Real-World Car Theft: Attack Surface Analysis

by
Kanan Huseynov

Read time: 00:06

Release date: 6.13.2025

Car theft is evolving fast. As vehicles become smarter and more connected, thieves are getting smarter too. Today, stealing a car doesn’t always mean breaking a window or hot-wiring the ignition - in many cases, it can happen without even touching the vehicle.

Keyless entry systems, connected apps, and onboard diagnostics have made driving more convenient, but they’ve also introduced new attack vectors. We’ll explore how real-world attackers are taking advantage of modern vehicle technology to bypass security systems and steal cars - often in minutes, and sometimes remotely.

The insights you're about to read are powered by the PCA Threat Intelligence Collection and Analysis Platform, which continuously collects and analyzes large amounts of data from diverse sources globally. This allows PCA to provide a comprehensive and up-to-the-minute understanding of the evolving automotive threat landscape, directly informing the strategies you'll see employed by today's most sophisticated car thieves.


RF and Keyless Entry Attacks

These RF-based attacks target the radio link between your key fob and the car:

  • Relay Amplification (Passive Keyless Entry exploits): In this classic attack, thieves use two radio devices to relay signals between your car and key fob. One thief stands near the car and captures the low-frequency “wake-up” signal that the car continuously emits; they then transmit it to a second device near the owner’s key fob, which answers as if it were standing next to the car, and that response is relayed back the same way. Relay attack kits have been found for sale on underground forums and even Telegram channels, making this attack widely accessible to criminals.
  • Signal Jamming (Lock Blocking): Another simple tactic is jamming the RF signals when the owner tries to lock the car. Thieves use a portable radio jammer (often an SDR like a HackRF or a crude continuous transmitter) to overwhelm the key fob’s signal. The owner presses “lock” on their fob, notices nothing unusual, and assumes the car locked – but the jammed command never reaches the vehicle. The car remains unlocked, allowing the thief to simply open the door and take what they want (or proceed to further attacks). This has been observed in public parking lots where a thief lurks nearby with a jammer.
  • Rolling Code Replay (Desynchronization attacks): Modern fobs use rolling codes to prevent replay attacks – but flaws in their implementation can be exploited. An attacker first captures a valid radio code, replays it out of sequence to desynchronize the fob, then captures the owner’s resync attempts. With those new codes in hand, the attacker can replay them to unlock and start the car.
  • Key Fob Cloning via Cryptographic Flaw (“Game Boy” device): Criminals use a device disguised as a Nintendo Game Boy to exploit weak DST80 implementations in Hyundai/Kia vehicles. By capturing a challenge-response exchange, the device cracks the 24-bit key in under 2 minutes and emulates a valid key to unlock and start the car.

Attacks on New Technologies

In recent years, car manufacturers have adopted technologies like NFC, Bluetooth Low Energy (BLE), and Ultra-Wideband (UWB) to enhance keyless entry systems. While these were intended to improve security, researchers have demonstrated practical attacks across all three. In 2020, hackers used a smartphone app to perform an NFC relay attack on Tesla by relaying communication between the vehicle and a key card over Wi-Fi. Later, BLE relay attacks were shown to bypass Tesla's protections by introducing slight timing delays in encrypted BLE connections, while others exploited flaws in phone key pairing protocols to register rogue devices. Even UWB, designed to resist relay attacks through precise distance measurement, was shown to be vulnerable to “selective overshadowing” — a technique that spoofs proximity by manipulating signal power in real time. Despite these technologies, vehicles remain at risk when implementations are incomplete or fallback mechanisms are insecure.

CAN Bus Injection Attacks

Once thieves get physical access to the car, the next target is the car’s internal network. The Controller Area Network (CAN bus) connects critical electronic control units (ECUs) – and if attackers can tap into it, they can impersonate trusted devices. Modern car thieves have developed stealthy CAN injection tools that make this possible.

One notorious example involves a small electronic device hidden inside an innocuous object (like a portable speaker). Thieves covertly plug this device into an exposed CAN wiring junction on the car – for instance, behind a headlight assembly or another external light where the CAN wires are accessible near the edge of the vehicle.

Once connected to the car’s CAN bus, the rogue device mimics the messages of an authorized ECU. It floods the bus with a burst of CAN messages declaring “a valid key is present” or instructing specific actions like unlocking the doors.
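The burst described above is exactly what a simple bus monitor can catch: a frame ID that never appears during normal driving, or a known ID suddenly transmitted far faster than its nominal period. The following detector is an added illustration, not code from the article or from PCA; the candump-style frames, the CAN IDs and the baseline periods are all constructed for the example.

```python
from collections import defaultdict

# Constructed candump-style frames "(timestamp) iface ID#DATA"; not from any real vehicle.
# ID 0C4 is a normal periodic signal, 1A0 receives a four-frame burst, 3FF is absent from the baseline.
SAMPLE_LOG = """\
(0.000) can0 0C4#0A2B
(0.020) can0 0C4#0A2C
(0.040) can0 0C4#0A2D
(0.041) can0 1A0#0100000000000000
(0.042) can0 1A0#0100000000000000
(0.043) can0 1A0#0100000000000000
(0.044) can0 1A0#0100000000000000
(0.050) can0 3FF#AA
(0.060) can0 0C4#0A2E
"""

# Assumed baseline learned from clean captures: nominal transmit period (seconds) per CAN ID.
BASELINE_PERIOD = {"0C4": 0.020, "1A0": 0.100}

def parse_frame(line):
    """Split one candump-style line into (timestamp, can_id, data_hex)."""
    ts, _iface, frame = line.split()
    can_id, data = frame.split("#")
    return float(ts.strip("()")), can_id, data

def detect_can_injection(log, baseline, tolerance=0.5, burst=3):
    """Return alerts for IDs absent from the baseline and for IDs whose frames
    arrive much faster than their nominal period for `burst` consecutive gaps."""
    alerts = []
    last_ts = {}
    short_gaps = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, can_id, _data = parse_frame(line)
        if can_id not in baseline:
            alerts.append(("unknown_id", can_id, ts))
            continue
        if can_id in last_ts and ts - last_ts[can_id] < baseline[can_id] * tolerance:
            short_gaps[can_id] += 1
            if short_gaps[can_id] == burst:
                alerts.append(("rate_burst", can_id, ts))
        else:
            short_gaps[can_id] = 0  # a normal gap resets the burst counter
        last_ts[can_id] = ts
    return alerts

if __name__ == "__main__":
    for alert in detect_can_injection(SAMPLE_LOG, BASELINE_PERIOD):
        print(alert)
```

On a real vehicle the baseline must be learned per model and per bus segment, and a production monitor would also check payload plausibility, since an injected frame can reuse a legitimate ID at a legitimate rate.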

OBD-II and Diagnostic Interface Exploits

Another favorite target for car thieves is the On-Board Diagnostics (OBD-II) port and related diagnostic functions. The OBD-II port is a standardized interface (usually under the dashboard) that gives access to the vehicle’s internal networks and ECUs for maintenance — and, if not secured, for malicious reprogramming. Attackers with physical access to the car’s interior can use this port to essentially reconfigure the car to accept their own key.

A concrete example: in the UK, a vehicle owner interrupted a theft in progress and later found a device plugged into their car’s OBD-II port. Upon analysis, it turned out to be a black-market “emergency start” module designed to defeat the engine immobilizer and start the car within seconds — no physical key needed. This is not an isolated incident; organized car theft rings often carry portable OBD hacking units that look like innocuous electronic gadgets.

Telematics and Backend Attacks (PKI/Cloud)

Not all car attacks require physical access — some target connected services. Modern vehicles often include telematics units and mobile apps that enable remote lock/unlock, engine start, GPS tracking, and more. These features depend on communication between the car and backend servers. If those communications or APIs are insecure, attackers can potentially send malicious commands over the internet.

In late 2022, a group of white-hat hackers (led by researcher Sam Curry) systematically analyzed many automakers’ mobile app and telematics APIs. They discovered a raft of logic flaws that allowed remote access to vehicles. In one case, knowing the VIN was enough to remotely control vehicles from multiple brands including Kia, Honda, Nissan, Acura and others.
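The VIN-only flaw above is an authorization failure: the backend accepted the VIN in the request as proof of ownership instead of binding it to the authenticated account. The handlers below are an added example written for this article, not code from any automaker's backend; the account names, VINs, tokens and the "unlock" command are constructed.

```python
# Constructed data: session tokens -> account, and VIN -> owning account (assumed registry).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
VEHICLE_OWNERS = {"VIN-CONSTRUCTED-0001": "alice", "VIN-CONSTRUCTED-0002": "bob"}

class AuthorizationError(Exception):
    pass

def vulnerable_unlock(request):
    """Insecure pattern: the token proves someone is logged in, but the VIN alone
    selects the target vehicle, so any account can command any known VIN."""
    if request.get("auth_token") not in SESSIONS:
        raise AuthorizationError("not logged in")
    vin = request["vin"]
    if vin not in VEHICLE_OWNERS:
        raise KeyError("unknown vehicle")
    return {"vin": vin, "action": "unlock", "status": "sent"}

def hardened_unlock(request):
    """Ownership check: the account behind the session token must own the VIN."""
    session_user = SESSIONS.get(request.get("auth_token"))
    if session_user is None:
        raise AuthorizationError("not logged in")
    vin = request["vin"]
    owner = VEHICLE_OWNERS.get(vin)
    # One generic error for unknown and foreign VINs, so the endpoint cannot be used to enumerate VINs
    if owner is None or owner != session_user:
        raise AuthorizationError("vehicle not accessible to this account")
    return {"vin": vin, "action": "unlock", "status": "sent"}

def try_unlock(handler, request):
    """Run a handler and collapse any failure into 'denied' for comparison."""
    try:
        return handler(request)["status"]
    except (KeyError, AuthorizationError):
        return "denied"

if __name__ == "__main__":
    # alice, logged in with her own token, targets bob's vehicle
    cross_account = {"auth_token": "tok-alice", "vin": "VIN-CONSTRUCTED-0002"}
    print("vulnerable:", try_unlock(vulnerable_unlock, cross_account))  # sent
    print("hardened:  ", try_unlock(hardened_unlock, cross_account))    # denied
```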

Conclusion

From wireless key fob hacks to CAN bus injections and cloud API exploits, real-world car theft techniques now span both physical and digital attack surfaces. We’ve seen criminals amplify RF signals to open cars from afar, jam and replay codes to trick vehicles, plug in illicit devices to OBD ports to program new keys, and even exploit backend systems to remotely unlock cars over the internet. Each method targets a different layer of the automotive ecosystem – but all have been demonstrated outside of labs, on actual vehicles. For Tier 1 suppliers and automakers, understanding these attack paths is crucial. It highlights why defense in depth is needed: secure wireless protocols, segmented and hardened CAN networks, strong authentication for diagnostics, robust cloud security, and faultless implementation of cryptography at every layer.

Article tags: automotive cybersecurity, car theft, automotive threat intelligence, car hacking
