{"id":8340,"date":"2026-05-15T10:41:21","date_gmt":"2026-05-15T14:41:21","guid":{"rendered":"https:\/\/www.autonocion.com\/us\/?p=8340"},"modified":"2026-05-15T10:44:35","modified_gmt":"2026-05-15T14:44:35","slug":"carmakers-security-flaw-driver-kitchen-foil","status":"publish","type":"post","link":"https:\/\/www.autonocion.com\/us\/carmakers-security-flaw-driver-kitchen-foil\/","title":{"rendered":"Carmakers Have Known About This Security Flaw Since 2011. Drivers Are Now Fixing It With $1 of Kitchen Foil"},"content":{"rendered":"

In suburbs around Atlanta, Phoenix and northern New Jersey, you can spot it on kitchen counters: a car key fob wrapped tight in aluminum foil, sitting in a bowl by the door. It is not paranoia. It is the cheapest working defense American drivers<\/strong><\/a> have against a wireless attack that the auto industry has known about, in peer-reviewed detail, since February 2011.<\/p>\n

The attack is called a relay attack. The first researchers to put it on the academic record were Aur\u00e9lien Francillon, Boris Danev and Srdjan Capkun at ETH Zurich, the Swiss federal institute of technology. They presented their paper, titled “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars”<\/a>, at the Network and Distributed System Security Symposium on February 7, 2011. They tested ten different vehicles from eight manufacturers, ranging from compact cars under $30,000 to luxury sedans north of $50,000. Every model they tested was vulnerable.<\/p>\n

The handshake nobody designed for adversaries<\/h2>\n

Modern keyless cars rely on a system engineers call Passive Keyless Entry and Start, usually shortened to PKES. The mechanics are deceptively simple. A parked car broadcasts a low-frequency wake-up signal at roughly 125 kilohertz. If the paired key fob is within a meter or two of the door handle, the fob answers back on a higher ultra-high-frequency channel, 315 megahertz in North America and 433 megahertz across most of Europe and Asia. The car gets the right cryptographic response. The locks click open. The push-button start lights up. The driver never touched the fob.<\/p>\n

The whole protocol assumes that if the key and the car can hear each other, they must be close to each other. That assumption only holds when nobody is actively trying to break it.<\/p>\n

A relay attack inserts two cheap radio amplifiers into the conversation. One thief stands within a few feet of the front door, holding a device that picks up the car’s wake-up signal traveling outward and rebroadcasts it. The other thief stands by the car, catching the fob’s response and rebroadcasting that back. The key, sitting on the kitchen counter inside the house, behaves as if the car were one meter away. The car, sitting in the driveway, behaves as if the key were in someone’s hand at the door handle. Neither knows the actual distance has been stretched across an entire residential lot. The Swiss team demonstrated the attack working reliably up to 50 meters apart with no line of sight, using off-the-shelf components and modest amplification.<\/p>\n

What the Swiss paper said, and what it deliberately did not<\/h2>\n

The 2011 paper has been cited hundreds of times in the academic literature since publication, which makes it one of the most-referenced vehicle-security papers ever written. It is worth being precise about what the researchers were willing to put on the record.<\/p>\n

They deliberately did not publish the makes and models they tested. Their own explanation, in the paper itself, was that providing brand names would be less useful than describing how the underlying systems work, because the flaw lives in the protocol design and not in any one carmaker’s implementation. What they did say has held up cleanly fourteen years later: “Given the generality of the relay attack and the number of evaluated systems, it is likely that all PKES systems based on similar designs are also vulnerable to the same attack.” That is a load-bearing sentence. The flaw is structural. The fact that a given car uses AES encryption, or rolling codes that are mathematically secure, does not matter. A relay attack does not break the encryption. It just moves the encrypted messages through the air to a different place.<\/p>\n

Why crumpled aluminum actually shields anything<\/h2>\n

Wrap a key fob completely in aluminum foil and you have, in physics terms, built a small Faraday cage. The principle is older than the car: Michael Faraday demonstrated in the 1830s that an enclosed conductive surface protects whatever sits inside it from external electric fields, because the field induces currents that travel around the exterior of the conductor and cancel out on the inside.<\/p>\n

Aluminum is a strong conductor. Standard kitchen foil, wrapped with no visible gaps and ideally with two or three overlapping layers, attenuates signals in the 315 to 433 megahertz range by roughly 30 to 50 decibels. In plain English, that is a thousandfold to a hundred-thousand-fold reduction in transmitted signal strength, which is more than enough to defeat a relay amplifier sitting on the other side of an exterior wall. The fob can neither hear an incoming wake-up signal nor reply to one.<\/p>\n

The catch, and this is the part that most viral how-to videos gloss over, is the word “completely.” At 433 megahertz, the radio wavelength is around 69 centimeters. A pinhole, a torn seam or a poorly folded corner becomes, in electromagnetic terms, a small antenna. A sloppy wrap with visible gaps may attenuate the signal by 10 or 15 decibels rather than 40, which can be the difference between an attack failing and an attack succeeding. The trick works. It just demands more care than most people give it on the first try.<\/p>\n

Fourteen years and a patchwork of fixes<\/h2>\n

The auto industry has not done nothing in the years since the ETH Zurich paper. Ford rolled out a motion-sensing key fob<\/a> on the Fiesta and the Focus in 2019, with a built-in accelerometer that puts the fob to sleep after 40 seconds without movement. A sleeping fob does not respond to wake-up signals at all, which renders the relay attack inert against a key sitting on a nightstand or a kitchen counter overnight.<\/p>\n

