Fact-checked by Grok 2 weeks ago

Relay attack

A relay attack is a form of man-in-the-middle cyber attack in which an adversary intercepts and relays verbatim messages between two communicating parties, typically to deceive them regarding their physical proximity or location without modifying the content of the transmission.^[1] This technique exploits systems that rely on assumptions of short-range or low-latency communication, such as those using radio frequency identification (RFID) or near-field communication (NFC), by effectively extending the operational range through intermediary devices.^[2] Relay attacks were first conceptualized in the context of security protocols in 1987, building on earlier work like the Fiat-Shamir identification scheme from 1986, where adversaries demonstrated the vulnerability of distance assumptions in cryptographic exchanges.^[1] They are particularly prevalent in proximity-based authentication scenarios, including access control systems, contactless payments, e-passports, and keyless entry mechanisms for vehicles. As of 2025, relay attacks have seen a rise in contactless payment systems in Europe and persistent use in automotive thefts.^[2]^[3] In automotive applications, for instance, attackers often employ a two-device setup: one near the vehicle to capture and retransmit challenge signals, and another near the owner's key fob to relay responses, thereby tricking the car into unlocking or starting as if the fob were present.^[4] Such attacks have been demonstrated to succeed over distances exceeding 50 meters in controlled radio link experiments.^[1] To counter relay attacks, defenses primarily focus on verifying physical proximity through distance-bounding protocols, which measure round-trip communication times, received signal strength, or angle of arrival to ensure parties are within expected bounds.^[2] Alternative approaches incorporate ambient environmental conditions, such as correlating audio, temperature, or light levels between devices to confirm co-location, as these factors cannot be easily relayed.^[2] Despite these mitigations, challenges persist due to hardware limitations in low-power devices like RFID tags and the need for lightweight implementations that maintain usability.^[1] As of 2025, ongoing research emphasizes hybrid methods combining timing, signal analysis, and contextual checks to enhance resilience across NFC-enabled payments—amid rising NFC relay malware incidents—and passive keyless entry systems.^[2]^[5]

Overview

Definition

A relay attack is a type of man-in-the-middle cyber-attack in which an attacker intercepts legitimate wireless signals exchanged between two parties, such as a device and its authenticator, and forwards them in real time to trick the parties into believing they are in direct proximity-based communication.^[6] This deception circumvents security mechanisms that rely on assumptions of physical closeness or signal timing, such as those in proximity-limited protocols.^[7] Key characteristics of relay attacks include the real-time forwarding of unaltered signals, which differentiates them from replay attacks that involve delayed retransmission of captured data.^[6] The attack exploits distance-based security assumptions inherent in wireless protocols like RFID, NFC, and passive keyless entry systems, without requiring data modification or decryption.^[4] As a result, it can bypass even strong cryptographic protections at the application layer, as the relayed communication appears authentic to both endpoints.^[6] Relay attacks are categorized into passive and active variants. In a passive relay attack, the signals are simply forwarded without alteration, preserving the original data integrity while extending the effective communication range.^[8] Conversely, an active relay attack involves modification of the relayed data to exploit additional protocol vulnerabilities, though the core goal remains real-time deception of proximity.^[6]

Relation to Other Attacks

Relay attacks differ from replay attacks in that the former involve real-time interception and forwarding of live signals between two parties, effectively extending the communication range without delay, whereas replay attacks capture and retransmit previously recorded data at a later time, which often fails against protocols incorporating timestamps or nonces to prevent such reuse. This distinction is particularly evident in wireless systems like RFID, where replay attempts may be thwarted by time-sensitive challenges, but relay enables seamless interaction as if the parties were in proximity.^[9] As a subset of man-in-the-middle (MitM) attacks, relay attacks specifically focus on transparently relaying unaltered wireless signals to bridge physical distances, without the data modification, injection, or active eavesdropping that characterize broader MitM techniques.^[10] In contrast, general MitM attacks may involve decrypting and altering content or impersonating endpoints, whereas relay maintains the integrity of the original signal to exploit distance-based assumptions in protocols.^[9] Unlike jamming attacks, which overtly disrupt wireless communications by overwhelming channels with interference to cause denial of service, relay attacks operate covertly by amplifying and forwarding legitimate signals, allowing unauthorized access without alerting the system to any anomaly.^[11] Jamming is detectable through signal degradation or loss, while relay evades detection by mimicking normal operation over extended ranges.^[10]

