Theft Prevention Academy
Keyless Theft Explained — It Isn't One Attack, It's Three
"Keyless theft" is the term UK media and insurers use for thefts of push-button-start vehicles. It's useful shorthand but misleading — because keyless theft isn't one attack. It's three distinct methods, each exploiting a different weakness, each defeated by a different counter-measure.
Why "keyless theft" needs unpacking
When a UK insurer tells you "keyless theft is up" or a news article says "another keyless Range Rover stolen", the term hides the specific attack. That matters because if you don't know which attack your vehicle faces, you can't choose counter-measures properly.
A Faraday pouch defeats relay attack but does nothing for OBD cloning.
An OBD port lock box partially slows OBD cloning but does nothing for relay attack.
Key emulation / CAN injection bypasses both of the above.
Attack 1 — Relay attack (signal amplification)
- What it is: Two devices — one near your key indoors, one near your car — create a live bridge so the car thinks the key is next to it.
- What it needs: Your factory key broadcasting indoors, two thieves with relay equipment, and keyless entry / start.
- What defeats it: Faraday pouching the key; a key with motion-sleep enabled; Autowatch Ghost II (always).
- Prevalence: Highest-volume keyless attack in the UK.
Attack 2 — OBD port cloning (new key programming)
- What it is: Break a window, plug a coding tool into the OBD port, programme a blank key as authorised, start the engine.
- What it needs: An unattended vehicle, a broken window, 60–120 seconds with a coding tool.
- What defeats it: Autowatch Ghost II (reliably); an OBD port lock box (partially).
- Prevalence: Extremely high, particularly on Ford Transit, Sprinter and premium SUVs.
Attack 3 — Key emulation / CAN injection (the emerging third)
- What it is: A coding tool simulates a valid key signal — or injects commands directly into the vehicle's CAN bus from an accessible wiring point (e.g. headlight assembly).
- What it needs: Physical access to a CAN bus entry point.
- What defeats it: Autowatch Ghost II (because the injected commands still hit the immobiliser stage); a Thatcham S5 tracker for recovery.
- Prevalence: Rising, particularly on Toyota Hilux / Land Cruiser, Lexus RX.
Why it matters: Emulation/injection attacks defeat Faraday pouches AND OBD lock boxes.
Which attack targets which vehicle
| Vehicle class | Primary attack | Secondary attack |
|---|---|---|
| Range Rover / Defender | Relay | OBD cloning |
| BMW M-cars / X-series | Relay | OBD cloning |
| Mercedes AMG / G-Wagon | Relay | OBD cloning |
| Ford Transit / Custom | OBD cloning | Relay (Sport trims) |
| Mercedes Sprinter / Vito | OBD cloning | Relay |
| Toyota Hilux / Land Cruiser | Key emulation (CAN) | OBD cloning |
| Lexus RX / NX | Key emulation | OBD cloning |
| Tesla | Relay | Occasionally emulation |
Counter-measure by attack
| Counter-measure | Relay | OBD cloning | Emulation/CAN |
|---|---|---|---|
| Faraday pouch | Partial | ❌ | ❌ |
| Key motion sleep | Partial | ❌ | ❌ |
| OBD lock box | ❌ | Partial | Partial |
| Steering lock | Deterrent | ||
| Factory immobiliser | ❌ | ❌ | ❌ |
| Thatcham S5/S7 tracker | Recovery only | ||
| Autowatch Ghost II | ✅ | ✅ | ✅ |
| Ghost II + S5 tracker stack | ✅ Prev + Rec | ✅ Prev + Rec | ✅ Prev + Rec |
The combined install that addresses all three
For any keyless vehicle at meaningful risk — which is nearly every modern UK keyless car or van — the install that covers all three attack types is:
Thinkware Dash Cam
Parking mode provides evidence and deterrent for driveways.
Thinkware install →Bundle pricing available; typical full-stack install time 3.5–5 hours.
Frequently asked questions
Is keyless theft really one of the biggest UK crime categories?
Yes — UK police and insurer data consistently places keyless vehicle theft in the top tier of organised property crime.
Is my car keyless?
If you press a button to start it (rather than turning a key), yes. If your key unlocks by proximity, it's fully keyless.
Are older non-keyless cars safer?
From the three keyless-specific attacks, yes. Older cars face different risks — hotwire-style attacks, mechanical defeat of older immobilisers.
Can I ask my manufacturer to disable keyless?
Sometimes — some let a dealer deactivate keyless, requiring a fob button press. Reduces relay exposure; doesn't help with OBD or emulation.
What's the cheapest single upgrade I can make tonight?
A Faraday pouch. Use it every time. Not a full solution, but as a £15 measure it's worth having.
What's the most effective single upgrade?
Autowatch Ghost II installation. It addresses all three keyless attack variants at the point the engine tries to start.
If I fit Ghost II, do I still need a tracker?
If your insurer has required one, yes. If not, Ghost II alone is a reasonable choice for prevention-only.
Does my vehicle's factory security do anything?
It tries. Against well-equipped organised crews in 2026, factory security alone is routinely defeated.
Do electric vehicles face extra risks?
Same three attack types. No additional EV-specific risk from a keyless-theft perspective.
Will any of this affect my warranty?
No — Ghost II is non-invasive and CAN-listening; trackers are non-invasive hidden-fit.
Book a security install
Send vehicle + postcode. We'll quote the stack, schedule a mobile fit, and send the Thatcham certificate the same day.