Relay attacks break the assumption that a nearby signal proves legitimate presence. The vehicle accepts a relayed response from the real key as if it were local, which can let an attacker unlock or start the car without stealing the key itself. That is why proximity-based authentication needs anti-relay validation, not just stronger hardware branding.
Why This Matters for Security Teams
Relay attacks show that a convenient user experience can become a security boundary failure when the system treats proximity as proof of legitimacy. The car is not being “hacked” in the abstract sense so much as its trust model is being bypassed: the vehicle authenticates a signal path, not the person standing beside it. Guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls is clear that controls must be selected to resist realistic threats, not just nominal ones.
For security teams, the practical issue is that relay attacks undermine both physical access control and the assumptions behind keyless convenience features. A stolen car is no longer the only concern. Attackers can exploit the radio handshake at the edge of the property, often without triggering obvious tampering alerts. That means alarm tuning, parking security, and owner behaviour all matter, not just the cryptography inside the fob. In practice, many security teams encounter relay risk only after repeated vehicle thefts have already occurred, rather than through intentional testing of the access path.
How It Works in Practice
Keyless systems typically rely on a short-range challenge-response exchange between the vehicle and the fob. In a healthy design, the car expects the credential to be physically nearby, and the signal characteristics help enforce that assumption. Relay attacks break this by extending the communication path in real time. One attacker stands near the vehicle, another stands near the key, and the radio exchange is forwarded fast enough that the car believes the key is present.
That changes the defensive model. Anti-relay protection is not just about encryption strength. It also depends on distance bounding, timing checks, motion sensing, user awareness, and where the key is stored. Some vehicles add ultra-wideband or other proximity-validation methods, but current guidance suggests there is no universal standard for perfect relay resistance yet, especially across mixed fleets and older models.
- Use physical key storage habits that reduce signal exposure, such as shielding when the vehicle is parked.
- Prefer vehicle models with explicit anti-relay features, not just passive entry convenience.
- Review whether the system supports timeout, sleep, or motion-based key suppression.
- Treat parking location, garage access, and key handling as part of the control design.
For a useful attack-pattern lens, the MITRE ATT&CK Enterprise Matrix helps teams think in terms of adversary access pathways, even though the vehicle domain is not a direct one-to-one mapping. These controls tend to break down when a relay can be performed from within a driveway, apartment car park, or shared garage because the attacker can remain close enough to sustain the signal path without raising suspicion.
Common Variations and Edge Cases
Tighter anti-relay controls often increase cost, user friction, and retrofit complexity, requiring organisations to balance convenience against theft resistance. The tradeoff is especially visible in fleet environments, where standardisation matters more than individual owner habits.
Not all keyless systems fail in the same way. Some support better distance validation, some rely on motion-activated fobs, and some still leave the vehicle open to simple relay tooling. Best practice is evolving, and there is no universal standard for how much timing tolerance is acceptable across vendors. That is why purchasers should ask for documented anti-relay behaviour rather than assuming “smart key” means “safe key.”
The identity-security intersection is real even here: the vehicle is effectively making an authentication decision about a non-human credential, and the weakness is comparable to poor secret handling in other automated systems. The OWASP Non-Human Identity Top 10 is useful for thinking about what happens when a credential’s possession and context are not sufficiently bound together. For broader threat awareness, CISA cyber threat advisories remain a good source for emerging attack techniques and defensive posture changes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Proximity-based access is an authentication control that must resist misuse. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The vehicle key behaves like a non-human credential vulnerable to misuse. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication integrity is central when a relayed credential can be accepted as local. |
| NIST Zero Trust (SP 800-207) | AC-6 | Least privilege and explicit verification help when physical presence is spoofed. |
Verify that access decisions use more than signal presence and test anti-relay assumptions.
Related resources from NHI Mgmt Group
- What breaks when a vulnerable third-party component still has broad network and identity access?
- What breaks when privileged access is not continuously governed?
- What breaks when organisations copy legacy access into a new ERP system?
- What breaks when sandbox validation is separated from file access?