Six of 11 new cars launched in the UK in 2019 rated poor for security

by Autocar Pro News Desk, 21 Mar 2019


The relay attack captured on CCTV - West Midlands Police. (Thatcham Research image)

Thatcham Research, the independent voice of automotive safety, security and repair in the UK, today launched security ratings to help consumers better understand the theft risk of new cars against a backdrop of rising vehicle thefts. The new ratings assess whether measures that specifically address the keyless entry/start vulnerability have been adopted.

Six of the 11 vehicles launched this year in the UK have been given a ‘Poor’ rating because the keyless entry/start system they have as an option has no security measures to prevent theft by criminals using the so-called ‘Relay Attack’ technique. Without this option, the overall security features were classified as ‘Good’.

What is the 'Relay Attack'?
Passive keyless entry systems, which allow drivers to open and start their cars without removing the key fob from their pocket, can be exploited using a technique called the ‘Relay Attack’. Criminals usually operate in pairs: one holds a device up against the car to capture the signal it sends out to the key. That device then ‘boosts’ the signal to a second device by the front wall of the house, which relays the signal to the key inside. This fools the car and key into thinking they are within the 2m range of operation, allowing the car to be unlocked and started. Once started, the engine will not restart without the key present.

Richard Billyeald, Chief Technical Officer at Thatcham Research said: “This initiative focuses on addressing keyless entry/start vulnerability. We’ve seen too many examples of cars being stolen in seconds from driveways. Now, any vehicle that is assessed against the new Thatcham Research Security Rating, and has a vulnerable keyless entry/start system, will automatically not achieve the best rating.

“Security has come a long way since vehicle crime peaked in the early 1990s. But the layers of security added over the years count for nothing when they can be circumvented instantly by criminals using digital devices. The shame is that most of the cars rated ‘Poor’ would have achieved at least a ‘Good’ rating had their keyless entry/start systems not been susceptible to the Relay Attack.”

How they rated

| Vehicle (2019 Model Year) | Security Rating* |
|---|---|
| Audi e-tron | Superior |
| Ford Mondeo | Poor |
| Hyundai Nexo | Poor |
| Jaguar XE | Superior |
| Kia ProCeed | Poor |
| Land Rover Evoque | Superior |
| Lexus UX | Poor |
| Mercedes B-Class | Superior |
| Porsche Macan | Poor |
| Suzuki Jimny** | Unacceptable |
| Toyota Corolla Hybrid | Poor |

*Keyless entry/start system assessed within rating whether available as an option or fitted as standard.

**Suzuki Jimny does not have a keyless entry/start system as standard or an option.


Billyeald continued: “We are really pleased to see that the latest Audi e-tron, Jaguar XE, Land Rover Evoque and Mercedes B-Class were all awarded ‘Superior’. These carmakers have made significant strides in addressing keyless entry/start vulnerability, by either switching to a more secure wireless technology or introducing key fobs that go to sleep when idle. This demonstrates that there are solutions and fixes to the problem, which we expect other manufacturers to include on their future models.

“Our guidance for worried drivers is first and foremost to understand if your vehicle has a keyless entry/start system or not, as it is often an optional extra. If it does, check whether there are solutions available with your key fob – can it be turned off overnight or does it go to sleep when not being used?

“Faraday shielding pouches can be effective but test them first to make sure they do block the signal. Many are designed for credit cards so make sure they still close fully with a set of keys inside, to ensure maximum effectiveness.

“Storing all sets of keys, spares included, away from household entry points is also important as it hampers the criminal’s ability to relay the signal.

“And finally, it may in some cases be possible to turn the system off entirely, so it’s worth checking with your dealer.”

Minister for Policing and the Fire Service, Nick Hurd said: “I welcome the finding in Thatcham Research’s work that some manufacturers are addressing vulnerabilities that exist, and would encourage others to see what more they could do. Together we can reduce the risks to the public that their vehicles will be stolen.”

National Police Chiefs’ Council Lead for vehicle crime, Deputy Assistant Commissioner Graham McNulty comments: “Part of the reason for the recent increase in vehicle theft is the rapid development in technology. Whilst this has dramatically improved the experience of drivers it has also allowed criminals to exploit weaknesses in the electronic security.

“Police chiefs fully support the New Vehicle Security Assessment (NVSA) and the newly announced consumer rating which gives buyers a better understanding of how secure their chosen vehicle is. It’s a positive step towards improving vehicle security and will help us cut the levels of crime as manufacturers continue to develop security measures, in what remains a highly competitive industry.”

Laurenz Gerger, motor policy adviser at the Association of British Insurers, said: “Car thieves have been having a field day lately. Crime stats show vehicle thefts at their highest level for a decade. Insurers paid out a record £376 million (Rs 3,700 crore) for car theft in 2018, which was partly driven by the vulnerability of some cars to keyless relay theft. Making these assessments public should spur motor manufacturers to take swift action to tackle this high-tech vulnerability. Meantime, consumers deserve to know how secure their cars are, so they can take the necessary steps to reduce the likelihood that they become victims of crime.”

Current theft trends
The rating is designed to reflect current theft trends, with the new release including the latest digital exploitations, whilst maintaining the existing mechanical aspects. “It will evolve over time and close loopholes as they appear,” added Billyeald.

Thatcham Research has been conducting security assessments for insurers on all new and facelifted models launched into the UK since the early 1990s. Thatcham Research technicians conduct a series of tests, ranging from timed ‘brute-force’ attacks on locks and access points, to tests that identify digital vulnerabilities, namely whether the keyless entry/start system is susceptible to the Relay Attack or whether the On-Board Diagnostic (OBD) port allows blank keys to be coded.

Cars that fail the keyless entry/start and OBD tests move down a category per failure. The rating applies whether the keyless entry/start system is optional or standard-fit.

The categories are: Superior, Good, Basic, Poor and Unacceptable.

Setting the standard
Cars at different price points have different levels of security. Thatcham Research is also sharing guidance to help drivers understand what they should expect:

Up to 20k (Rs 19.68 lakh) – Expected to have fundamental security features, but not some of the extra layers found on higher-priced vehicles. Typically, a vehicle within this value range would include a Thatcham Research certified immobiliser, perimeter alarm, double-locking to all doors, locking wheel bolts and attack-resistant mechanical security.

20-35k (Rs 19.68 lakh to Rs 34.45 lakh) – Expected to have high standard security features, but not some of the extra layers found on higher-priced vehicles. Typically, a vehicle within this value range should include the security from the Up to 20k range plus a Thatcham Research certified alarm system.

35k+ (Rs 34.45 lakh+) – The security should be to the very highest standard. Typically, a vehicle within this value range would include the security from the 20-35k range plus Thatcham Research certified alarm system with tilt sensor and a Thatcham Research tracking system.

Commenting on the Suzuki Jimny’s ‘Unacceptable’ rating Billyeald said, “This car falls well below expectation, scoring consistently poorly across all criteria, and missing some fundamental security features that consumers might rightly expect should be fitted.”

 

 


 
