23rd September 2019

The continuing rise in relay theft, OEMs’ responses and trackers’ effective role

“Last week, I started keeping my car keys in the freezer, and I may be at the forefront of a new digital safety trend”, wrote Nick Bilton in the New York Times1 in April 2015, following his Prius having suffered no fewer than three ‘relay theft’ attempts using electronic devices.

This type of car crime has been attracting much more prominent and regular media coverage in recent years but, as Nick pointed out in his piece, “thieves have been breaking into and stealing cars with the help of electronic gadgets for several years now”, citing the theft of David Beckham’s BMW X5 in 2006 as the most famous case to date.

Following our own research, the theft of cars without any brute force using technology started to be more prevalently reported from 2012, with articles such as “High tech car theft: 3 minutes to steal keyless BMWs” appearing in publications such as CSO, the security and risk management news, analysis and research platform2a.

This followed a study presented at the Network and Distributed System Security Symposium in San Diego in February 2011, as previewed by Technology Review2b, which stated that “car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key”. Three professors and researchers at ETH Zurich were able to intercept and relay the signals from all ten cars they evaluated at the time, their various types of cryptography and key protocols posing no hurdle.

Trak Global Group has discussed the subject of vehicle relay theft previously on our blog, including a focus on the concerning widespread access to specific kits that can be purchased online, even from mainstream auction and ecommerce sites, with one objective in mind.

What is car ‘relay theft’?

As a recap3, the ‘relay theft’ method is based on the principle that keyless fob systems for opening and starting vehicles operate on a passive basis, with a signal emitted at all times. Attacks typically involve two perpetrators, one who holds a listening receiver device close to a property in order to detect any signals from key fobs inside, which are then relayed electronically to another gadget operated by the accomplice. By fooling the car into thinking that the key and hence an authorised driver is physically close by, its doors can be opened and the engine started without raising an alarm or activating any immobiliser system.

Technology trickle-down reinforces motorists’ exposure

While it’s true that the majority of reported instances initially involved luxury, prestige or otherwise relatively more expensive vehicles that were in the minority, natural progression in the automotive industry has seen more popular car models become available with keyless entry and start systems, which are now even standard on many of them.

In today’s car market, examples from the whole spectrum of models from relatively humble city cars such as the Hyundai i10 and Kia Picanto and hatchbacks including the Vauxhall Astra and Volkswagen Golf, through to premium models like the Maserati Ghibli, all feature keyless entry as standard or on their options lists, showing how accessible this technology now is to all motorists, young and old, affluent and less so.

Recent security tests prove concerning

We always welcome any additional tests introduced relating to safety and security and were pleased to learn of Thatcham Research’s new security rating scheme4, which commenced this spring, based on evaluating current and new models before assigning each to one of five categories ranging from superior to unacceptable.

It’s fair to say that consumers have a right to assume that even manufacturers of the most affordable cars on the market will be taking measures to ensure that their models are as secure as possible. While newcomers such as the all-electric Audi e-tron SUV and revised Land Rover Evoque received a ‘superior’ rating by Thatcham Research, we and many others found it extremely disappointing that the Suzuki Jimny was deemed ‘unacceptable’ and the Toyota Corolla Hybrid, advanced hydrogen-powered Hyundai Nexo, new Kia ProCeed and even the Lexus UX were rated ‘poor’.

Particularly for the alternatively-fuelled vehicles (AFV) cited, this new test identifying that their keyless entry systems are susceptible to relay attack is incomprehensible, but it must be stated that the Jimny’s problem is its lack of security features and options, with keyless entry/start unavailable.

The SMMT, however, criticised Thatcham Research’s new vehicle security ratings scheme on the basis that it doesn’t take into account different trim levels and specifications and therefore fails to compare like for like in a fair way. Their arguments are appreciable, but security should be something all OEMs work hard to uphold. While it’s true to an extent that the new tests may make criminals’ activities easier in terms of focussing their attention, they must surely be of benefit for car buying and leasing customers plus fleets to weigh up when choosing models.

