The Short Answer
A relay attack uses two devices to extend the range of your key fob's signal. One device captures the signal from your key (often while it's inside your house), and a second device broadcasts that signal next to your car. Your car believes the key is nearby, so it unlocks and starts. The entire process takes 30–60 seconds and leaves no evidence of forced entry.
How Keyless Entry Creates the Vulnerability
To understand relay attacks, you first need to understand what your keyless entry system is actually doing.
Traditional car keys required physical insertion and turning. The key's shape matched the lock cylinder, and an embedded chip communicated with the immobilizer. Security depended on physical possession of a specific object.
Keyless entry removed the physical step. Your key fob constantly broadcasts a low-frequency radio signal (typically 125 kHz for the wake-up signal, then 315 MHz or 433 MHz for communication). When you approach your car with the fob in your pocket, the car detects this signal, confirms the cryptographic code is valid, and unlocks the doors. Press the start button, and the same exchange authorizes the engine to start.
The security assumption is straightforward: the signal is weak, so it only works when the key is within a few feet of the car. If the signal is detected, the key must be nearby, and the authorized owner must be present.
This assumption is the vulnerability. The signal travels a few feet under normal circumstances—but radio signals can be captured and retransmitted.
The Attack, Step by Step
A relay attack typically involves two people, though single-person variants exist using pre-positioned devices. Here's the sequence:
Reconnaissance
Thieves identify a target vehicle—often by watching for high-value keyless cars parked in driveways. They note where the car is parked relative to the house.
Positioning the Relay
One thief approaches the house with a relay amplifier. They stand near the front door, a window, or wherever they estimate the keys are stored inside. The device doesn't need line-of-sight—radio signals pass through walls, doors, and bags.
Signal Capture
The amplifier picks up the low-power signal from the key fob inside the house. Even through brick walls and at distances of 10–30 feet, sensitive equipment can detect the transmission.
Signal Transmission
The captured signal is transmitted to a second device, held by an accomplice standing next to the target vehicle. This transmission can happen over radio, Bluetooth, or cable—extending the effective range of the key fob from feet to hundreds of feet.
Vehicle Deception
The second device broadcasts the amplified signal. The car's receiver detects what it believes is the legitimate key fob nearby. It performs the cryptographic handshake—which succeeds, because the responses are coming from the real key via the relay.
Entry and Start
The car unlocks. The thief enters, presses the start button, and the engine starts—still relying on the relayed signal from the key inside the house.
Escape
Once the engine is running, most vehicles won't shut off even when the key signal is lost. The thief drives away. The owner discovers an empty driveway in the morning.
The entire sequence takes 30–60 seconds. There's no broken glass, no alarm, no visible damage. Security cameras typically show what appears to be someone casually getting into their own car.
Why the Cryptography Doesn't Help
A common misconception: "My key uses rolling codes, so it can't be cloned." This is true—but irrelevant to relay attacks.
Modern key fobs use encrypted, rolling codes that change with each use. Capturing and replaying an old code doesn't work because the car expects the next code in the sequence. This effectively prevents cloning-based attacks.
Relay attacks don't clone anything. They relay the signal in real time. When the car asks "Is this the right key?", that question travels through the relay to your actual key. Your key responds with the correct, current cryptographic answer. That answer travels back through the relay to the car. From the car's perspective, a completely valid authentication just occurred.
The encryption protects against copying. It doesn't protect against extending the signal's range.
Which Vehicles Are Vulnerable
Any vehicle with passive keyless entry (PKE) is potentially vulnerable to relay attacks. This includes most vehicles manufactured after 2010 that feature:
- Push-button start
- Keyless door handles (touch to unlock)
- Proximity-based locking/unlocking
Some vehicles are targeted more frequently than others—not because they're more vulnerable technically, but because they're more valuable to thieves:
- Luxury SUVs: Range Rover, BMW X5/X6/X7, Mercedes GLE/GLS, Audi Q7/Q8
- High-performance vehicles: Dodge Challenger/Charger Hellcat, Ford Mustang GT, Chevrolet Camaro
- Popular trucks: Ford F-150, Ram 1500, Toyota Tundra
- Luxury sedans: BMW 3/5/7 Series, Mercedes C/E/S Class, Audi A4/A6
The Exception: Ultra-Wideband (UWB)
A small but growing number of vehicles use Ultra-Wideband technology for keyless entry. UWB measures the precise distance between the key and the car using time-of-flight calculations, making relay attacks significantly harder—the system can detect that the signal is being routed through a relay because of timing discrepancies.
Vehicles with UWB include certain BMW models (2022+), some Genesis vehicles, and select Mercedes models. However, UWB adoption remains limited, and security researchers have already demonstrated successful attacks against some implementations. UWB raises the bar but isn't a complete solution.
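The argument in "Why the Cryptography Doesn't Help" and the time-of-flight check described in this section can be seen side by side in a small simulation. This is an added example, not code from any vehicle or vendor: the HMAC challenge-response, the 2 m range bound, the 30 m relayed path and the 1 microsecond relay latency are assumed illustrative values, and no radio is involved.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s

class Fob:
    """Constructed stand-in for a key fob sharing a secret with the car."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Fresh answer bound to this challenge (HMAC is an assumed stand-in).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def unlock_attempt(car_key, fob, path_m, relay_delay_s=0.0,
                   max_range_m=None, replayed=None):
    """Return (crypto_ok, accepted) for one attempt.
    path_m: one-way distance the signal travels between car and fob.
    relay_delay_s: extra round-trip latency added by relay hardware.
    max_range_m: None = no ranging (legacy PKE); number = time-of-flight bound.
    replayed: a previously recorded response offered instead of a live one.
    """
    challenge = os.urandom(16)
    response = replayed if replayed is not None else fob.respond(challenge)
    expected = hmac.new(car_key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(response, expected)
    if max_range_m is None:
        return crypto_ok, crypto_ok  # a valid answer is all the car checks
    round_trip_s = 2 * path_m / C + relay_delay_s
    measured_m = round_trip_s * C / 2  # distance implied by the timing
    return crypto_ok, crypto_ok and measured_m <= max_range_m


def demo():
    key = os.urandom(32)
    fob = Fob(key)
    old = fob.respond(os.urandom(16))  # answer to an earlier challenge
    return {
        "replay, no ranging": unlock_attempt(key, fob, 1.0, replayed=old),
        "owner, no ranging": unlock_attempt(key, fob, 1.0),
        "relay, no ranging": unlock_attempt(key, fob, 30.0, relay_delay_s=1e-6),
        "owner, ranging": unlock_attempt(key, fob, 1.0, max_range_m=2.0),
        "relay, ranging": unlock_attempt(key, fob, 30.0, 1e-6, max_range_m=2.0),
    }

if __name__ == "__main__":
    print(demo())
```

The relayed attempt under ranging is rejected even with zero relay latency, because the 30 m path alone exceeds the bound. The model ignores the fob's own processing time, which a real ranging system has to account for.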
Equipment and Accessibility
Relay attack equipment ranges from crude to sophisticated:
- Basic relay kits: Available online for $100–$500. These work against many vehicles but may have range limitations or require specific positioning.
- Professional-grade equipment: $1,000–$5,000+. Greater range, more reliable signal capture, works across more vehicle makes and models.
- Custom/SDR-based setups: Technically sophisticated thieves use Software Defined Radio equipment, which can be tuned for specific frequencies and protocols.
The barrier to entry is low. The equipment is legal to purchase (it's also used for legitimate security testing), and tutorials are widely available. This accessibility is one reason relay attacks have become the dominant method for stealing keyless vehicles.
When and Where Relay Attacks Happen
Relay attacks follow predictable patterns:
Timing
Most residential relay thefts occur between 2 AM and 5 AM. This timing makes sense: residents are asleep, neighborhood activity is minimal, and the thieves can work without witnesses. The attack is quick enough that even a brief window of opportunity is sufficient.
Location
Driveways are the primary target. The car is close to the house (where the key is), accessible from the street, and typically unwatched overnight. Garage-parked vehicles are generally safe—the garage door and additional distance create obstacles.
Relay attacks can also occur in other settings—hotel parking lots, airport parking, or anywhere a thief can get close enough to your key while an accomplice accesses your car—but residential driveway theft is most common.
Target Selection
Thieves often cruise neighborhoods looking for high-value vehicles parked in driveways. Some operations are more targeted, following specific vehicles home from dealerships, car meets, or known high-value locations.
What Doesn't Stop Relay Attacks
Several common "solutions" are ineffective against relay attacks:
Factory Security Systems
Your factory immobilizer and alarm don't help. The relay attack provides valid authentication, so the immobilizer is satisfied. The car believes the key is present, so no alarm triggers. Factory security was designed for different threats.
GPS Trackers
A GPS tracker doesn't prevent the theft—it only reports the location afterward. By the time you realize the car is gone and check the tracker, it may already be in a location where recovery is difficult or dangerous.
Steering Wheel Locks
A steering wheel lock is a visible deterrent that may discourage opportunistic theft, but it doesn't stop the relay attack itself. Once inside, a determined thief can defeat most steering wheel locks in under 30 seconds.
What Actually Prevents Relay Attacks
Effective prevention either blocks the relay from working or adds authentication that can't be relayed:
Block the Signal: Faraday Storage
Faraday pouches and boxes block your key's radio signal from escaping. If the signal can't be captured, it can't be relayed. This is effective when used consistently—the key goes in the Faraday container immediately upon entering the house and stays there.
The limitation is behavioral: it requires perfect compliance. One night you forget, and that's the night thieves come through. Some users disable the key fob entirely (if the vehicle allows), which eliminates the signal without relying on a pouch.
Add Authentication: Digital Immobilizers
Aftermarket digital immobilizers add a secondary authentication layer—typically a PIN entered using factory buttons (steering wheel controls, pedals, etc.). Even if a thief successfully relays the key signal and gets the engine to "authorize" a start, the immobilizer blocks ignition until the PIN is entered.
The thief has no way to relay the PIN—it exists only in the owner's memory and is entered on physical buttons inside the car. This directly addresses the relay attack mechanism: even with perfect signal relay, the car won't start.
Physical Prevention: Garage Parking
Parking in a closed garage eliminates most relay risk. The additional distance and physical barriers (garage door, walls) make signal capture difficult, and the vehicle isn't accessible for entry even if the signal were captured.
Distance and Placement
If garage parking isn't available, storing keys as far as possible from the front of the house—and from exterior walls—makes signal capture harder. A key stored in a back room creates more distance for the relay device to overcome.
How to Know If You're at Risk
Your risk level depends on several factors:
- Vehicle desirability: High-value, frequently targeted models face more risk than economy cars.
- Parking situation: Driveway parking increases exposure compared to garage parking.
- Local theft patterns: Some areas have active relay theft rings; others have minimal activity.
- Key storage location: Keys kept near the front door or exterior walls are easier to capture.
If you drive a frequently targeted vehicle, park in a driveway, and live in an area with reported relay thefts, you're in a higher-risk category. That doesn't mean theft is inevitable—it means prevention measures provide meaningful protection.
The Takeaway
Relay attacks exploit the convenience of keyless entry by extending your key fob's signal beyond its intended range. The cryptographic security is intact—the attack doesn't break the encryption—but it doesn't need to. By relaying the legitimate signal, thieves get legitimate access.
Prevention requires either blocking the signal at the source (Faraday storage, garage parking) or adding authentication the relay can't capture (PIN-based immobilizers). Factory security wasn't designed for this threat and doesn't address it.