Mechanism

How Relay Attacks Work

A relay attack operates by intercepting and transparently forwarding authentication signals between a legitimate device and a target system, effectively extending the perceived proximity of the device without altering the communication content. This process exploits protocols that rely on challenge-response mechanisms but lack robust distance verification, allowing unauthorized access. Unlike simpler eavesdropping, the attack requires real-time relaying to maintain the illusion of direct communication.^[4] The operational sequence typically involves two colluding attackers. First, one attacker positions themselves near the victim device, such as a car door, to capture the initial challenge signal broadcast by the device—often a low-frequency (LF) wake-up or query at around 125 kHz designed to activate nearby legitimate tokens like a key fob. This signal is then relayed, via a radio or wired link, to a second attacker located near the legitimate device, such as the key fob in the owner's pocket.^[4]^[12] Upon receiving the relayed challenge, the legitimate device responds with an authentication message, usually in the ultra-high frequency (UHF) band at 315 MHz or 433 MHz for key fobs, containing cryptographic proof of validity. The second attacker captures this response and forwards it back to the first attacker, who retransmits it to the victim device. The victim device, perceiving the response as originating from a proximate legitimate source, grants access, such as unlocking doors or starting the engine.^[4]^[13] Signal propagation in relay attacks relies on antennas to capture and amplify the inherently low-power, short-range signals, enabling extension over distances up to hundreds of meters depending on the relay medium and environmental conditions. For instance, LF challenges have a natural range of about 1-2 meters, but amplification and forwarding can bridge gaps between separated attackers.^[12]^[13] Successful execution demands low-latency relaying, typically under 1-2 milliseconds, to avoid timing discrepancies that could trigger protocol timeouts or detection mechanisms, alongside precise synchronization to preserve the original signal timing and protocol state.^[14]^[13]

Technical Components

Relay attacks typically require dual relay devices to capture and forward signals in real-time between a legitimate reader and target device, often utilizing software-defined radios (SDRs) such as the USRP series for their flexibility across frequency bands.^[15] These setups commonly incorporate custom antennas tuned to low-frequency (LF, e.g., 125 kHz), high-frequency (HF, e.g., 13.56 MHz), or ultra-high-frequency (UHF, e.g., 315-433 MHz) bands prevalent in keyless entry and RFID systems, enabling signal interception over short ranges.^[15] Portable transceivers, like those based on HackRF One, further support signal boosting by providing wideband transmission (1 MHz to 6 GHz) in compact form factors suitable for mobile deployment.^[16] Software components focus on low-latency signal processing to maintain protocol timing, with tools like Proxmark3 facilitating RFID relaying through hardware-firmware integration for sniffing, emulation, and forwarding ISO 14443-compliant signals.^[17] Custom scripts in GNU Radio process baseband signals from SDRs, implementing flow graphs for modulation, demodulation, and real-time relay with minimal added delay.^[15] Latency minimization techniques, such as direct cable connections between relay nodes or FPGA-accelerated processing, reduce propagation delays to preserve challenge-response synchronization.^[18] Protocol vulnerabilities exploited in relay attacks stem from challenge-response mechanisms lacking distance bounding, allowing intermediaries to forward queries and responses without detection of extended range. In keyless entry systems, rolling codes provide replay resistance but fail against relays that preserve timing and freshness.^[15] Similarly, NFC protocols under ISO 14443 enable proximity card relaying by complying with anti-collision and authentication sequences without verifying physical distance, as demonstrated in practical implementations using mobile proxies.^[7] Range extension in relay attacks leverages the quadratic signal attenuation in free space, making low-power, short-range emissions (common in RFID and keyless systems) feasible to intercept and rebroadcast over greater distances. The Friis transmission equation quantifies received power P_r as:

P_r = P_t G_t G_r \left( \frac{\lambda}{4\pi d} \right)^2

where P_t is transmitted power, G_t and G_r are transmitter and receiver antenna gains, \lambda is wavelength, and d is distance; this inverse-square dependence ($1/d^2) explains why signals designed for d \approx 10 cm (e.g., in passive RFID) can be relayed to d > 100 m with modest amplification, as the relay effectively resets the distance metric.

