From relay attacks and CAN bus injection to TikTok-fuelled theft waves, the modern car is a rolling network of security vulnerabilities — and criminals have become remarkably good at exploiting them.

20 sec

Time for a relay attack to steal a car

70%

UK car thefts now via relay method (ABI 2024)

+102%

YoY rise in automotive CVEs (Q1 2026)

8.3M

Kia/Hyundai vehicles with no immobiliser

No smashed glass. No forced entry. No hotwired ignition. A thief approaches your car in the dark, holds a small device near the headlight housing, waits a few seconds, and drives away in a vehicle worth £50,000 — while your keys sit untouched on the kitchen table. No alarm sounds. No trace is left. The entire operation takes under a minute, and the equipment costs less than £100 to buy online.

This is not science fiction, and it is not rare. It is happening every day across the UK, Europe, North America, and Australia — and it is accelerating. The modern car, with its keyless entry systems, wireless connectivity, onboard diagnostics ports, and cloud-linked telematics, has quietly become one of the most hackable objects most people own. The automotive industry built extraordinary convenience into its vehicles over three decades. It largely forgot to build in commensurate security.

Background: How We Got Here

Engine immobilisers — which require a cryptographic handshake between the ignition key and the vehicle’s ECU before the engine will start — were widely adopted across Europe from the mid-1990s after the EU made them mandatory for new cars in 1998. The impact was dramatic: traditional vehicle theft, which had peaked in the early 1990s, fell by over 50 percent within a decade. Thieves adapted by targeting the keys themselves — burglaries, carjackings — rather than trying to bypass the immobiliser directly.

Then came keyless entry. Passive keyless entry and start (PKES) systems, introduced commercially in the late 1990s and now near-universal across new vehicle production, allow drivers to unlock and start their car without physically pressing any buttons on the key fob — the car detects the key’s radio frequency signal and responds automatically. It is enormously convenient. It is also, as security researchers quickly established, exploitable.

The attack surface has expanded dramatically as vehicles have become computers on wheels. A modern premium car contains over 100 electronic control units (ECUs), runs more than 100 million lines of code, and connects to the outside world via Bluetooth, Wi-Fi, cellular networks, GPS, OBD-II diagnostic ports, USB interfaces, and over-the-air update infrastructure. Each connection is a potential vulnerability. Researchers and criminals have been exploring them systematically for years — and the criminals are increasingly winning.

“Despite years of warnings, most manufacturers have stuck with outdated cryptography and unidirectional signals. ‘Security by obscurity’ still rules, even as researchers and thieves race to outsmart each other.”

Autoblog, June 2025

The Attack Methods: How Cars Are Hacked

1. Relay Attacks: The Most Common Method

The relay attack is now the dominant method of professional vehicle theft in the UK, accounting for 70 percent of all car thefts according to the Association of British Insurers (2024). It is elegant in its simplicity and devastating in its effectiveness.

A keyless entry fob continuously emits a low-power radio signal. When the car detects that signal within range, it unlocks. The relay attack exploits this by using two devices: one positioned near the house (often outside the front door or by a window) captures the fob’s signal, amplifies it, and transmits it wirelessly to a second device held next to the car. The car believes the key is present. It unlocks. The engine starts. The thieves drive away.

Relay devices capable of amplifying fob signals across 100 metres or more can be purchased online for as little as £80–£100. The entire theft operation typically takes 20–30 seconds. In the UK, a car is stolen every five minutes, with keyless theft accounting for 58 percent of all vehicle thefts in the period to March 2024, according to the Crime Survey for England and Wales — up from just 14 percent in 2019. In Canada, that figure rose from 58 to 74 percent of keyless car thefts between 2020 and 2024.

2. CAN Bus Injection: The Technical Heist

The Controller Area Network (CAN) bus is the internal communications backbone of a modern vehicle — the network through which all ECUs talk to each other. It was designed in the 1980s as an industrial automation protocol. It was never designed with security in mind. It has no message authentication, no encryption, and no source verification. Every message on the CAN bus is trusted by every device on it.