An unabated trend with prestige models particularly at risk

Vehicle tracking company data5 published in Q1 2019 identified that three years ago 66% of stolen vehicles equipped with one of the firm’s devices were subjected to relay theft, and this figure rose sharply to 80% by 2017 before increasing again to 88% during 2018. Mercedes-Benz models accounted for four of the top ten cars stolen by hacking their keyless entry systems, while the BMW 3 Series and X5 have also consistently appeared in recent years’ rankings.

The Office for National Statistics (ONS)6 paints the same picture, which is unsurprising to Trak Global Group based on our own pioneering work in the telematics and vehicle tracking markets, with UK car theft in general rising 9% during 2018, while the Association of British Insurers (ABI) reported an 11% increase in claims, undoubtedly fuelled by the proliferation of relay attacks.

Jaguar Land Rover models customarily demonstrate robustness when it comes to security tests, though, with Thatcham Research’s findings echoed by the German Automobile Club (ADAC), which assessed 237 models and found all JLR examples to be completely secure to relay attacks.

However, tests by What Car? magazine7 highlighted that some current models including the DS 3 Crossback and MY18 Land Rover Discovery can be hacked and stolen within just ten and thirty seconds respectively, which we feel will only add to consumer confusion, making it more vital than ever that common sense precautions are taken no matter the make and model.

Tesla cars, known for their tech-first approach, have been featuring in an increasing number of UK headlines7b regarding relay theft, but Electrek7c recently highlighted a report from the Highway Loss Data Institute in the States that identified that Tesla vehicles are around 90% less likely to be stolen compared to the average car.

Statistics from the FBI’s National Crime Information Center data released by the National Insurance Crime Bureau impressively found that 112 of the 115 Tesla cars stolen in America from 2011 until May 2018 were recovered, but it’s a different story in Europe where more advanced technology is being used to steal these EVs. Reassuringly, Tesla has been quick to address these concerns by introducing an optional ‘PIN to Drive’ function alongside additional security layers with strengthened cryptography.

Trackers are incorporated in Tesla cars by default and now require each vehicle’s account password to be entered to deactivate GPS tracking, which is a move we welcome. The driver’s phone can be used to pinpoint the car’s location, which can also be ascertained by Tesla’s team. While it’s true that the on-board SIM card can be removed and that real-time updates are only transmitted when a Tesla is moving, the time will come when a Tesla is hopefully immune to electronic theft entirely, and such cars typically being parked in garages overnight also reduces their exposure.

Steps for drivers to combat relay theft

The RAC8 urges all drivers to ensure that their vehicles’ software, firmware and other systems are all up to date, as car thieves seek to exploit vulnerabilities in the same way they do with personal and business computers.

Mark Godfrey, the RAC’s insurance director, suggests storing car key fobs in protective ‘faraday’ cases that are readily available at very affordable prices and essentially block the signal being intercepted.

Preventative measures of a more physical and perhaps old-fashioned nature can also be taken, such as using a steering wheel lock that would prevent anyone from being able to drive the vehicle away even if they were to gain entry.

Placing keys well away from front doors, windows and other property entry points is also a very sensible and simplistic precaution to take, as opportunistic car thieves keenly exploit easy targets.

With criminals deploying all manner of increasingly sophisticated technology to steal cars, including gaining entry and then plugging a laptop or other device into a vehicle’s on-board diagnostic (ODB) port9 in order to disarm the alarm and immobiliser and start the ignition, fitting a tracker is also a highly recommended measure, especially for high value, leased, rental or company fleet vehicles.

As a technology, insurance solutions and mobility pioneer in the automotive space, Trak Global Group has experienced continuously increasing year-on-year demand for its vehicle tracking solutions and works closely with motor insurers to assist in the location and recovery of cars and vans taken without consent.

What can vehicle manufacturers do?

The San Diego researchers mentioned earlier found that relay theft often proves technically possible as far as eight metres away from a car’s key fob and that they were relatively easily able to prevent signals from being converted cyclically between analogue and digital in order to circumvent cars typically being programmed to deny unlocking and starting if the key signal takes too long to be received.

We agree with their recommendation that OEMs should equip key fobs with buttons or other ways of enabling drivers to activate and deactivate them to obstruct thieves exploiting the passive and hence more vulnerable approach that most systems operate with. It’s true, though, that placing another step in a motorist’s user experience will obviate the very convenience aim of keyless entry and ignition technology, so balance will need to be struck.