History

Origins and Early Research

The concept of relay attacks traces its pre-digital roots to techniques analogous to radio signal relaying employed in World War II espionage, where adversaries intercepted and forwarded communications to mislead detection efforts or impersonate sources.^[19] However, the formalization of relay attacks in a digital context emerged during the 1980s and 1990s amid growing research on wireless security and proximity-based identification systems.^[20] These early explorations highlighted vulnerabilities in protocols assuming physical proximity, particularly as radio-frequency identification (RFID) technology proliferated in applications like toll collection and animal tracking starting in the late 1990s.^[21] A pivotal early conceptualization came in 1987, when Desmedt, Goutier, and Bengio introduced the notion of "mafia fraud" in their analysis of the Fiat-Shamir passport protocol at Crypto '87.^[22] In this attack, an intermediary (the "mafia") relays messages between a legitimate prover and verifier to fraudulently authenticate the distant prover as if it were nearby, exploiting the lack of distance verification in challenge-response schemes. This work laid the groundwork for understanding relay threats in cryptographic identification protocols. Relay attacks were recognized as a specialized form of man-in-the-middle interception, with ties to broader discussions in authentication literature of the era. By 1993, the need for countermeasures prompted Brands and Chaum to propose distance-bounding protocols at Eurocrypt '93, explicitly designed to thwart mafia fraud through precise timing of round-trip signal delays.^[23] These protocols measured the propagation time between a verifier's challenge and the prover's response to establish an upper bound on physical distance, preventing relayed impersonation. The 1990s RFID expansion further underscored these vulnerabilities, as low-power wireless tags became ubiquitous without inherent distance checks.^[24] Academic milestones in the mid-2000s advanced detection methods, notably Hancke and Kuhn's 2005 paper on an RFID distance-bounding protocol, presented at SecureComm, which demonstrated practical timing-based relay detection using ultra-wideband signals for sub-millisecond precision.^[25] Concurrently, Kfir and Wool's 2005 study illustrated feasible relay implementations on contactless smartcard systems, emphasizing the attack's simplicity with off-the-shelf hardware and reinforcing the urgency for robust proximity authentication.^[26] These contributions shifted focus from theoretical risks to implementable defenses in emerging wireless ecosystems.

Notable Incidents and Demonstrations

One of the earliest practical demonstrations of a relay attack targeted the UK's Chip & PIN (EMV) payment system. In 2007, researchers Saar Drimer and Steven J. Murdoch from the University of Cambridge developed and showcased a relay attack using custom low-cost hardware to intercept and forward communications between a legitimate card and a fraudulent point-of-sale terminal, enabling unauthorized transactions without the cardholder's PIN.^[27] This demonstration, featured in a BBC Watchdog segment, highlighted vulnerabilities in contactless EMV implementations and prompted discussions on distance-bounding protocols to mitigate such relays.^[27] In the automotive domain, a landmark 2011 presentation at the Network and Distributed System Security Symposium detailed relay attacks on passive keyless entry and start (PKES) systems in luxury vehicles, including BMW and Mercedes models. Researchers Aurelien Francillon, Boris Danev, and Srdjan Capkun demonstrated how inexpensive radio relays could extend the key fob signal up to 100 meters, allowing thieves to unlock and start the cars without physical access to the keys.^[28] This work built on prior theoretical concepts but provided empirical proof-of-concept implementations using off-the-shelf components, influencing subsequent security audits in the industry. By 2017, relay attacks had transitioned from research to real-world crime, with UK police reporting a surge in keyless car thefts facilitated by affordable relay devices costing as little as £100. West Midlands Police released CCTV footage capturing the first documented relay theft in the region, showing two suspects using handheld relay boxes to amplify a Mercedes key fob signal from inside a nearby house, enabling them to unlock and drive away the vehicle in under a minute.^[29]^[30] Similar incidents were noted across London and other areas, with police attributing the rise to the increasing prevalence of keyless systems in new vehicles.^[31] In response to escalating thefts, the UK government in February 2025 introduced legislation banning the possession and sale of relay attack devices, such as signal amplifiers, which were implicated in approximately 40% of vehicle thefts in England and Wales as of that year.^[32] 2024 demonstrations on platforms like YouTube illustrated key fob relay techniques targeting European vehicles, contributing to spikes in insurance claims, with keyless relays implicated in a significant portion of cases across the continent.^[33] Impact data underscores the growing threat: in the UK, police-recorded vehicle thefts via relay methods rose approximately 20% from 2020 to 2023, driven by keyless systems comprising over 90% of tracked incidents by 2020 and continuing upward trends.^[34]^[35] These statistics, drawn from Office for National Statistics and insurer reports, reflect broader European patterns where relay-enabled thefts have strained insurance sectors and prompted regulatory scrutiny.