Criminal groups have exploited this comprehensively. The CAN injection attack — documented extensively by cybersecurity researcher Dr. Ken Tindell and VicOne’s threat research team — involves connecting a small, cheap device to the CAN bus wiring. The most common entry point is behind a headlight assembly, where CAN wiring is accessible near the vehicle’s exterior edge without requiring cabin entry. Once connected, the device floods the bus with forged messages declaring that a valid key is present, commanding the smart key ECU to authorise engine start.

VicOne’s researchers note that the attack device needs only a basic microcontroller preloaded with the right firmware — hardware available for under $75. One notorious version concealed the device inside an ordinary-looking Bluetooth speaker, providing cover while thieves accessed the headlight wiring. The CAN injection theft of a Toyota Land Cruiser in London — caught on CCTV and subsequently analysed in technical detail — made the method public. Since then, thousands of vehicles have been reported stolen via CAN injection in Australia alone, with Toyota LandCruisers and Prado models disproportionately targeted.

⚙ Why the CAN bus is still vulnerable in 2026

The CAN bus protocol was standardised in 1991. It remains the dominant in-vehicle network in cars produced today. VicOne’s researchers confirmed at Singapore International Cyber Week 2025 that gaining access to the OBD-II diagnostic port — universally present on all cars manufactured after 1996 — allows an attacker to issue legitimate diagnostic commands that alter ECU behaviour, inject malicious CAN messages, and manipulate safety-critical systems. Redesigning this into modern vehicles requires fundamental architectural changes that manufacturers have been slow to implement.

3. OBD Port Exploitation

The On-Board Diagnostics (OBD-II) port — a standardised diagnostic interface required in all cars sold in the US since 1996 and the EU since 2001 — is a direct gateway to a vehicle’s CAN bus. Organised theft rings carry portable OBD hacking units that, once physically plugged into the port, allow them to reprogram a blank key fob to match the vehicle’s immobiliser. The process takes minutes.

Pennsylvania law enforcement reported in 2025 a significant rise in cases where thieves forced brief cabin entry — often via a slim-jim or by breaking a small window — solely to access the OBD port, complete the key programming, and depart in the vehicle. For Toyota LandCruiser 200 owners in Australia, investigators found thieves could break into the car, access the OBD port under the dashboard, and drive away before any alarm system had meaningfully responded.

4. The Kia Challenge: Social Media as a Theft Vector

In August 2022, a group calling itself the “Kia Boyz” posted TikTok videos showing how to steal certain Kia and Hyundai models using nothing more than a USB-A cable and a screwdriver — turning the mechanical ignition the same way a key would. The vulnerability was structural: approximately 8.3 million Hyundai and Kia vehicles manufactured between 2011 and 2022 lacked engine immobilisers entirely, a cost-cutting decision that proved catastrophic at scale.

The TikTok challenge spread nationwide across the United States within weeks. Theft insurance claims for the affected models increased more than 1,000 percent between the first half of 2020 and the first half of 2023, according to the Highway Loss Data Institute. At least eight people died and 14 crashes were recorded as a direct consequence. Major insurance companies in several US cities stopped offering coverage for the affected models entirely. The manufacturer reached a $200 million class-action settlement in 2023, with further state settlements ongoing into 2026.

The case stands as a defining example of how a latent security vulnerability, once publicly disclosed via social media, can become a national crime wave within weeks — and of how the consequences fall primarily on consumers rather than manufacturers.

5. Remote Telematics and Connected Car Vulnerabilities

As cars become software-defined, the attack surface extends from the physical vehicle into the cloud. In January 2026, a cyberattack on a Russian telematics provider disabled mobile-app vehicle controls — locking, unlocking, and remote engine start — for hundreds of thousands of vehicle owners for up to two weeks. Attackers had compromised the cloud backend rather than the vehicles themselves, demonstrating that the security of a connected car is only as strong as the weakest link in its entire digital supply chain.

