Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Relay Attack
Cyber Security

Relay Attack

← Back to Glossary
By NHI Mgmt Group Updated July 14, 2026 Domain: Cyber Security

A relay attack extends the communication path between a vehicle and its genuine key so the system believes the key is nearby. The attacker does not need to steal the key physically, only to forward the signal fast enough to satisfy the vehicle’s proximity check.

Expanded Definition

A relay attack is a proximity-bypass technique that exploits systems which trust short-range communication as proof of physical presence. In vehicle access, the attacker captures the legitimate key fob signal and forwards it to the car in real time, making the vehicle believe the key is nearby even when it is not. The attack does not require cryptographic breakage; it abuses the distance assumption built into the access control design.

For security teams, the important distinction is that a relay attack is not the same as key cloning, credential theft, or brute-force entry. The weakness is environmental and architectural: the system authenticates the signal, but not the actual location of the credential holder. Guidance varies across vendors on how much protection is gained from passive key storage, motion-sensing fobs, or radio shielding, because no single standard fully resolves the proximity problem. For a baseline control reference, NIST control language on access enforcement in NIST SP 800-53 Rev 5 Security and Privacy Controls is useful when translating proximity-based trust into governance requirements.

The most common misapplication is assuming a keyless entry system is secure simply because the credential is encrypted, which occurs when proximity is treated as proof of legitimacy.

Examples and Use Cases

Implementing anti-relay protections rigorously often introduces convenience and hardware tradeoffs, requiring organisations to weigh user friction against stronger assurance that the authenticated device is actually present.

  • Vehicle theft teams use a relay device outside a home and a second device near the victim’s key fob to unlock and start a car without touching the fob.
  • Some organisations issue staff with vehicles or secured fleet access systems and then require faraday pouches or motion-sleep key fobs to reduce exposure to signal forwarding.
  • Security researchers demonstrate that proximity assumptions fail when access decisions rely on radio strength alone, even if the underlying credential remains valid.
  • Incident responders often compare relay attack patterns with other access bypass techniques documented in the MITRE ATT&CK Enterprise Matrix, while noting that ATT&CK covers broader enterprise techniques rather than vehicle-specific proximity abuse.
  • Threat intelligence teams may use CISA cyber threat advisories to track surrounding theft methods, especially where relay attacks are combined with physical compromise or follow-on intrusion.

Why It Matters for Security Teams

Relay attacks matter because they expose a failure mode in trust design: the system verifies a credential response but not the authenticity of the physical context it is supposed to represent. That makes them especially relevant wherever short-range trust is used as a convenience factor, including vehicles, access badges, IoT unlock systems, and some non-human identity workflows that depend on nearby device presence. The broader lesson is that proximity is not identity, and identity is not location.

For NHI and agentic environments, the same pattern appears when an autonomous software entity is allowed to act because a token or key appears reachable on the network, rather than because the request is constrained, time-bound, and context-checked. That is why proximity-style assumptions are increasingly discussed alongside Anthropic — first AI-orchestrated cyber espionage campaign report and broader AI abuse discussions, even though the relay attack itself is not an AI technique. Organisations typically encounter the operational cost only after an access bypass or theft event, at which point relay resistance becomes operationally unavoidable to address.

For teams building defensive context around emerging abuse patterns, the MITRE ATLAS adversarial AI threat matrix is relevant only as a comparison point for how security taxonomies describe abuse patterns, not as a direct relay-attack standard.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1CSF access control principles address how trust is granted and verified.
NIST SP 800-53 Rev 5AC-3Access enforcement controls help limit reliance on weak proximity assumptions.
NIST SP 800-63AAL2Digital identity guidance helps distinguish credential assurance from physical presence.
OWASP Non-Human Identity Top 10NHI guidance covers tokens and device identity misuse where context is weak.
NIS2NIS2 drives risk management for access systems that can be bypassed through relay abuse.

Pair authenticators with context checks when presence is part of the assurance model.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org