Theft Prevention Academy
Relay Attack Explained — How Thieves Steal a Keyless Car in Under a Minute
A relay attack is the single most common way modern keyless vehicles are being stolen in the UK in 2026. It uses two inexpensive devices, two people, and the vehicle's own factory security against you — and it takes well under a minute from approach to drive-away on most keyless cars. This article explains exactly how it works, which vehicles are most vulnerable, and which counter-measures genuinely defeat it — not "put your keys in a biscuit tin"-grade advice, but the concrete engineering that blocks the attack at source.
What a relay attack actually is
A relay attack is a signal-amplification attack against your vehicle's keyless entry and keyless start system. Your factory key constantly broadcasts a low-power RF signal identifying itself to the car. When the car detects the signal within ~1–2 m of the door, it unlocks; within ~1 m of the start button, it lets the engine start.
A relay attack uses two devices to extend that range from metres to tens of metres — or through the walls of your house. The car thinks the key is next to it; the key is actually on the hallway table where you left it.
How it works — step by step
Scout
One thief approaches your driveway with a pocket-sized relay transmitter near the car's door.
Amplify
A second thief stands near your front door or window with a relay receiver / amplifier, picking up the weak RF signal coming from your key inside the house.
Bridge
The two devices talk to each other (wired cable or radio), creating a live bridge between your key's signal and the car's antenna.
Unlock
The car sees the "key" and unlocks — still thinking the key is next to the door.
Start
The thief in the car presses the start button. The car checks for the key signal one more time, the relay bridge delivers it, and the engine starts.
Drive
Rolling code expires eventually, but the engine will continue running until it's switched off. The car is driven away.
Total elapsed time on most keyless vehicles: 30–90 seconds. No noise. No alarm. No broken glass.
Why factory keyless security can't stop it
The attack doesn't break the factory security — it uses it. The key is broadcasting a valid signal to a valid receiver through a valid challenge-response exchange. Nothing is spoofed. The only thing that's wrong is the physical distance, and the car has no reliable way to measure that.
Some newer vehicles include Ultra-Wideband (UWB) ranging that measures key proximity more accurately — Range Rover L460, newer Mercedes S-Class, some BMW i-models. UWB makes relay attacks harder, not impossible. Organised crews have already adapted tooling to several UWB implementations.
Which vehicles are vulnerable
Nearly every modern keyless vehicle has some exposure, but the following are particularly targeted in UK data:
| Class | Examples |
|---|---|
| Premium SUVs | Range Rover, RR Sport, Velar, Defender L663, BMW X5/X7, Mercedes GLE/GLS/G-Wagon, Porsche Cayenne |
| Performance saloons | BMW M3/M4/M5, Mercedes AMG C/E, Audi RS6, Porsche Taycan |
| Keyless vans | Ford Transit Custom Sport, VW Transporter T6.1, Mercedes Sprinter premium trims |
| High-value electric | Tesla Model S/X, Audi e-tron, Porsche Taycan, BMW iX, Mercedes EQS |
| High-spec mid-market | VW Golf R, Honda Civic Type R, Toyota Supra, Hyundai Ioniq 5 N |
Vehicles without keyless entry/start — typically older cars with a physical key blade only — are not vulnerable to this specific attack (they face different risks; see OBD port cloning).
What genuinely defeats a relay attack
Four counter-measures, ranked by real-world effectiveness:
Autowatch Ghost II immobiliser
Ghost II is an aftermarket CAN-bus immobiliser that holds the engine at the immobiliser stage until you enter a PIN sequence using buttons the thief doesn't know about (steering wheel, indicators, door, console). The relay attack still works — the thief can unlock the car and press the start button — but the engine will not run.
- It doesn't rely on you remembering to pouch the key.
- It doesn't rely on the key sleeping.
- It doesn't rely on the factory security's limitations.
- It actively prevents engine start at the immobiliser stage.
Thatcham S5 tracker
An S5 tracker doesn't stop the relay attack, but if Ghost II isn't fitted (or if the vehicle is ever lifted onto a transporter and driven away with external power), the S5's driver-recognition tag system detects unauthorised movement within seconds and the 24/7 ADR control room co-ordinates recovery. The strongest combined install for any vehicle worth relay-attacking: Ghost II + S5.
S5 InstallationKey with motion sensor disabled
Some keys (BMW, Mercedes, Range Rover) have a motion sensor that puts the key to sleep after ~30 seconds of inactivity. A sleeping key doesn't broadcast. Check your owner's handbook. Limits: relies on you leaving the key still long enough to sleep. Kitchen table next to a washing machine? No good.
Faraday pouch or metal tin
Blocking the key's RF signal when it's in the house stops the relay receiver picking it up. Limits: only works while the key is in the blocker. The moment you take the key out of its pouch, it's broadcasting again. If you forget once, the attack window opens.
What doesn't help
- Car alarms — Modern vehicles already have factory alarms; relay thieves don't trigger them because they're using a valid key signal.
- Steering locks and disc locks — Deter opportunists; organised crews carry angle grinders.
- Motion lights on the driveway — Organised crews don't care — most are done before anyone looks out.
- Parking "clever" — Helps marginally against tow-away, not against drive-away.
- Signs saying "tracker fitted" — No thief believes a sign.
- Factory telematics — ConnectedDrive, InControl, etc. Useful for convenience, not Thatcham-rated. Relay thieves disable connectivity quickly.
Frequently asked questions
How common is relay attack in the UK?
Very. Police data across West, South and North Yorkshire, and national-level data from UK insurers, consistently places relay attack as the dominant method of keyless vehicle theft from residential addresses.
How far can a relay attack reach through walls?
Typical effective distance is 10–25 metres between receiver and transmitter, often through brick walls. A key on a hallway table is easily within range of a receiver standing by your front door.
Does Faraday pouching my key completely stop it?
Only while the key is inside the pouch. If you forget once, the window is open. It's a useful supplementary measure, not a substitute for a Ghost II.
Will Ghost II stop every variant of relay attack?
Ghost II stops the attack at the immobiliser / engine-start stage, which is where every variant of relay attack has to pass through. As long as Ghost II is fitted and programmed, the engine will not run without the PIN sequence.
What if thieves just lift the car onto a flatbed?
Rarer but possible. That's where the S5 tracker earns its keep — inertia detection + driver-tag absence fires the ADR alert within seconds.
Do Ultra-Wideband keys solve this?
They reduce the attack window, particularly on new Range Rover L460 and some current Mercedes. They don't eliminate it — organised crews have adapted tooling. UWB is worth having; it isn't a substitute for Ghost II.
Are electric vehicles more vulnerable to relay attack?
No — EVs use the same keyless systems. Thefts of Tesla, Taycan, EQS, iX and Polestar via relay attack are documented routinely.
Which vehicle is the worst-affected?
Range Rover and Range Rover Sport top UK organised-theft statistics by volume. G-Wagon and AMG Mercedes are extreme per-vehicle-value cases. BMW M3/M4 are organised-crew favourites.
Book a security install
Send vehicle + postcode. We'll quote the stack, schedule a mobile fit, and send the Thatcham certificate the same day.