Security researchers at Pwn2Own Automotive 2026 in Tokyo — the world’s largest zero-day vulnerability discovery competition for connected vehicles — uncovered 76 unique zero-day vulnerabilities across Tesla infotainment systems, mainstream head units, and EV charging infrastructure, earning $1.047 million in payouts. One particularly striking demonstration saw the Synacktiv team compromise an EV charger using only an NFC card tap. “They just essentially walked up to an EV charger, hit it with an NFC card, and took it over like that,” said Dustin Childs of Trend AI’s Zero Day Initiative. The total number of unique automotive CVEs rose 102 percent year-on-year in Q1 2026.

The Attack Methods at a Glance

Five Ways Hackers Steal Modern Cars

From £80 relay kits to zero-day exploits

📡

Relay Attack

Signal amplified from key fob inside your home to a device at the car. 20–30 sec. Equipment: ~£80.

🔌

CAN Injection

Device tapped to headlight wiring sends forged “key present” signals on the internal CAN network.

🔑

OBD Port Hack

Diagnostic port accessed to reprogram a blank key fob to match the vehicle immobiliser. Minutes.

📱

App / Cloud Attack

Telematics backend compromised to trigger remote unlock or disable tracking entirely.

🎬

Key Cloning

Cryptographic handshake between car and fob intercepted and replayed to create a cloned key.


Am I at risk? Warning signs

  • Car has keyless/push-button start
  • Fob stored near front door or hallway
  • No secondary immobiliser or tracker fitted
  • Vehicle parked on street or open drive overnight
  • High-value SUV, Land Rover, BMW, or Toyota
  • Plug-in OBD tracker or dongle left in port
  • Car has no Faraday pouch or signal blocker on fob
  • Manufacturer has not issued an OTA security patch

The Security Vulnerabilities: What Manufacturers Got Wrong

The root cause of the relay attack problem is straightforward: passive keyless entry systems were designed to broadcast continuously, asking “is anyone there?” The car constantly listens for a response. No time-of-flight verification, no challenge-response protocol, no check on whether the signal has been artificially amplified. The car simply measures whether a valid signal is present — not whether it is genuinely nearby.

The German automotive association ADAC has tested hundreds of keyless vehicle models for relay resistance between 2016 and 2024. The results are consistent and damning: the vast majority fail to block relay amplification, even when equipped with advanced encryption elsewhere in their security architecture. Ultra-wideband (UWB) technology — which uses precise time-of-flight measurement to verify that a key is genuinely close, not just signal-amplified — is the most promising technical fix. Apple and Samsung have deployed it in their device ecosystems. Some premium vehicle manufacturers including BMW have begun implementing it. But it remains far from universal, and retrofitting existing vehicles is not straightforward.

The CAN bus problem is structural and older. A 1980s industrial protocol with no authentication is now the nervous system of vehicles that connect to the internet, receive over-the-air updates, and are controlled via smartphone apps. Researchers at VicOne, PCA Cyber Security, and multiple academic institutions have documented how the CAN bus’s fundamental trust model — every message is legitimate, every sender is trusted — creates an almost trivially exploitable attack surface once physical access to any CAN-connected component is achieved.

“2026 is the year automotive cybersecurity stops being a policy alignment exercise and becomes operational proof. The Q1 data shows threats are scaling faster than traditional defences.”