Applications

Automotive Keyless Entry

Passive keyless entry (PKE) systems, standard in modern vehicles, rely on low-frequency (LF) radio signals operating at 125-135 kHz to detect the proximity of a key fob near the car, prompting the fob to respond via ultra-high-frequency (UHF) signals at 315-433 MHz to authenticate and grant access or start the engine.^[4]^[36] These systems enable hands-free unlocking and ignition when the fob is within a short range, typically a few meters, but their reliance on unencrypted, line-of-sight radio communication makes them susceptible to relay attacks, where signals are intercepted and retransmitted to bypass proximity checks. By 2020, over 75% of new passenger vehicles in North America and Europe were equipped with such keyless entry features, amplifying the potential attack surface across millions of cars.^[37] In a typical relay attack on automotive PKE, two thieves collaborate using portable devices: one positions a receiver near the key fob—often inside a homeowner's residence or up to 100 meters away—to capture its UHF response, while the other places a transmitter near the vehicle to relay the amplified LF wake-up signal and the fob's authentication reply in real time.^[4]^[38] This fools the car's system into believing the fob is adjacent, allowing doors to unlock and the engine to start without physical key possession, often completing the theft in under a minute. The attack is particularly prevalent in pre-ultra-wideband (UWB) models from brands like Toyota (e.g., Camry, Corolla, Prius) and Ford (e.g., F-150, Focus), where signal amplification extends the effective range far beyond intended limits, enabling opportunistic thefts from driveways or parking lots.^[39]^[40]^[31] Relay attacks have driven a surge in keyless vehicle thefts, with data indicating that keyless exploits account for 60-70% of all car thefts in these regions.^[41]^[42] In the UK alone, recorded vehicle thefts reached 133,000 in 2023-24, up 12% from prior years, while US figures exceeded 1 million total thefts in 2023, with keyless exploits as a primary vector.^[43] The economic toll is substantial, with UK losses estimated at £1.77 billion in 2023-24 from vehicle thefts including relay methods, and broader US impacts over $8 billion annually (as of 2024) when factoring in insurance claims, recovery costs, and resale of stolen parts.^[44]^[45] In response, the UK government introduced a law in 2025 banning devices used for keyless theft, with penalties up to 5 years in prison.^[46] Post-2020, relay attacks have evolved into hybrid threats, where initial signal relay grants entry, followed by direct manipulation of the vehicle's controller area network (CAN) bus via the OBD-II port or wiring harness to disable immobilizers and override starting restrictions.^[47] This combination, observed in thefts of Toyota RAV4 and Lexus models, allows thieves to bypass even partial software updates, exploiting the CAN bus's lack of native encryption to inject malicious commands after physical access is achieved.^[48] Such tactics have increased theft efficiency, targeting high-value vehicles and contributing to rising insurance premiums across affected markets.^[49]