Independent testing by UK insurance research body Thatcham, whose Consumer Security Rating<\/a> specifically grades vehicles against relay attack vulnerability, has tracked which manufacturers have applied fixes and which have not. In its 2019 and 2020 testing rounds, Thatcham awarded its top “Superior” rating to model-year vehicles that included the BMW 7 Series, BMW X7 and X6 M50d, the Porsche 911 and Taycan, the Audi e-tron, the Jaguar XE, the Land Rover Evoque and Discovery Sport, the Mercedes B-Class, the Mini Electric, the Ford Puma and Fiesta, and the Toyota Supra. All of those models either shipped with motion-sensing key fobs or used hardened wireless authentication. Tesla layered a separate PIN-to-Drive software feature back in 2018, which does not prevent a relay attack from unlocking the car but does prevent the thief from driving it off without the right four-digit code.<\/p>\n

In the same testing window, Thatcham assigned a “Poor” rating, specifically because of relay attack vulnerability, to the 2019 model-year Ford Mondeo, Hyundai Nexo, Kia ProCeed, Lexus UX, Toyota Corolla Hybrid, DS3 Crossback, Mazda 3, Toyota RAV4 and Volvo S60. Several of those models have since been updated, others have not, and many of those keyless cars are still in active use on American roads today. Trim level matters too: in some lineups, the keyless entry option is standard at higher trims but absent at the entry-level trim, so the same nameplate can be vulnerable in one configuration and safe in another.<\/p>\n

None of that adds up to a clean industry-wide fix. The retrofits have been model-by-model and trim-by-trim, the older keyless cars still circulating on American roads vastly outnumber the patched ones, and plenty of new vehicles still ship with the original constant-broadcast fob design. The protocol the ETH Zurich researchers warned about in 2011 is, in practical terms, still sitting under millions of American driveways tonight.<\/p>\n

The data gap nobody talks about<\/h2>\n

An obvious question is how often this is actually happening on US soil. The honest answer is that nobody publishing American crime statistics knows. The National Insurance Crime Bureau, the industry-funded body that tracks vehicle theft data, does not publicly break down stolen-vehicle reports by exactly how the cars were stolen, and the auto manufacturers themselves have publicly acknowledged that they do not track that information either<\/a>. Roughly 850,708 vehicles were stolen in the United States in 2024, down 17 percent from 2023 according to NICB’s annual report. How many of those thefts involved relay devices, Flipper Zero radio exploits, CAN-bus injection through the headlight wiring loom, or simply somebody finding an actual key left in the cupholder, is not a number any federal agency publishes.<\/p>\n

The pattern is conspicuous in the police advisories themselves. Nassau County Police on Long Island<\/a>, Cobb County Police in suburban Atlanta and Suffolk County Police across the rest of Long Island have all issued repeated warnings about local vehicle theft surges in recent years. Those advisories almost uniformly focus on the much more common scenario of drivers leaving fobs inside unlocked cars rather than on relay attacks specifically, in part because the granular split between those methods is not in the public statistics. That information vacuum, in 2026, is itself part of the problem.<\/p>\n

What is in the record is a July 20, 2022 letter<\/a> from Senator Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, sent to 17 major automakers. Markey asked each manufacturer how many of its vehicles had been stolen between 2019 and mid-2022, how many of those thefts involved relay attacks specifically, what testing the company had done on its keyless systems, and whether it had considered motion-activated fobs or Ultra-Wide-Band technology as a fix. According to follow-up reporting by CBS News, the dozen manufacturers that responded all expressed commitment to theft prevention, but none could provide the specific theft numbers or methods Markey had asked for.<\/p>\n

The practical hierarchy if you actually need to do something tonight<\/h2>\n

For a driver in a metro area with a newer keyless car who has just read enough of this story to feel uneasy, the practical options sit roughly on a ladder. Kitchen aluminum foil, wrapped carefully and with multiple layers, costs essentially nothing and works as a stopgap or travel solution. A purpose-built Faraday pouch, typically $15 to $30 from a reputable brand and ideally one with independently certified attenuation specs, is more reliable in daily use and harder to mess up by accident. An unplugged microwave oven serves as a serviceable overnight Faraday cage in a household kitchen if you can stand the routine of it. Several manufacturers, including Toyota, Honda and BMW, also allow drivers to disable passive entry entirely in the vehicle’s settings menu, which removes the convenience but also removes the attack surface completely.<\/p>\n

The crumpled foil ball in the kitchen bowl is an embarrassing artifact for an industry that has had fourteen years of warning about exactly this attack. It is also, until manufacturers finish the slow rollout of motion-sensing fobs and properly authenticated keyless designs to the rest of their lineups, the workaround that costs under a dollar and works tonight. Most aftermarket security solutions cannot honestly claim either.<\/p>\n","protected":false},"excerpt":{"rendered":"

In suburbs around Atlanta, Phoenix and northern New Jersey, you can spot it on kitchen counters: a car key fob … <\/p>\n

Read more<\/a><\/p>\n","protected":false},"author":8,"featured_media":8353,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4,15],"tags":[],"class_list":["post-8340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cars","category-guides","resize-featured-image"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/posts\/8340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/comments?post=8340"}],"version-history":[{"count":1,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/posts\/8340\/revisions"}],"predecessor-version":[{"id":8351,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/posts\/8340\/revisions\/8351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/media\/8353"}],"wp:attachment":[{"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/media?parent=8340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/categories?post=8340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.autonocion.com\/us\/wp-json\/wp\/v2\/tags?post=8340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}