Vlad Ryabyshkin, CTO, PCA Cyber Security, June 2026

Key Research: What the Experts Say

Source / StudyKey FindingDateArea
PCA Cyber Security — Q1 2026 Global Automotive Threat Intelligence Report265 new automotive CVEs in Q1 2026 alone; 102% rise year-on-year. Telematics backend attack in Russia disabled vehicle controls for hundreds of thousands of owners for two weeks.Jun 2026Threat Intel
Pwn2Own Automotive 2026 — Trend ZDI / VicOne76 zero-day vulnerabilities uncovered; $1.047M in payouts. Synacktiv chained info leak + out-of-bounds write to hack Tesla infotainment via USB. EV charger taken over via single NFC card tap.Jan 2026Security Research
Dr. Ken Tindell / VicOne — CAN Injection AnalysisDetailed technical documentation of CAN injection attack on Toyota Land Cruiser. Device costs under $75; no specialised skills required. Toyota aware of vulnerability since at least April 2023.2023–2025Academic / Industry
ADAC — Relay Attack Testing 2016–2024Vast majority of keyless vehicles tested fail to block relay amplification even with advanced encryption. UWB is the leading technical countermeasure but implementation remains limited.2024Industry Testing
Association of British Insurers70% of UK car thefts now use relay methods. UK insurers paid out £1.24 billion for motor vehicle theft claims in 2024. London: 60% of all vehicle thefts are keyless-related.2024Insurance Data
Highway Loss Data Institute / CNNTheft insurance claims for vulnerable Hyundais and Kias increased more than 1,000% between H1 2020 and H1 2023 following TikTok “Kia Challenge.” 8.3 million vehicles affected.2023Insurance / Legal
arXiv: SoK — Stealing Cars Since Remote Keyless Entry (Payne et al., 2025)Systematic academic review of all major remote keyless entry attack vectors. Recommends open-source security auditing, UWB adoption, and Pwn2Own-style manufacturer engagement.May 2025Academic
PlaxidityX — Keyless Car Theft North AmericaClass action filed in Quebec against 13 OEMs for keyless entry flaws. Two OEMs agreed Dec 2025 nationwide settlement offering free repairs to millions of vehicles; cost may exceed $500M.May 2026Legal / Industry

The Insurance and Legal Fallout

The financial consequences of systematic automotive cybersecurity failure are now being absorbed across the insurance and legal systems. UK insurers paid out £1.24 billion in motor vehicle theft claims in 2024. Canadian insurers sustained $900 million in losses in 2025. In high-theft regions of the United States, comprehensive coverage premiums have risen 10–25 percent, with high-end SUVs seeing surcharges averaging 17–20 percent.

Manufacturers face mounting legal exposure. In Quebec, a class-action lawsuit was filed against 13 original equipment manufacturers over keyless entry flaws responsible for large-scale thefts between 2021 and 2024. In December 2025, two major OEMs agreed to a nationwide US settlement offering free repairs to millions of affected vehicles — a programme whose cost could exceed $500 million. The Kia and Hyundai litigation remains partially unresolved, with an insurance subrogation track seeking over $1 billion from the two manufacturers as insurers seek recovery of funds paid to theft victims.

✅ Do you own a Hyundai or Kia?

Vehicles manufactured between 2011–2022 with a turn-to-start ignition (not push-button) are potentially affected. Hyundai and Kia offer a free software update that reduces theft risk significantly — Kia owners saw a 64% reduction in theft claim frequency after the update (IIHS, 2024). If your vehicle is ineligible for the software update, both manufacturers offer a free physical steering wheel lock.

Check eligibility and claim any settlement compensation at the official settlement administrator’s website. Contact your dealer or manufacturer directly if you have not received notification about your eligibility.

How to Protect Your Vehicle: A Practical Guide

The good news is that most automotive cyber theft can be meaningfully frustrated with relatively inexpensive countermeasures. Thieves operate under time pressure; anything that adds friction and delay significantly reduces risk. A combination of low-cost physical security and awareness about how your vehicle’s technology works is the most effective defence currently available to consumers.

