How Modern Cars Are Stolen

The stereotype of a hooded figure with a coat hanger and screwdriver is decades out of date. Today's vehicle thieves carry laptops, relay devices, and diagnostic tools. They don't break windows—they walk up and drive away. Understanding these methods is the first step toward real protection.

15 min read Updated January 2025

Between 2019 and 2024, vehicle theft in the United States increased by over 25%. But the raw numbers don't tell the full story. What changed isn't just the volume of thefts—it's how they happen. The vehicles being stolen aren't old models with worn ignitions. They're late-model cars with push-button start, keyless entry, and sophisticated anti-theft systems that were supposed to make theft nearly impossible.

The problem isn't that factory security doesn't work. It does—against the threats it was designed to stop. The problem is that professional thieves have moved past the physical methods factory security was built to prevent.

This guide explains exactly how that works. Not to enable theft—these techniques are already well-known in criminal circles—but to help vehicle owners understand what they're actually protecting against. Because you can't choose effective security without understanding the threat.

Why Modern Theft Is Different

Until the early 2000s, stealing a car required physical manipulation. Thieves needed to break into the vehicle (triggering alarms), defeat the steering lock (leaving visible damage), and bypass the ignition (requiring time and skill). Each step created risk: noise, visible evidence, and time exposed in a parking lot or driveway.

Keyless entry changed the equation. The convenience feature that lets you unlock your door without removing your key from your pocket also created a new attack surface. Now, the car continuously listens for a specific radio signal. If it hears that signal, it unlocks. If it hears it again with you in the driver's seat, it starts.

The security assumption was simple: the signal only travels a few feet, so the key must be nearby. That assumption is no longer valid.

The Core Vulnerability

Modern vehicles trust wireless signals for authentication. If a thief can produce or relay the correct signal, the car has no way to know the real key isn't present. This isn't a bug in any specific manufacturer's system—it's a fundamental limitation of keyless technology as currently implemented.

Professional vehicle thieves exploit these wireless vulnerabilities because they're efficient. A relay attack takes under 60 seconds. CAN bus injection takes 2-3 minutes. There's no broken glass, no triggered alarm, no evidence of forced entry. In most cases, security cameras show what looks like an owner getting into their own car.

Relay Attacks

Most Common Method

Relay attacks are the most prevalent method for stealing keyless vehicles. The technique requires two devices and two people, though single-person variants exist. Here's how it works:

The Attack Sequence

  1. Positioning: One thief stands near your front door or wherever your keys are stored inside your home. They carry a relay amplifier—a device that captures and boosts radio signals.
  2. Amplification: The device picks up the weak signal from your key fob inside the house and amplifies it, extending its range from a few feet to potentially hundreds of feet.
  3. Transmission: The amplified signal is transmitted to a second device held by an accomplice standing next to your car in the driveway.
  4. Deception: The second device broadcasts the amplified signal. The car's receiver picks it up and believes the key is present.
  5. Access: The car unlocks. The thief gets in, presses the start button, and the engine starts—because as far as the car knows, the key is right there.
  6. Escape: The thief drives away. Once the engine is running, most vehicles won't shut off even when the key signal is lost.

Why It Works

Your key fob is always transmitting a low-power signal on either 315 MHz (North America) or 433 MHz (Europe and elsewhere). This signal uses rolling codes—encrypted sequences that change with each use—which is why cloning old garage door openers doesn't work. But relay attacks don't clone the signal. They relay it in real-time.

Some newer vehicles—primarily certain BMW, Genesis, and Mercedes models from 2022 onward—use Ultra-Wideband (UWB) technology that measures the precise distance to the key, making relay attacks significantly harder. However, UWB-equipped vehicles remain a small fraction of cars on the road, and security researchers have already demonstrated vulnerabilities in some implementations.

The car asks: "Is my key nearby?" The relay device forwards this question to your actual key inside your home. Your key responds: "Yes, I'm here." The relay device forwards this answer back to the car. From the car's perspective, this conversation happened normally.
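
The exchange above passes every cryptographic check even when relayed, which is why distance measurement is the countermeasure. The following sketch is an added example, not code from this guide or from any manufacturer: it models a car that verifies both the key's response and the round-trip time. The 2 m limit, the fixed fob turnaround time, the demo key, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_NS = 0.299792458  # metres a radio signal travels per nanosecond
MAX_KEY_DISTANCE_M = 2.0               # assumed policy: key must be within 2 m
FOB_PROCESSING_NS = 1000.0             # assumed fixed, known fob turnaround time

def fob_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Key fob side: prove knowledge of the shared key for this challenge."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()

def estimated_distance_m(round_trip_ns: float) -> float:
    """Car side: convert a measured round-trip time into a one-way distance."""
    time_of_flight_ns = max(round_trip_ns - FOB_PROCESSING_NS, 0.0)
    return time_of_flight_ns * SPEED_OF_LIGHT_M_PER_NS / 2

def car_accepts(shared_key, challenge, response, round_trip_ns, check_distance=True):
    """Accept only if the response is authentic and, optionally, close enough."""
    expected = hmac.new(shared_key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    if check_distance and estimated_distance_m(round_trip_ns) > MAX_KEY_DISTANCE_M:
        return False
    return True

def simulate(actual_distance_m, relay_delay_ns, check_distance):
    """One unlock attempt; timing values are constructed, not measured."""
    key = b"constructed-demo-key"
    challenge = os.urandom(16)
    # A relay forwards the genuine response unchanged, so it stays valid.
    response = fob_response(key, challenge)
    round_trip_ns = (2 * actual_distance_m / SPEED_OF_LIGHT_M_PER_NS
                     + FOB_PROCESSING_NS + relay_delay_ns)
    return car_accepts(key, challenge, response, round_trip_ns, check_distance)

if __name__ == "__main__":
    print("key in pocket, 1 m:            ", simulate(1.0, 0.0, True))
    print("relayed 30 m, no distance check:", simulate(30.0, 500.0, False))
    print("relayed 30 m, distance check:   ", simulate(30.0, 500.0, True))
```

Even a relay that adds no delay of its own fails the check, because the signal still has to cover the real distance to the key and back.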

Timing and Execution

A professional relay theft takes 30-60 seconds from approach to departure. The devices are widely available online for $100-$500, though professional-grade equipment costs more. Some thieves use modified Bluetooth or SDR (Software Defined Radio) equipment.

Most relay attacks happen between 2 AM and 5 AM when residents are asleep and neighborhood activity is minimal. The thieves appear unhurried—they're not breaking in, so there's no reason to rush or look suspicious.

CAN Bus Injection

Rising Threat

CAN bus injection represents a more technical but increasingly common attack vector. Unlike relay attacks, which trick the car's wireless receiver, CAN bus injection bypasses the key entirely by speaking directly to the vehicle's internal network.

Understanding the CAN Bus

The Controller Area Network (CAN) is the internal communication system that connects every electronic component in your vehicle. Your engine control unit, body control module, airbag system, door locks, and entertainment system all communicate over this network. When you press the start button, a message travels over the CAN bus telling the engine to start.

The CAN bus was designed in the 1980s for reliability and speed, not security. Messages aren't encrypted or authenticated. Any device connected to the network can send commands, and other modules will execute them without verification. This design made sense for closed systems—the assumption was that only authorized components would ever connect.

The Attack Sequence

  1. Access Point: The thief needs to physically connect to the CAN bus. The easiest points are external—headlight wiring harnesses, bumper sensors, or side mirror connections. Some vehicles expose CAN wires behind easily-removed plastic trim.
  2. Device Connection: A small device (often disguised as a diagnostic tool or hidden in a modified JBL speaker case) is connected to the exposed wires.
  3. Command Injection: The device sends commands on the CAN bus: "Unlock doors." "Disable immobilizer." "Start engine." The car's modules execute these commands because they appear to come from within the trusted network.
  4. Vehicle Control: With the immobilizer disabled and engine running, the thief drives away.

The Headlight Method

The most notorious CAN bus attack targets vehicles with smart LED headlights. These headlights connect to the CAN bus for adaptive lighting features. Thieves remove the headlight (often a 30-second process with practiced technique), expose the wiring harness, and connect their injection device.

This method became widely documented when BMW X-series vehicles, Toyota Land Cruisers, and Lexus LX models experienced a theft surge in 2022-2023. But it's not limited to these brands—any vehicle with CAN-connected external components is theoretically vulnerable.

Why Factory Security Doesn't Help

Factory immobilizers work by requiring a cryptographic handshake between the key and the engine control unit. But this check happens at the key/receiver level. CAN bus injection attacks happen after that layer—they send the "immobilizer passed" message directly on the internal network.

Factory alarms don't trigger because no doors are forced open. The attack bypasses the security layer entirely rather than defeating it.
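
What the missing authentication layer would look like at the receiving module, as an added example (not from this guide or any vehicle's firmware): each frame carries a freshness counter byte and a truncated MAC, and the receiver ignores frames that fail either check. The payload layout, the 4-byte MAC length, the key, the CAN ID 0x3A0, and all names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # truncated MAC; a classic CAN payload holds only 8 bytes

def _mac(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender module: payload = data + low counter byte + truncated MAC."""
    if len(data) > 8 - 1 - MAC_LEN:
        raise ValueError("data too long for an authenticated 8-byte payload")
    return data + bytes([counter & 0xFF]) + _mac(key, can_id, counter, data)

class Receiver:
    """Receiving module: acts only on authentic frames with a newer counter."""

    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last_counter = key, can_id, 0

    def accept(self, can_id: int, payload: bytes):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if can_id != self.can_id or len(payload) < 1 + MAC_LEN:
            return None
        data = payload[:-MAC_LEN - 1]
        low = payload[-MAC_LEN - 1]
        tag = payload[-MAC_LEN:]
        # Rebuild the full counter: the next value above last_counter
        # whose low byte matches the one carried in the frame.
        counter = (self.last_counter & ~0xFF) | low
        if counter <= self.last_counter:
            counter += 0x100
        if not hmac.compare_digest(tag, _mac(self.key, can_id, counter, data)):
            return None
        self.last_counter = counter
        return data

def demo():
    """Constructed frames: genuine, replayed, and injected without the key."""
    key, can_id = b"constructed-module-key", 0x3A0
    rx = Receiver(key, can_id)
    genuine = build_frame(key, can_id, 1, b"\x01")
    injected = b"\x01\x02\xde\xad\xbe\xef"  # correct shape, no valid MAC
    return (rx.accept(can_id, genuine), rx.accept(can_id, genuine),
            rx.accept(can_id, injected))
```

The replayed frame is rejected because the receiver recomputes the MAC over the next expected counter value, not the one the old frame was built with.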

OBD Port Exploitation

The On-Board Diagnostics (OBD-II) port is a standardized connector, required by law since 1996, that provides access to vehicle systems for diagnostics and emissions testing. It's typically located under the dashboard near the steering column. For thieves, it's a direct line into the vehicle's electronic brain.

What the OBD Port Enables

Legitimate uses of the OBD port include reading diagnostic trouble codes, checking emissions data, and performing authorized key programming. Unfortunately, the same access enables theft:

  • Key Programming: With the right tools, a new key can be programmed to the vehicle in under 30 seconds. The new key becomes fully functional—the car accepts it as legitimate.
  • Immobilizer Reset: Some vehicles allow the immobilizer to be reset or disabled through OBD commands, particularly older models or those with known vulnerabilities.
  • Module Reprogramming: Security modules can sometimes be reflashed with modified software that removes anti-theft protections.

The Access Problem

OBD exploitation requires the thief to already be inside the vehicle. This typically happens in two scenarios:

  • Combined with other methods: The thief uses a relay attack or slim jim to access the interior first, then uses OBD tools to enable ongoing access.
  • Left unlocked: Vehicles left unlocked or with windows down provide direct access.

Once inside, the OBD attack is fast. Professional-grade key programming devices can add a new key to most vehicles in 10-30 seconds. The thief then has a working key that starts the vehicle normally.

Tool Availability

OBD programming tools range from $50 consumer-grade devices to $15,000+ professional systems. Theft-specific tools are traded in underground markets, though many legitimate locksmith tools serve the same function. Some tools are sold openly on e-commerce platforms.

Key Programming & Cloning

Key programming and key cloning are often confused, but they're distinct techniques with different requirements and outcomes. Both result in the thief having a working key, but the methods differ significantly.

Key Programming

Key programming adds a new key to the vehicle's list of authorized keys. The new key doesn't copy the original—it creates a new valid identity that the car accepts. This requires:

  • Physical access to the vehicle (usually via OBD port)
  • A blank key fob compatible with the vehicle
  • Programming software or device
  • Time: typically 10-60 seconds depending on the vehicle and tool

Legitimate locksmiths use these tools daily for customers who've lost their keys. The same tools enable theft. Some manufacturers have added PIN codes or require two existing keys to program new ones, but workarounds exist for many vehicles.

Key Cloning

Key cloning creates a copy of an existing key by capturing and duplicating its signal. This doesn't require access to the vehicle—only proximity to the victim's key fob. Techniques include:

  • Signal capture: Specialized devices record the key's radio transmission when the owner uses it. Some systems can capture the rolling code sequence and predict future codes.
  • Proximity cloning: Devices capture key data by being near the key fob, even when it's not in use. This can happen in a pocket, purse, or on a table.
  • Relay + record: Some attackers combine relay techniques with recording, capturing the key's responses during a relay attack for later replay.

Cloning is generally more difficult than programming because it requires cryptographic attacks on the key's encoding. However, older and lower-cost vehicles often use weaker cryptography that's been broken by researchers and subsequently by criminals.

Signal Jamming

Signal jamming is a lower-tech approach that doesn't steal the vehicle directly but enables theft by preventing you from locking it. The technique exploits a common human behavior: pressing the lock button and walking away without confirming the car actually locked.

How Jamming Works

The thief uses a radio transmitter that broadcasts interference on the same frequency your key fob uses (315 MHz or 433 MHz). When you press your lock button, the signal never reaches your car. The car stays unlocked.

Most owners don't notice. They press the button, hear or see a confirmation they expect (or assume it happened), and walk away. The thief waits for them to leave, then simply opens the unlocked door.

Where Jamming Is Used

Jamming is most common in parking lots—shopping centers, airports, and entertainment venues. These locations offer:

  • High vehicle density (more targets)
  • Owners who leave the area after parking (time to act)
  • Anonymous environment (harder to identify thieves)
  • Valuable items often left in vehicles

Jamming vs. Theft

Signal jamming is often used for theft of belongings rather than vehicle theft. The unlocked car provides access to laptops, bags, and valuables without needing to defeat any security. However, if combined with OBD access, the unlocked vehicle can be programmed with a new key and stolen entirely.

Simple Prevention

Always confirm your vehicle locked by watching for the light flash, listening for the horn/chirp, or testing the door handle before walking away. This single habit defeats jamming attacks entirely.

Physical Theft Methods

Not all vehicle theft is high-tech. Physical methods remain relevant, particularly for high-value targets where electronic methods have failed or aren't available.

Tow-and-Go Theft

The most direct approach: load the vehicle onto a flatbed tow truck and drive away. This method requires no electronic exploitation at all. Professional crews can load a vehicle in 2-3 minutes.

Tow theft is common for high-value targets like exotic cars, luxury SUVs, and vehicles destined for export. Electronic security systems are irrelevant—the car never needs to start. At a chop shop or container yard, the electronic protections can be defeated at leisure.

Carjacking

Carjacking bypasses all electronic and physical security by taking the vehicle while the owner is present and has the key. This violent crime exists outside the scope of vehicle security systems—it's a personal safety issue requiring different countermeasures (awareness, avoiding high-risk situations, compliance training).

Traditional Break-In

Window smashing and door forcing still occur, particularly for:

  • Older vehicles without keyless entry
  • Theft of contents rather than the vehicle
  • Opportunistic theft by less sophisticated criminals
  • Gaining access for OBD programming

Factory alarms provide protection here—that's what they were designed for. But for targeted theft of modern keyless vehicles, more sophisticated electronic methods are preferred because they're faster, quieter, and leave no evidence.

Method Comparison

Method            | Time      | Skill Level | Equipment Cost  | Evidence Left
Relay Attack      | 30-60 sec | Low         | $100-$500       | None
CAN Bus Injection | 2-3 min   | Medium      | $500-$5,000     | Minor (trim)
OBD Programming   | 10-60 sec | Medium      | $1,000-$15,000  | None
Key Cloning       | Variable  | High        | $1,000-$10,000  | None
Signal Jamming    | N/A       | Very Low    | $20-$100        | None
Tow Theft         | 2-5 min   | Low         | Flatbed truck   | None

The most common methods share a pattern: they're fast, leave no evidence, and require relatively accessible equipment. This explains why vehicle theft has evolved—these techniques are simply more efficient than traditional methods.

What This Means for Protection

Understanding theft methods reveals why many popular "solutions" don't work:

  • Factory immobilizers stop hot-wiring but don't stop relay attacks or CAN bus injection.
  • Factory alarms detect forced entry but can't detect when the car is "legitimately" unlocked and started.
  • GPS trackers help locate stolen vehicles but don't prevent the theft from happening.
  • Steering wheel locks are visual deterrents but are defeated in seconds by determined thieves.
  • Faraday pouches block relay attacks when your key is stored in them—but only if you use them consistently.

Effective protection requires understanding the attack surface. For keyless vehicles targeted by relay attacks and CAN bus injection, protection needs to happen at a layer these attacks don't reach—typically, secondary authentication that the thief can't relay or inject.

The Takeaway

Modern vehicle theft exploits convenience features—keyless entry, networked systems, diagnostic ports—rather than physical weaknesses. Factory security addresses yesterday's threats, not today's. Understanding how these methods work is the foundation for evaluating which countermeasures actually address them.