Contactless Payments and RFID

Relay attacks pose a significant threat to contactless payment systems that rely on near-field communication (NFC) technologies, such as EMV Chip & PIN cards and mobile payment methods like Apple Pay, which operate under the ISO/IEC 14443 standard. These systems typically limit interactions to a short range of a few centimeters to ensure proximity and security, but relay attacks extend this effective range to several meters by intercepting and forwarding signals between the victim's device and a legitimate point-of-sale (POS) terminal.^[50]^[7] Early demonstrations of relay attacks on contactless payments occurred between 2007 and 2010, where attackers used custom hardware to relay card data from a victim's NFC-enabled card or phone to a distant POS terminal, enabling unauthorized transactions without the victim's knowledge. These attacks exploited systems compliant with ISO 14443, allowing purchases up to contactless transaction limits, such as £100 in the UK, where no PIN is required for small amounts. For instance, a 2011 implementation using NFC-enabled mobile phones successfully relayed transactions in real-time, highlighting the feasibility with off-the-shelf devices.^[7]^[51] A key vulnerability in these early RFID and NFC systems stems from the absence of mutual authentication and distance-bounding protocols at the physical layer, permitting attackers to transparently forward communications without detection by the reader or card. This flaw in ISO 14443 allows the relay to mimic legitimate proximity, bypassing intended security assumptions. In the 2020s, similar vulnerabilities have been demonstrated in public transport ticketing systems, where relay attacks enable fare evasion by relaying signals from a valid ticket to a distant reader, though mitigations like ultra-wideband (UWB) distance measurement are emerging to counter them.^[51]^[52] While relay attacks on contactless payments remain rare due to the need for coordinated proximity to both the victim and terminal, their high-impact nature—potentially leading to financial losses without physical theft—has prompted ongoing research. A notable 2015 Black Hat presentation demonstrated an NFC relay attack bypassing protections in Apple Pay, using Android devices to clone and relay payment data for unauthorized use.^[53]^[54]

Network and IoT Systems

Relay attacks in network systems, particularly within Windows domains, exploit authentication protocols such as NTLM and Kerberos to intercept and forward credentials, enabling unauthorized access and privilege escalation. In NTLM-based environments, attackers coerce a victim machine to authenticate to a malicious server, capturing the NTLM authentication messages during protocols like SMB or LDAP, then relaying them to other services for exploitation.^[55]^[56] A common escalation technique involves relaying captured NTLM authentication from SMB or LDAP to vulnerable services, such as Active Directory Certificate Services (AD CS) or LDAP servers, allowing attackers to impersonate users and perform actions like certificate enrollment or resource-based constrained delegation. For instance, in the Printer Spooler relay variant (CVE-2021-1678), attackers relay NTLM authentication via the MSRPC interface to the print spooler service, achieving remote code execution as a privileged user without needing to crack hashes.^[57]^[58] Kerberos relay attacks similarly target Windows domains by coercing authentication and forwarding Kerberos tickets to intended targets, often bypassing protections if resource-based constrained delegation is misconfigured. These attacks thrive on vulnerabilities in legacy protocols lacking channel binding, where NTLM or Kerberos messages are not cryptographically tied to the specific communication channel, permitting man-in-the-middle interception and redirection without detection.^[59]^[60] In enterprise settings, NTLM relay attacks have seen a notable resurgence in 2024-2025, described as "arguably worse than ever" due to persistent misconfigurations in Active Directory, with analyses showing 100% exposure in examined environments to coercion and relay paths leading to domain compromise. SpecterOps reports highlight their role as a primary vector for lateral movement, often combined with tools like PetitPotam for authentication coercion, affecting tier-zero assets and enabling rapid privilege escalation.^[61]^[55] In IoT systems, relay attacks target networked smart devices like locks using protocols such as Zigbee or Wi-Fi, where attackers intercept and forward authentication or control signals to spoof device presence and bypass security controls. For example, in home automation setups, relayed commands over Wi-Fi can impersonate legitimate devices, allowing unauthorized access to systems like smart locks by exploiting weak session bindings in legacy IoT protocols.^[62]^[63]

