Relay Attacks: How Thieves Clone Your Key Fob

Dispatch #013 · Threat Briefing · Classification: Open

Your car key fob is broadcasting right now — from inside your house, your pocket, your bag. Thieves with $100 in equipment can capture that signal, relay it to your car, and drive away in under 60 seconds. No broken windows. No hotwiring. No alarm. Here’s how the attack works and the one countermeasure that stops it cold.

Dispatch filed by TINFOIL Intelligence Division · Permanent record

How Keyless Entry Works

Modern keyless entry systems work through a continuous radio conversation between your key fob and your car. The car periodically broadcasts a low-power challenge signal. When the fob is within range — typically 1–2 meters — it responds with an encrypted authentication code. The car verifies the code and unlocks the doors. The same exchange authorizes the engine to start when you press the ignition button.

This system is designed for convenience. You don’t have to press a button or insert a key. You walk up to your car, the fob and car authenticate automatically, and the door opens. The system assumes that proximity equals authorization: if the fob is near the car, the person holding it is authorized to enter.

That assumption is the vulnerability.

How the Attack Works

A relay attack exploits the proximity assumption by extending the range of the conversation between fob and car. It requires two people and two devices.

Step 1: Attacker A stands near your car with a relay device — essentially a radio transceiver that captures the car’s challenge signal and transmits it at higher power.

Step 2: Attacker B stands near your key fob — outside your front door, next to your bag at a restaurant, near your pocket in a crowd — with a second relay device that receives the amplified challenge signal and rebroadcasts it at close range.

Step 3: Your fob receives what it thinks is the car’s normal challenge signal and responds with the encrypted authentication code.

Step 4: The authentication response is relayed back to Attacker A’s device, which rebroadcasts it near the car.

Step 5: The car receives a valid authentication response and unlocks. Attacker A opens the door, presses the ignition button (the relay maintains the session), and drives away.

Total time: Under 60 seconds. Often under 30.

The attack works because the car and fob don’t verify distance — they only verify that the correct cryptographic exchange occurred. The relay devices extend the effective range of the fob from 2 meters to 100+ meters. Your fob thinks the car is right next to it. Your car thinks the fob is right next to it. Neither knows a relay is in the middle.

The equipment costs less than $100 and is available commercially. Tutorials are available online. The attack requires no technical expertise beyond following instructions. It works on virtually every vehicle with keyless entry manufactured in the last decade.

How Common Is This?

Prevalence: Relay attacks have been documented across Europe, North America, and Asia. UK police forces have identified relay theft as one of the fastest-growing vehicle crime categories. Multiple European insurance associations have issued specific guidance about the threat.

Affected vehicles: Virtually all vehicles with passive keyless entry systems. This includes most premium and mid-range vehicles manufactured since approximately 2015. Specific brands are not the issue — the vulnerability is in the keyless entry protocol, not the manufacturer’s implementation.

Detection difficulty: Relay attacks leave no physical evidence. No broken glass, no forced entry, no alarm trigger. Security cameras show someone walking up to the car and driving away normally. Many victims initially believe they forgot to lock the car, not that it was electronically compromised.

Insurance response: European insurance associations — particularly in the UK, Germany, and the Netherlands — now specifically recommend Faraday pouches for key fob storage. Some insurers have factored relay attack risk into premium calculations for vehicles with keyless entry.

Countermeasures

There are several approaches to preventing relay attacks. Most are inconvenient. One is simple.

Disable keyless entry: Effective but impractical. Some vehicles allow you to disable passive keyless entry in the settings, reverting to button-press lock/unlock. This eliminates the vulnerability but also eliminates the convenience the feature provides. Most people won’t do this.

Steering wheel lock: Effective as a deterrent. A physical lock doesn’t prevent the relay attack but makes the car harder to steal once entered. Thieves may move to an easier target. However, this doesn’t protect against relay-enabled theft of items inside the vehicle.

Signal-blocking fob case: Most effective and most practical. A Faraday pouch blocks the fob’s radio signal entirely. If the fob can’t receive the car’s challenge, it can’t respond. No response, no authentication, no entry. The relay attack is completely neutralized because there is no signal to relay. The physics are absolute — a properly sealed conductive enclosure blocks all RF communication.

Fob battery removal: Effective but absurd. Removing the fob battery stops all transmission. Also requires you to reinstall the battery every time you want to use your car. Not a serious countermeasure.

UWB-enabled fobs: Manufacturer-side fix, slowly rolling out. Some newer vehicles use Ultra-Wideband technology that verifies precise distance between fob and car, making relay attacks much harder. However, this only protects new vehicles with UWB-enabled systems — not the millions of vehicles already on the road with standard keyless entry.
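
To make the earlier point that the car and fob "don't verify distance" concrete, and to show what the distance check in the UWB entry changes, here is a simplified model added for this dispatch (not code from any vehicle or manufacturer). It assumes an HMAC challenge-response, a fixed fob turnaround time, and a 2 m bound; all function names and values are constructed for illustration.

```python
import hashlib
import hmac
import os

C = 299_792_458.0        # speed of light, m/s
TURNAROUND_NS = 1000.0   # assumed fixed fob processing time (constructed value)

def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """Fob side: answer the car's challenge with a MAC under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def round_trip_ns(path_m: float, relay_delay_ns: float = 0.0) -> float:
    """Challenge-to-response time the car observes over a path of path_m metres.
    A relay adds its own forwarding delay once in each direction."""
    return 2 * path_m / C * 1e9 + TURNAROUND_NS + 2 * relay_delay_ns

def car_decide(key, challenge, response, rtt_ns, max_range_m=None):
    """Return (unlock, reason). max_range_m=None models a car that checks
    only the cryptographic response, as described in the article."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False, "response does not verify"
    if max_range_m is None:
        return True, "response verifies; distance never checked"
    implied_m = (rtt_ns - TURNAROUND_NS) * 1e-9 * C / 2
    if implied_m > max_range_m:
        return False, f"implied distance {implied_m:.1f} m exceeds {max_range_m} m"
    return True, "response verifies and is within range"

def simulate(path_m, relay_delay_ns=0.0, max_range_m=None):
    """One unlock attempt. A relay forwards bytes unchanged, so the response
    is always the genuine fob's; only the timing differs."""
    key, challenge = os.urandom(16), os.urandom(16)   # constructed sample values
    response = fob_respond(key, challenge)
    rtt = round_trip_ns(path_m, relay_delay_ns)
    return car_decide(key, challenge, response, rtt, max_range_m)

if __name__ == "__main__":
    cases = [("owner at 1.5 m, no ranging", 1.5, 0.0, None),
             ("relay over 100 m, no ranging", 100.0, 50.0, None),
             ("owner at 1.5 m, 2 m bound", 1.5, 0.0, 2.0),
             ("relay over 100 m, 2 m bound", 100.0, 50.0, 2.0),
             ("zero-delay relay, 2 m bound", 100.0, 0.0, 2.0)]
    for label, path, delay, bound in cases:
        print(f"{label:30s} -> {simulate(path, delay, bound)}")
```

The last case is the one to note: even a relay that adds no processing delay is rejected, because the extra path length alone pushes the round-trip time past the bound.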

The Faraday Solution

A Faraday pouch for your key fob is the simplest, most effective, and most cost-efficient countermeasure against relay attacks. The physics are the same as every other Faraday cage application — a conductive enclosure blocks RF signals. Fob goes in the pouch. Pouch blocks the signal. No signal to relay. Attack neutralized.

The key fob application is actually simpler than phone-sized Faraday bags because key fobs operate at lower frequencies (125 kHz for passive RFID, 315 or 433 MHz for the active transmitter) with longer wavelengths that are easier to block. The closure tolerances are less demanding. The engineering is more forgiving.

This is not a theoretical countermeasure. European law enforcement agencies specifically recommend it. Insurance companies endorse it. The cost of a quality Faraday pouch is trivial compared to the cost of a stolen vehicle — or even the deductible on a theft claim.

Your key fob is broadcasting your car’s unlock code from inside your house, 24 hours a day. A $20 Faraday pouch stops it. This is the single most cost-effective vehicle security measure available — and one of the clearest examples of Faraday physics solving a real, measurable problem.

The Broader Point

Relay attacks are useful to understand not because they’re the biggest threat you face, but because they illustrate exactly how ambient RF signals create vulnerabilities. Your key fob wasn’t designed to be a security risk. It was designed for convenience. But any device that continuously broadcasts a signal creates an attack surface — a surface that can be exploited by anyone who understands the signal.

Your phone does the same thing, at higher power, across more frequency bands, broadcasting more data, to more receivers. Dispatch #002 mapped the full scope. Dispatch #004 covered the engineering of phone-sized Faraday bags. Dispatch #009 explained what your phone’s SAR rating actually measures.

Relay attacks on key fobs are the version of this problem that’s easiest to understand and cheapest to solve. They’re also the version that most clearly demonstrates that Faraday shielding isn’t theoretical, paranoid, or speculative. It’s a documented countermeasure to a documented threat, recommended by insurance companies and law enforcement across Europe.

Start with the key fob. Think about what else is broadcasting.

Stop the Signal

Faraday shielding isn’t theory — it’s the countermeasure that law enforcement recommends for a real and growing threat. TINFOIL signal management products are engineered for exactly this.