quoted by The New York Times
It's a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, 'hello.' You can buy these devices anywhere for under $100.
The press coverage of relay attacks has continued since then. In 2016, security researchers at the Munich-based automobile club ADAC published
their findings of an "amplification attack" they performed on 24 vehicles from 19 different manufacturers. The test consisted of a pair of radio devices they built using some chips, batteries, a radio transmitter, and an antenna that cost just $225. One of the radios impersonated the car's key and communicated with the car's wireless entry system, whereas the other device sought a response from the key within a 300-foot radius.
emerged in 2017 from researchers at the Beijing-based security firm Qihoo 360. Their setup allowed an actor to potentially unlock a car using a relay attack at up to a thousand feet away. It also cost a mere $22 to build.
While investigators look into what happened in Elmdon, Mark Silvester from the West Midlands Police crime reduction team has some words for how vehicle owners can protect themselves. As quoted by Sky News
To protect against this type of theft, owners can use an additional tested and Thatcham-approved steering lock to cover the entire steering wheel. We also recommend Thatcham-approved tracking solutions fitted to the vehicle. It is always worth speaking to your main dealer, to ensure that your car has had all the latest software updates and talk through security concerns with them.
They can further protect themselves against relay attacks by placing their key in an RFID signal-blocking bag that blocks out electromagnetic signals.