Prevention and Mitigation

Technological Countermeasures

Distance-bounding protocols measure the round-trip time (RTT) of signals between a verifier and a prover to establish an upper bound on their physical distance, preventing relay attacks by ensuring the prover is within a specified proximity. These protocols leverage the principle that RTT must satisfy RTT < 2 * (speed of light) * distance, as electromagnetic signals propagate at the speed of light, making it impossible for relayed signals to mimic short distances without detection.^[64] Implemented using ultra-wideband (UWB) technology since 2019, these protocols employ time-of-flight (ToF) measurements with interleaved pulses and random phases to detect signal distortions from enlargement attacks, achieving detection rates with adversary success probabilities below 0.16 × 10^{-3}.^[65] Authentication enhancements incorporate mutual challenge-response mechanisms with timestamps to verify both parties' identities and timeliness, thwarting relay attempts by requiring synchronized, time-bound exchanges. Rolling codes, which generate pseudorandom sequences for each authentication session, further mitigate replays and relays, with desynchronization detection algorithms restoring alignment during communication outages without compromising security. These methods ensure that relayed signals fail due to timing mismatches or code invalidity, enhancing resilience in systems like remote keyless entry. Hardware solutions include UWB chips integrated into vehicle systems for precise proximity verification, as adopted by Apple in its CarKey feature starting in 2020, which uses UWB's ToF to resist relay attacks by confirming the key's location within centimeters.^[66] Signal jammers embedded in key fobs actively disrupt unauthorized relay signals by emitting interference during authentication, while Faraday cages provide passive blocking by enclosing fobs in conductive materials to prevent RF signal transmission.^[67] Protocol upgrades, such as those outlined in post-2020 Microsoft guidelines, mandate channel binding in NTLM authentication via Extended Protection for Authentication (EPA), which ties authentication tokens to the secure channel to detect man-in-the-middle relays.^[60] Enabled by default in Windows Server 2025 and Exchange Server 2019 CU14, EPA enforces "Always" mode for high-security environments, requiring TLS and binding checks to block relayed credentials.^[58] These NIST-aligned recommendations emphasize disabling legacy NTLM where possible and auditing non-compliant connections.^[60]

Practical Best Practices

Individuals can mitigate relay attack risks by adopting simple daily habits that disrupt signal interception. Storing key fobs in Faraday pouches or signal-blocking cases at night effectively prevents unauthorized signal relay by containing the radio frequency emissions within a protective shield.^[68] Similarly, placing fobs in metal boxes, such as a toolbox or tin can, serves as an inexpensive alternative to block signals when not in use.^[69] For long-term parking, disabling the keyless entry feature on the vehicle reduces vulnerability, as many systems allow this option through the owner's manual or dealer settings.^[70] To enhance detection of potential relay attempts, users should monitor vehicle access logs if available through connected apps or onboard diagnostics for any unusual entries or activations outside expected times.^[71] Incorporating motion-activated key fobs, which enter a sleep mode after inactivity (typically 40 seconds), further limits relay opportunities by ensuring the fob only transmits when movement is detected.^[68] Organizations facing relay risks in automotive, RFID, or IoT environments should prioritize behavioral and procedural safeguards alongside technical measures. Enabling multi-factor authentication that incorporates non-wireless elements, such as biometric verification or physical tokens, adds a layer of protection beyond signal-based systems.^[72] Regular firmware updates for IoT devices and keyless systems are essential to patch known vulnerabilities that could facilitate relay exploitation, with schedules aligned to manufacturer recommendations.^[73] On the policy front, organizations can recommend or require insurance riders specifically covering relay theft under comprehensive auto policies, which typically reimburse for stolen vehicles regardless of forced entry evidence.^[74] Implementing awareness training programs to educate staff on signal booster devices used in relay attacks promotes vigilance and encourages reporting of suspicious activities near entry points. These practices complement technological countermeasures like ultra-wideband (UWB) systems for distance verification.^[75]

