How Your Key Fob Can Be Hacked From Across the Street


Criminals no longer need to touch your car or even stand near it to break in. Many modern key fobs transmit low power signals continuously so the vehicle can detect the fob when the owner approaches. These signals travel only a short distance under normal conditions, yet they can be intercepted and amplified with simple radio equipment. When a relay device captures the fob’s signal from inside a home and forwards it to an accomplice near the vehicle, the car interprets the transmission as proof that the key is present. The doors unlock, the ignition activates and the theft takes place without any physical contact.

This type of attack succeeds because the authentication process depends on the strength and timing of the signal rather than a full two way verification step. The fob responds automatically whenever it receives a query from the vehicle. Criminals exploit this behaviour by extending the range of the query and relaying the response. The car receives a valid signal even though the key is still in the owner’s house, pocket or bag.

The combination of passive entry systems, constant low power broadcasting and predictable communication patterns makes these attacks possible from distances far greater than most drivers expect. The result is a form of theft that appears sudden and silent, yet relies on the same wireless functions that make modern keyless systems convenient.

How Criminals Steal Signals From Your Key Fob

Relay theft works by extending the communication between your key fob and your car far beyond the distance the system was designed for. A passive entry fob sends out low power signals at short intervals. These signals are meant to reach only a few metres so the car can detect the fob when the driver approaches. Criminals exploit this behaviour by using radio equipment that captures the signal near the fob and forwards it to a second device positioned beside the car.

The first device acts as a listener. It searches for the brief transmissions your fob sends while sitting on a table, inside a bag or in a pocket. Once it detects a valid signal, it amplifies it and sends it to the second device. The second device rebroadcasts that signal as if the fob were physically next to the vehicle. The car then responds with a challenge message, which travels back through the same chain. The fob replies automatically because it has no awareness of distance, only of receiving a valid query.

This exchange convinces the car that the key is close enough to unlock the doors and activate the start button. The attacker does not need to decode the signal or break encryption. They simply extend the communication path so the fob completes the process on its own. The entire sequence can occur in seconds, and because the fob behaves exactly as it would during normal use, there is no obvious sign that the signal has been relayed.

Why Modern Cars Are Vulnerable to Relay Attacks

Modern keyless entry systems are built around convenience features that unintentionally create openings for relay attacks. Passive entry relies on a fob that broadcasts short range signals at regular intervals. These signals are designed to travel only a few metres so the car can detect the fob automatically when the driver approaches. The system is intended to remove the need for button presses, yet this constant low power broadcasting allows criminals to capture and relay the transmissions from a distance.

The chipsets inside many key fobs respond automatically to queries from the car. When the vehicle sends out a request, the fob replies without checking how far the signal has travelled. The communication follows a predictable pattern, and the protocol assumes that distance itself acts as a barrier. Criminals bypass that assumption by using equipment that amplifies both the vehicle’s query and the fob’s response. The car receives a genuine reply, so it unlocks and enables the ignition.

A key factor is the limited authentication used by older passive entry systems. Many models confirm only that the signal is valid and correctly timed. They do not perform detailed distance checks. As a result, the car accepts a relayed response because the message arrives in the expected format, even though the fob is nowhere near the vehicle.

Low power beacon behaviour increases vulnerability. The fob transmits frequent, predictable signals to conserve battery life while maintaining availability. These short bursts are easy to capture when criminals use sensitive receivers that detect low strength transmissions through walls, doors or windows. Once the signal is collected, the relay chain extends it to the car with enough strength for the system to treat it as authentic.

These design choices support quick, seamless access for the driver, yet they also create the conditions that make long range relay attacks possible.

How Signal Boosters Extend Your Fob’s Range Across the Street

Relay devices work by capturing the low strength radio signal from a key fob and transmitting it to a second unit positioned beside the vehicle. These devices are built from hardware that is easy to obtain and simple to configure. Criminals often use compact receivers based on software defined radios because they can detect weak signals on the same frequency bands used by most passive entry systems. The hardware does not need to understand the encrypted data. It only needs to capture the radio energy and forward it without altering the contents.

Most key fobs operate in the 315 megahertz or 433 megahertz bands, while many European models use 868 megahertz. These frequencies travel well through walls and windows when amplified, which makes them suitable targets for relay equipment. The first device sits near the key inside the home and listens for periodic transmissions. Once it detects the beacon, it sends the captured signal through a wired or wireless link to the second device. The link often uses WiFi, Bluetooth or a simple radio channel, depending on the design of the relay kit.

The second device functions as the transmitter near the car. It recreates the fob’s signal at higher strength so the vehicle believes the key is within range. When the vehicle sends back its challenge message, the process reverses. The message travels from the car through the transmitter to the receiver near the key. The key responds automatically, and the reply is forwarded back through the relay chain. Each step occurs fast enough that the vehicle recognises the timing as normal.

This setup allows criminals to extend the effective range of a key fob from a few metres to tens of metres or more. The devices do not break encryption or generate fake codes. They simply move the conversation between the car and the key across a much larger distance, which gives the thieves full access even when the owner is inside the house or on another floor entirely.

Why Your Car Unlocks Without Knowing You Are Nowhere Near It

Keyless entry systems rely on a simple presence check rather than a full distance verification process. When a car sends out a query, it waits for a response that matches the timing and structure expected from the correct key. If the reply arrives within that window, the vehicle assumes the key is close enough to unlock the doors and enable the start button. The system does not confirm physical distance. It only confirms that the signal looks genuine and arrives quickly enough to fit the expected pattern.

This behaviour exists because early passive entry systems were designed around convenience, not security. Engineers assumed the limited range of the fob’s low power signal would act as a natural barrier. They expected that a driver would always be within a few metres of the vehicle before a query could reach the key and return a valid reply. The protocol therefore checks legitimacy but not origin. It authenticates the key, not the location.

Relay devices exploit this gap. They extend the range of both the car’s query and the key’s response, delivering each message fast enough that the timing appears normal. The car sees a valid reply and interprets it as proof that the key is nearby. The system has no information telling it that the signal travelled through multiple devices or that the key was actually inside a house across the street.

More secure systems use additional hardware to estimate distance by measuring signal characteristics such as arrival time or power level. Many older vehicles lack this capability, and even some newer ones rely on protocols that do not perform these checks consistently. The result is a system that provides quick access for owners but can be tricked easily when its assumptions about distance are removed.

The Difference Between Relay Attacks and Code Grabbing

Relay attacks and code grabbing are often mentioned together, yet they work in completely different ways. Relay attacks extend the communication between the key and the car without changing any part of the signal. Code grabbing attempts to record and reuse the signal itself. Understanding the difference helps drivers recognise why some cars are vulnerable to one method and not the other.

In a relay attack, the thieves do not intercept or decode the key’s transmission. They simply move it over a longer distance. The relay devices act as a bridge between the car and the key, forwarding each message in real time. The encryption remains intact and the codes remain genuine. The attack succeeds because the vehicle believes the key is physically close when it is not.

Code grabbing targets older systems that rely on fixed codes or poorly implemented rolling codes. When a driver presses the unlock button, the fob sends a command containing a specific code. Criminals with a receiver can capture that code as it is transmitted through the air. If the system uses fixed codes, the attacker can replay the captured signal later to unlock the car. If the system uses a basic rolling code, certain weaknesses allow a skilled attacker to block the original signal, record the next code in the sequence and use it after the owner walks away.

Modern passive entry systems are difficult to code grab because the communication is encrypted and tied to a challenge response process. That is why criminals prefer relay attacks. Relay equipment does not need to break encryption or understand rolling code sequences. It works by extending the distance over which the legitimate authentication takes place.

The two attacks therefore exploit different weaknesses. Code grabbing relies on outdated or insecure fob protocols. Relay attacks exploit the assumption that a genuine signal means the key is nearby. Both methods result in unauthorised access, but the underlying mechanism and the vulnerabilities involved are not the same.

How Criminals Clone Your Key Using Rolling Code Weaknesses

Key cloning through rolling code weaknesses affects older factory systems and some aftermarket alarms that skip strong encryption. These fobs generate a new code each time a button is pressed. The car expects that code to match the next value in a secure sequence. When implemented correctly, this prevents simple replay attacks. When implemented poorly, it creates openings that allow criminals to record and predict future codes.

Legacy systems with fixed codes are the easiest targets. These fobs transmit the same command every time. Criminals capture that transmission with a basic radio receiver, then replay it later to unlock the car. No decoding is required. The fob broadcasts a static pattern, and the attacker simply uses that pattern again.

Early rolling code systems added complexity, but many lacked proper protection against signal blocking. In these cases, an attacker can intercept the signal when the driver presses the button. The criminal uses a jammer to stop the car from receiving the code, so the doors remain locked even though the driver believes they are secure. The attacker stores that first code, waits for the driver to press the button again, captures the next code, and then uses the first stored code to gain entry. The car accepts the code because it appears to be the next expected value.

Some aftermarket systems use rolling codes without full encryption or without proper synchronisation checks. These systems may accept a range of future codes rather than a precise sequence. Criminals exploit this by capturing several transmissions, analysing the pattern and producing a valid code that the vehicle will accept. The attacker does not need to break high level encryption. They only need to predict a value that falls within the accepted range of the system.

These weaknesses remain a problem in older cars and in newer vehicles fitted with cheaper aftermarket alarms. The vulnerabilities arise from incomplete encryption, poor sequence management or the ability to block the fob’s signal without triggering an alert. Criminals use these gaps to clone the fob or generate a code that the system treats as authentic.
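The receiver-side checks behind the fixed code, rolling code and signal blocking cases above, as an added example that is not from the original article or any vendor's firmware. The truncated HMAC frame format, the 16-step look-ahead window and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac

LOOKAHEAD = 16  # constructed: how many future counter values the car accepts
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def make_code(key, counter):
    """Frame sent on a button press: 4-byte counter plus an 8-byte tag.
    (Assumed format for illustration, not a real fob protocol.)"""
    raw = counter.to_bytes(4, "big")
    return raw + hmac.new(key, raw, hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """Legacy behaviour: the same static frame unlocks every time."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is ahead of
    the last accepted counter, within the look-ahead window."""

    def __init__(self, key, last=0, window=LOOKAHEAD):
        self.key, self.last, self.window = key, last, window

    def accept(self, frame):
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        # The keyed tag is what stops a guessed or predicted counter.
        if not hmac.compare_digest(frame, make_code(self.key, counter)):
            return False
        if not (self.last < counter <= self.last + self.window):
            return False
        self.last = counter  # every older frame is now invalid
        return True


def demo():
    out = {}

    # Fixed code: a recorded frame keeps working.
    fixed = FixedCodeReceiver(b"UNLOCK-0001")  # constructed static frame
    fixed.accept(b"UNLOCK-0001")
    out["fixed_replay"] = fixed.accept(b"UNLOCK-0001")

    # Rolling code: the same frame is rejected the second time.
    car = RollingCodeReceiver(KEY)
    first = make_code(KEY, 1)
    out["rolling_first"] = car.accept(first)
    out["rolling_replay"] = car.accept(first)

    # Frames 2 and 3 are sent by the fob, but frame 2 never reaches the car.
    f2, f3 = make_code(KEY, 2), make_code(KEY, 3)
    # A frame the car never received is still "next expected" ...
    out["withheld_still_valid"] = RollingCodeReceiver(KEY, last=1).accept(f2)
    # ... until a newer frame is received and moves the counter past it.
    car.accept(f3)
    out["withheld_after_newer"] = car.accept(f2)

    # Counter outside the look-ahead window, and a counter without a valid tag.
    far = make_code(KEY, 1 + LOOKAHEAD + 1)
    out["beyond_window"] = RollingCodeReceiver(KEY, last=1).accept(far)
    forged = (2).to_bytes(4, "big") + bytes(8)
    out["forged_counter"] = RollingCodeReceiver(KEY, last=1).accept(forged)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} accepted={accepted}")
```

The withheld-frame result is why stronger designs bind each code to a fresh challenge from the car or to a short validity time, rather than relying on delivery to invalidate old codes.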

The Role of Bluetooth, NFC and UWB in Modern Key Systems

Modern key systems no longer rely solely on traditional radio frequencies. Many cars now use Bluetooth, near field communication and ultra wideband to improve convenience and security. Each technology behaves differently, and the way it measures distance or handles authentication affects how resistant it is to relay attacks.

Bluetooth Low Energy is used in smartphone based digital keys and some advanced fobs. It provides a steady connection with low power consumption, but it does not measure distance with high precision. Bluetooth signals can be relayed the same way traditional fob signals are relayed. A relay device can capture the Bluetooth packet and forward it to a second device near the vehicle. The car sees a valid packet and assumes the authorised phone or fob is nearby. Bluetooth improves convenience but offers limited protection against long range signal extension unless paired with additional hardware that checks signal characteristics.

NFC behaves differently. It requires extremely close contact between the fob or smartphone and a dedicated sensor, usually within a few centimetres. The short operating range makes it far more difficult to relay because the signal strength drops sharply with distance. NFC keys are often used as backup entry systems. They reduce the risk of long range attacks, but many cars still rely on traditional radio frequencies for passive entry, so NFC alone does not eliminate relay vulnerabilities.

Ultra wideband provides the strongest defence. UWB sends out very short pulses across a wide frequency range and measures the precise time it takes for those pulses to travel between the car and the key. The system uses those measurements to calculate distance accurately enough to detect relay attempts. If a relay device forwards the signal, even with minimal delay, the timing changes. The car recognises that the key is not physically close and refuses to unlock or start. This distance checking makes UWB highly effective at reducing relay range and preventing thieves from extending the key’s signal across the street.

These technologies create different levels of exposure. Bluetooth and traditional radio systems remain vulnerable to relaying unless supported by stronger distance checks. NFC limits exposure through physical proximity. UWB provides the most reliable protection because it verifies distance rather than assuming proximity.
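The gap between the presence check described under "Why Your Car Unlocks Without Knowing You Are Nowhere Near It" and the time-of-flight check described for UWB, as an added example that is not from the original article or any manufacturer's code: a small Python model of the car's verifier. The key, reply window, fob turnaround time, unlock radius and relay delay are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os

SPEED_OF_LIGHT = 299_792_458.0  # metres per second

# Constructed parameters for illustration, not taken from any real vehicle.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGACY_WINDOW_S = 0.005      # coarse reply window of a presence-only check
FOB_TURNAROUND_S = 200e-6    # assumed fixed, known processing time in the fob
MAX_DISTANCE_M = 2.0         # unlock radius enforced by the ranging check
RANGING_TOLERANCE_M = 0.3    # allowance for measurement error


def fob_response(key, challenge):
    """The fob answers any challenge it hears; it has no notion of distance."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def round_trip_time(path_m, relay_delay_s=0.0):
    """Round trip seen by the car: flight time both ways, the fob's
    turnaround, and any forwarding delay a relay adds in each direction."""
    return 2 * path_m / SPEED_OF_LIGHT + FOB_TURNAROUND_S + 2 * relay_delay_s


def estimated_distance(rtt_s):
    """Distance implied by the round trip once the turnaround is removed."""
    return (rtt_s - FOB_TURNAROUND_S) * SPEED_OF_LIGHT / 2


def response_is_valid(key, challenge, response):
    return hmac.compare_digest(response, fob_response(key, challenge))


def legacy_presence_check(key, challenge, response, rtt_s):
    """Authenticates the key only: valid reply inside a coarse window."""
    return response_is_valid(key, challenge, response) and rtt_s <= LEGACY_WINDOW_S


def distance_bounded_check(key, challenge, response, rtt_s):
    """Authenticates the key and bounds how far away it can be."""
    limit = MAX_DISTANCE_M + RANGING_TOLERANCE_M
    return (response_is_valid(key, challenge, response)
            and estimated_distance(rtt_s) <= limit)


def evaluate(path_m, relay_delay_s=0.0):
    """Run one unlock attempt through both verifiers."""
    challenge = os.urandom(16)
    response = fob_response(KEY, challenge)  # genuine in every scenario
    rtt = round_trip_time(path_m, relay_delay_s)
    return {
        "distance_m": round(estimated_distance(rtt), 1),
        "legacy": legacy_presence_check(KEY, challenge, response, rtt),
        "bounded": distance_bounded_check(KEY, challenge, response, rtt),
    }


if __name__ == "__main__":
    print("owner at 1.5 m:            ", evaluate(1.5))
    print("fob 40 m away, 1 us relay: ", evaluate(40.0, relay_delay_s=1e-6))
    print("fob 40 m away, ideal relay:", evaluate(40.0))
```

The response is cryptographically genuine in all three cases, so only the ranging check separates the owner from the relayed fob. In a deployed system the timing measurement itself must also be authenticated, otherwise the distance estimate can be manipulated.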

Why Some Cars Are Attacked More Than Others

Thieves do not pick cars at random. They target models where the wireless entry system is easy to abuse, the antenna layout is forgiving, and the car itself is valuable to strip or ship. That mix of electronics and economics explains why some owners get hit repeatedly while others barely hear about relay theft outside the news.

Antenna design is a major factor. Many popular cars use several antennas around the body so the car can sense the key near any door or the boot. A wide detection zone is convenient for the driver, but it also means a relayed signal does not have to be very precise. If the car accepts a strong signal at any one of those antennas, it will usually unlock and arm the start button. Models with more sensitive receivers or broader antenna coverage give criminals a larger window in which a boosted signal will work.

Fob broadcast strength also changes risk. Some keys send relatively strong low power beacons so the car can detect them through pockets, bags and light building materials. That makes life easier in a supermarket car park, and easier again for a thief standing on the footpath with a relay receiver. Tests by the German club ADAC found that the vast majority of cars with passive entry could be opened and driven away with a simple relay kit, and that only a small fraction of newer models had effective countermeasures in place.

Independent testing and insurer data show that specific models are heavily targeted. A Which? summary of UK tests reported that best sellers such as the Ford Fiesta, Volkswagen Golf, Nissan Qashqai and Ford Focus were all vulnerable to relay attacks when fitted with keyless entry, while a simpler Vauxhall Corsa without that feature resisted the same technique. UK theft figures and DVLA data highlight premium or high demand keyless models such as Lexus RX and ES variants as frequent targets, in part because their parts and complete vehicles command strong resale value. In Australia, police and insurers list models such as Toyota RAV4, Hilux, LandCruiser and Camry near the top of theft charts, many of which are sold with push button start and passive entry in higher trims.

Insurance data also shows that keyless cars attract a disproportionate share of organised theft. Admiral, the largest motor insurer in the United Kingdom, reported that between 60 and 70 percent of cars stolen from 2023 to 2024 were keyless models, even though keyless systems do not account for the same share of the total fleet. Industry groups and insurers note that gangs pick cars that are common on the road, desirable in export markets and easy to move through chop shops, then refine their tools for those electronics rather than spreading effort across every model.

Model specific vulnerabilities round out the picture. Some older keyless systems lack any form of distance measurement, so they accept any valid fob response that arrives within a simple timing window. Others do not rotate encryption keys as aggressively as current best practice, which makes them easier to abuse through relay or replay equipment. Newer vehicles that add ultra wideband distance checks, stronger crypto and better antenna zoning present a harder target, so criminals tend to leave them and focus on cars whose radio design still treats signal authenticity as proof of physical proximity.

Why Manufacturers Are Struggling to Fix the Problem

Manufacturers are caught between customer demand for effortless access and the cost of redesigning security from the ground up. Keyless entry and push button start sell cars, so removing or downgrading these features is not attractive. At the same time, industry tests keep showing that most current systems still fail basic relay attack checks. German club ADAC found that by mid 2023 only 44 out of 616 tested keyless models blocked relay attacks, which is just over seven percent of the total. 

The industry has known about the weakness for years. Security researchers warned more than a decade ago that keyless technology could be subverted so that owners would find cars gone with no visible damage, yet large parts of the market continued to ship systems that rely on simple proximity assumptions rather than hard distance checks. Once those systems are in circulation, they stay on the road for a long time. Retrofitting millions of existing cars with new hardware is expensive, so many brands limit upgrades to software tweaks or revised fobs for newer models.

Suppliers and insurers are pushing for stronger designs, but even those moves highlight the gap. Thatcham Research worked with car makers to create a security rating that includes relay theft resistance, then publicly urged brands to bring keyless technology to market in secure form and remove the burden from drivers to add their own protection. Progress is visible in a small number of newer cars with motion sensor fobs or ultra wideband keys, yet large volumes of current production still rely on older chipsets and protocols that lack precise distance checks.

Chip supply and cost also slow change. Ultra wideband hardware and more capable security controllers add complexity and price. Premium models such as recent BMW iX variants now use ultra wideband to make relay attacks much harder, and have been praised in ADAC testing for that reason, but this approach has not yet reached most mass market cars. Manufacturers must balance security upgrades against tight margins, existing supplier contracts and the need to certify new electronics across global markets.

Legal and insurance pressure is starting to rise, which exposes how uneven the response has been. A recent case involving the Hyundai Ioniq 5 shows a driver pursuing legal action after his electric car was taken in seconds using an electronic device, with Hyundai describing the issue as an industry wide problem rather than a model specific fault. Insurers in the United Kingdom and Australia now link keyless systems directly to rising theft figures and warn that relay tools can be bought easily online, which pushes manufacturers to act yet again highlights how long insecure designs have stayed in circulation.

In practice, that leaves a split fleet. A small but growing group of newer cars uses motion sensing fobs, ultra wideband distance checks and better antenna zoning. The much larger group still depends on legacy keyless systems that treat any valid signal as proof that the key is nearby. Until that balance shifts, manufacturers will continue to face the same basic problem: the convenience feature that helps sell the car also gives organised thieves a reliable wireless entry point.

The Signs Your Car Has Been Targeted

Most relay attacks leave no broken glass, no damaged locks and no obvious trace around the car. The evidence is usually subtle, which is why many owners assume they forgot to lock the doors. Recognising small changes in how the car behaves can help you spot when someone has probed your keyless system rather than dismissing it as a memory lapse.

One of the first signs is a cabin that looks slightly disturbed even though nothing is missing. Items in the centre console, glovebox or door pockets may appear moved or opened, while valuable objects are still present. Thieves often carry out a quick search for keys, wallets or diagnostic tools before deciding whether to return later or move on to another target.

Another clue is the state of the car’s locks and mirrors. If you always fold the mirrors using the lock button and find them unfolded in the morning, or the car is clearly unlocked when you are certain you secured it, that can indicate remote access. Many relay attempts take place at night or in early morning hours when owners are unlikely to walk past and notice an unlocked car on the driveway.

Unexplained alarm activity is another warning. Repeated alarm triggers with no visible cause can mean someone is testing how the system responds, how long it sounds and whether anyone reacts. In some cases, thieves will approach the car with a relay device, unlock it, then withdraw quickly if interior motion sensors or tilting sensors activate. You may see missed alerts on a phone app or find the alarm history cluttered with entries you cannot explain.

Some owners notice small fuel or range changes that do not match recent trips. If the car has moved a short distance or has been started briefly, the fuel gauge or battery range can drop slightly without any record of a normal journey. This can happen when thieves sit inside the car to check whether the engine starts or whether they can engage gears, then abandon the attempt if they cannot move it safely.

These signs are easy to overlook because they rarely involve dramatic damage. When they appear together, especially on more than one occasion, they point to probing by someone who understands keyless systems and is testing how your car responds to remote access.

How to Protect Your Key Fob From Remote Attacks

Physical barriers remain the most reliable defence because they stop the signal from leaving your home in the first place. A Faraday pouch is the simplest option. These lined sleeves block radio signals when the fob is sealed inside, which prevents a relay device from waking the fob or forwarding its responses. Quality varies, so the pouch should be tested by placing the fob inside and confirming that the car no longer unlocks when you stand close to it.

A metal box provides the same shielding effect. Many owners use small tins or lockboxes near the front door to contain spare keys and daily use fobs. The enclosure blocks both the low power beacon and the short burst of data that forms the reply in the authentication process. As long as the lid is closed, the signal cannot escape and cannot be relayed.

Some newer fobs include a sleep mode that disables the beacon when the key has been still for several minutes. This reduces the chance of the fob responding to a query from a relay device outside the home. Owners usually activate this with a button combination, and the fob wakes again once it is moved. Sleep mode does not change the underlying protocol, but it limits when the fob can be accessed remotely.

Storage location matters as well. Keeping the fob near a window, a front wall or a door gives relay devices a shorter path to reach it. Storing the key deeper inside the house increases the distance and the number of barriers between the fob and the street, which reduces the effectiveness of the first relay device in the chain.

Using a combination of these methods provides the best protection. A Faraday pouch or metal box stops the signal completely, sleep mode reduces exposure when the fob is left untouched and careful storage placement makes it harder for criminals to reach the fob with a relay device. These steps remove the easy access that relay attacks depend on and significantly lower the chance of remote entry.