Criminality aided by technology evolves swiftly in reaction to moves by the original developers of devices, cars and all manner of other objects, so the onus is ultimately on vehicle manufacturers to ensure that cryptography and other security measures are as robust as possible. If this means that literally every model will need to meet certain minimum stipulations, which in turn translates into slightly higher car prices, this is surely a compromise worth accepting rather than conceding that complex car crime has become the norm.

Dr Ken German, a high-profile figure in the automotive space, recently published a fascinating piece on The Telegraph’s10 website entitled ‘The fightback against car thieves who copy remote-control signals begins now’. It reveals that relay theft is additionally now being used to open electronic garage doors and also to steal motorbikes, quad bikes, electric bicycles plus other electrically-powered machines and tools.

Car manufacturers, Dr German explains, have always had a duty to devise and supply dealerships with equipment and devices for fixing malfunctions that develop and performing recalls, and such newly-introduced tools and technologies are falling into the hands of anyone willing to pay the relevant price, including criminals.

‘Bug hunting’ for hidden devices

One anti-crime measure being adopted in the UK is ‘bug sweeping’, a technique that has increased tenfold over just the last two years in professional terms, whereby hidden GPS tracker devices illegally installed in vehicles are detected and ultimately removed. Consumer debugging kits are also now widely available to help concerned motorists detect any unusual Wi-Fi or SIM card activity, but it’s worth noting that they generally just detect suspicious installations rather than help intercept or block them.

Trackers play a key role in combatting vehicle theft

Dr German also explains that “the police have relied heavily on the tracking device to recover stolen vehicles quickly” and, as a leader in the tracker and telematics field, Trak Global Group would concur with his comment that recovery rates tend to be in the 90-95% band, which we regularly see on a first hand basis being welcomed by police forces and indeed private motorists, leasing and rental companies and fleet managers.

Commendable moves by Ford in response to relay attacks

We are very encouraged by the strides Ford is making in ensuring that its popular models are as secure as possible, with the new Fiesta and Focus now equipped with an upgraded wireless fob featuring ‘sleep mode’11 that is activated if movement isn’t detected by the in-built motion sensor for more than 40 seconds. We feel that this relatively simple innovation certainly seems logical and will prevent relay theft occurring while key fobs are left on hallway tables and in coat pockets. Replacement fobs costing £65-72 will be offered to existing drivers of these two models purchased before the new feature was introduced.

While it’s fair to say that well-funded or technologically-savvy criminal organisations will continue to react to new systems and find ways to exploit them, the automotive, insurance and other sectors are highly conscious of the rise in relay theft, and it’s conceivable that steps similar to Ford’s sleep mode will be implemented by many more OEMs. In the meantime, of course, common sense security measures are recommended, as they indeed always will be.

Sources:

1. https://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html

2. https://www.csoonline.com/article/2222742/high-tech-car-theft–3-minutes-to-steal-keyless-bmws.html

2b. https://www.technologyreview.com/s/422298/car-theft-by-antenna/

3. https://www.thatcham.org/relay-attack/

4. https://www.thisismoney.co.uk/money/cars/article-6834267/New-rating-reveals-models-no-anti-relay-theft-security-measures.html

5. https://www.independent.co.uk/life-style/motoring/keyless-car-theft-models-most-stolen-and-recovered-2018-a8798291.html

6. https://www.express.co.uk/life-style/cars/1122322/car-theft-stolen-keyless-entry-hack-your-cars-risk

7. https://www.bbc.co.uk/news/business-49273028

7b. https://www.thesun.co.uk/news/9773704/thieves-steal-keyless-car-30-seconds/

7c. https://electrek.co/2019/08/01/tesla-vehicles-stolen-less-than-average-car/

7d. https://cleantechnica.com/2019/08/08/why-is-a-tesla-so-hard-to-steal/

8. https://www.rac.co.uk/drive/advice/know-how/car-hacking-and-key-hacking/

9. https://www.mirror.co.uk/money/rise-keyless-car-thefts-experts-18945820

10. https://www.telegraph.co.uk/cars/comment/fightback-thieves-copy-remote-control-signals-begins/

11. https://www.driving.co.uk/news/ford-claims-new-key-fob-sleep-mode-prevents-keyless-car-thefts/