References

[1]
[PDF] A Primer on Relay Attacks and Distance-bounding Protocols
A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties.
[2]
On addressing RFID/NFC-based relay attacks: An overview
### Abstract
[3]
https://www.association-secure-transactions.eu/data-relay-attacks-increase-in-europe/
[4]
[PDF] Confidence in Smart Token Proximity:Relay Attacks Revisited
Aug 19, 2008 · During this active relay attack the adversary could also exploit an existing weakness in the security mechanisms of the system to modify the.
[5]
[PDF] Practical Relay Attack on Contactless Transactions by Using NFC ...
Relay attacks exploit the assumption that a token is close to a reader by placing a proxy-token in range and relaying communication to a proxy-reader. NFC ...Missing: seminal | Show results with:seminal
[6]
[PDF] Relay Attacks on Passive Keyless Entry and Start Systems in ...
An example of relay attack on RFID 3 has been shown in [22]. The attack consists of first demodu- lating the signal, transmitting it as digital information ...<|control11|><|separator|>
[7]
[PDF] Practical Experiences on NFC Relay Attacks with Android
A passive relay attack forwards the data unaltered, unlike an active relay attack [14]. In this paper, we focus on passive relay attacks. Relay attacks were ...
[8]
Radio Frequency 101: Can You Really Hack a Radio Signal?
Jun 16, 2025 · Replay attacks, which are analogous to man-in-the-middle (MITM) ... relay attack allows a signal to travel farther and be used at longer distances.
[9]
Radio-Frequency Attacks: Securing the OSI Stack
Oct 20, 2025 · Robust authentication methods, such as multi-factor authentication (MFA), metric verification, and one-time passcodes, can help to mitigate ...
[10]
[PDF] Jamming Attacks and Anti-Jamming Strategies in Wireless Networks
This article surveys existing jam- ming attacks and anti-jamming strategies in wireless local area networks (WLANs), cellular networks, cognitive radio networks.
[11]
KB5005413: Mitigating NTLM Relay Attacks on Active Directory ...
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of ...
[12]
NTLM relay attacks are back from the dead - Help Net Security
Jul 4, 2025 · Relay attacks can be combined with authentication coercion attacks (like the Printer Bug or PetitPotam) that force the victim to make an ...
[13]
[PDF] Lock It and Still Lose It—On the (In)Security of Automotive Remote ...
Aug 10, 2016 · Relay attacks on passive keyless entry and start systems in modern cars. In Proceedings of the Network and Distributed System Security.
[14]
[PDF] SoK: Stealing Cars Since Remote Keyless Entry Introduction and ...
In Figure 2, we show the steps for the attackers (usually two partners) to relay the signal and steal a car. This attack targets all the legacy systems ...
[15]
https://eprint.iacr.org/2010/332.pdf
[16]
[PDF] Relay Attacks on Passive Keyless Entry and Start Systems in ...
We demonstrate relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars. We build two efficient and inexpensive attack ...
[17]
HackRF One - Great Scott Gadgets
HackRF One from Great Scott Gadgets is a Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz.
[18]
Revisiting Wireless Cyberattacks on Vehicles - MDPI
Proxmark 3 RDV4 [25] is a tool designed mainly for RFID analysis and research. It allows for testing, sniffing, replaying, and cloning devices such as RFID tags ...
[19]
[PDF] Measured Latency Introduced by RFNoC Architecture - GNU Radio
Radio Frequency Network-on-chip (RFNoC) is an open source framework to develop software-defined radio (SDR) applications that can run on an FPGA-embedded ...
[20]
German Espionage and Sabotage
... Espionage in the United States and Great Britain During World War II. New York: David McKay Company, 1971. Gimpel, Erich with Will Berthold. Spy for Germany.
[21]
RFID History: Development Timeline - Electronics Notes
The first developments were of electronic surveillance tags used for shop packaging. These very simple low cost devices were added to the outside of packages.<|control11|><|separator|>
[22]
RFID History: Background, Timeline & More - Peak Technologies
1990s. By the early and mid-90s, RFID was widely used for electronically collecting tolls on American roadways. This approach quickly became more efficient ...Missing: proliferation | Show results with:proliferation
[23]
Distance-Bounding Protocols - SpringerLink
Jul 13, 2001 · The “distance bounding” technique we introduce solves this problem by timing the delay between sending out a challenge bit and receiving back the corresponding ...
[24]
The History of RFID Technology
Jan 16, 2005 · In the early 1990s, IBM engineers developed and patented an ultra-high frequency (UHF) RFID system. UHF offered longer read range (up to 20 feet ...Missing: proliferation | Show results with:proliferation
[25]
[PDF] An RFID Distance Bounding Protocol - University of Cambridge
Radio-frequency identification tokens, such as contact- less smartcards, are vulnerable to relay attacks if they are used for proximity authentication.