  • Use a Faraday pouch for your key fob. This is the single most effective and affordable defence against relay attacks. A signal-blocking Faraday pouch (cost: £8–£20) prevents your fob from broadcasting while stored at home. Keep both keys in pouches. Test yours with the key inside: if your car no longer unlocks when you approach it, the pouch is working. Faraday boxes for hallway tables offer similar protection and look more conventional.
  • Enable every available PIN or secondary authentication feature on your vehicle. Tesla’s PIN-to-Drive and similar features on other manufacturers require a numeric code before the car will move, even if the relay attack succeeds in unlocking it. If your vehicle offers this, activate it immediately. Check your vehicle settings or owner manual for “theft deterrent” or “drive authorisation” options.
  • Fit a steering wheel lock or driveshaft club. Old-fashioned physical deterrents remain highly effective precisely because they are visible. Thieves assessing targets quickly will choose a vehicle without one. The Disklok and similar products are THATCHAM-approved and well-regarded by insurers.
  • Consider a secondary aftermarket immobiliser. A Thatcham Category 6 or equivalent aftermarket ghost immobiliser adds a second layer of authentication — often a hidden sequence of button presses — that must be completed before the engine will start. These are invisible, leave no trace on the vehicle, and have no fob to relay.
  • Fit a GPS tracker with independent battery backup. While a tracker does not prevent theft, it dramatically increases recovery rates. Ensure the tracker has a backup battery independent of the vehicle’s power — thieves increasingly disconnect the vehicle battery immediately after theft to disable tracking.
  • Protect your OBD port. An OBD port lock (a physical cover secured by a key or PIN) prevents plug-in OBD reprogramming attacks. For Toyota LandCruiser owners specifically, security researchers recommend an OBD port lock as a priority measure. Removing the OBD fuse between uses is a more disruptive but effective alternative.
  • Park defensively. Where possible, park in a garage or use a driveway post or physical bollard. Parking with the front end against a wall or obstacle makes headlight-wiring CAN injection significantly more difficult. Avoid predictable parking patterns for high-value vehicles.
  • Keep your vehicle software updated. Manufacturers issue over-the-air security patches for known vulnerabilities. Ensure automatic OTA updates are enabled in your vehicle’s settings. Check your manufacturer’s security advisory page periodically for your model.

⚠ If your car has just been stolen

Call police immediately — early reporting is critical, especially if a GPS tracker is fitted. Contact your insurer as soon as possible. Do not attempt to track or confront thieves yourself. Note the exact time, location, and any witnesses. Check whether your vehicle’s manufacturer app shows a last-known location.

If your stolen vehicle is recovered, request a full diagnostic check before driving it — CAN injection attacks can leave residual device connections, and OBD reprogramming may leave traces detectable by a dealer diagnostic system.

The Road Ahead: Can the Industry Fix This?

The automotive cybersecurity community is not passive. ISO/SAE 21434 — the international standard for automotive cybersecurity engineering, published in 2021 and mandated under EU legislation for new type approvals from July 2022 — requires manufacturers to conduct systematic security risk assessment across the vehicle lifecycle. UN Regulation 155 mandates a cybersecurity management system for all new vehicles. Work on Secure Boot using Hardware Security Modules is underway. Ultra-wideband deployment is expanding. The Pwn2Own competitions are generating responsible disclosure that, in some cases, reaches manufacturers and triggers patches.

But the pace of threat growth is outrunning the pace of response. Automotive CVEs doubled in twelve months. The 2026 Pwn2Own competition uncovered 76 zero-days in a single week. The CAN bus — a 1980s protocol — remains the backbone of vehicles rolling off production lines today. And the economics of automotive development, with product cycles measured in years and software security measured in months, create a structural lag that organised criminal groups exploit with growing sophistication.

For the security researcher or journalist covering this space, the most important framing may be this: vehicle theft is no longer primarily a physical crime. It is a cybercrime conducted against the weakest link in a complex network of radio protocols, software stacks, and cloud backends — most of which were designed before automotive cybersecurity was a serious discipline. The steering wheel lock on your driveway and the Faraday pouch on your hallway table are, in 2026, legitimate security countermeasures against a genuinely sophisticated digital threat.


Sources: PCA Cyber Security Q1 2026 Global Automotive Threat Intelligence Report  |  Pwn2Own Automotive 2026 — Trend ZDI / VicOne  |  ADAC Relay Attack Testing 2016–2024  |  Association of British Insurers 2024  |  Dr. Ken Tindell — CAN Injection Analysis (kentindell.github.io)  |  VicOne Threat Research (vicone.com)  |  arXiv: SoK Stealing Cars Since Remote Keyless Entry (Payne et al., May 2025)  |  Highway Loss Data Institute / CNN 2023  |  PlaxidityX Keyless Car Theft North America (May 2026)  |  Autoblog Keyless Car Theft 2025  |  SecurityWeek — CAN Injection (Apr 2023)  |  Malwarebytes — Kia/Hyundai TikTok Challenge  |  Dark Reading — Pwn2Own Automotive 2026 (Jan 2026)