[26]
Picking Virtual Pockets using Relay Attacks on Contactless ...
In this study we show that contactless smartcard technology is vulnerable to relay attacks: An attacker can trick the reader into communicating with a victim ...
[27]
Security Group: Chip & PIN (EMV) relay attacks
A demonstration of this attack was featured by BBC Watchdog on 6 February 2007. A video of the segment is available. Questions and answers.
[28]
Relay Attacks on Passive Keyless Entry and Start Systems in ...
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. Author(s): Aurelien Francillon , Boris Danev, Srdjan Capkun. Download: Paper (PDF).Missing: IOActive BMW Mercedes
[29]
'Relay crime' theft caught on camera - BBC
Nov 26, 2017 · This footage from West Midlands Police shows two men pulling up outside a victim's house in the Elmdon area of Solihull.Missing: attack | Show results with:attack
[30]
How thieves can steal a car in seconds without breaking in | Euronews
CCTV released by West Midlands Police show thieves stealing a car with the help of a relay box.
[31]
Keyless car theft: What is a relay attack, how can you prevent it, and ...
A relay attack usually involves two people working together. One stands by the targeted vehicle, while the other stands near the house with a device that can ...
[32]
CVE-2025-33073 Detail - NVD
CVE-2025-33073 Detail. Description. Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network. Metrics.
[33]
NTLM reflection is dead, long live NTLM reflection! – An in-depth
Jun 11, 2025 · In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated ...
[34]
Revealed: car industry was warned keyless vehicles vulnerable to ...
Feb 25, 2024 · Experts alerted motor trade to security risks of 'smart key' systems which have now fuelled highest level of car thefts for a decade.
[35]
Keyless Car Theft Risk 2025 | Top Insurance Guides - WeCovr
Soaring Payouts: In 2024, UK insurers paid out an estimated £1.24 billion for all motor vehicle theft claims. · Frequency of Theft: The ABI reports that a car is ...
[36]
The UK's Most Stolen Cars in 2020 | Tracker™
Feb 15, 2021 · Analysis of how criminals stole cars in 2020 reveals that keyless theft has risen to an all-time high, with 93% of all recovered vehicles ...<|separator|>
[37]
Car thefts up 29% - experts warn it could rise more in 2023
Feb 23, 2023 · Car theft rose by 29 per cent between September 2021 and the same month in 2022, according to new figures from by the Office for National Statistics (ONS).
[38]
User Context Detection for Relay Attack Resistance in Passive ... - NIH
Aug 9, 2020 · These relay attack prevention methods focus on improving the proximity detection. Ranganathan et al. [10] concluded that various attacks ...
[39]
Automotive Keyless Entry System Market Size
Oct 13, 2025 · Over 75% of newly manufactured passenger cars in North America and Europe are now equipped with either remote or passive keyless entry ...Missing: percentage | Show results with:percentage
[40]
What is relay car theft and how can you stop it?
How does a relay attack work? You need three things: Your wireless key within transmitting distance of the car (sometimes up to 100m!) A person standing near ...
[41]
Keyless Entry is a Car-Thief's Dream: Is Yours on the List? - Autoblog
Jun 15, 2025 · Recent academic research confirms: remote keyless entry is now a main attack vector, and most automakers haven't kept up with the threat.
[42]
Which Keyless Cars Get Stolen the Most? | Automotive Car Keys
Apr 29, 2025 · Relay attacks cause over 80% of keyless cars thefts. Discover the 7 most stolen models and learn how Automotive Car Keys, Chicago's trusted ...
[43]
Keyless tech is contributing to wave in car thefts, say insurers - Which?
Jul 17, 2024 · Between 60% and 70% of of cars stolen in the past 12 months were keyless, according to data from Admiral, the UK's largest car insurer. Its ...
[44]
Car owners warned as keyless thefts continue to soar - Auto Express
May 2, 2025 · Crime survey data suggests almost two thirds of car thefts are committed by manipulating a vehicle's keyless access feature.<|separator|>
[45]
Car theft: 'In 60 seconds the car was started and driving out' - BBC
Aug 22, 2024 · Home Office figures show there were more than 133,000 offences recorded in 2023-24, a 12% increase compared with 2018-19. The government said ...
[46]
[PDF] Organised Vehicle Theft in the UK: Trends and Challenges - RUSI
Data from the UK Home Office indicates that incidences of vehicle theft have risen by 75% in the past decade. This increase. – combined with the emergence of ...
[47]
Real-World Car Theft: Attack Surface Analysis - PCA Cyber Security
Jun 13, 2025 · In 2020, hackers used a smartphone app to perform an NFC relay attack on Tesla by relaying communication between the vehicle and a key card over ...
[48]
Toyota Headlight Hack and CAN bus Thefts - Ted Law Firm
Oct 29, 2025 · This article explains how the CAN bus exploit works, why models such as the Toyota RAV4, Lexus RX, Toyota Land Cruiser, and Toyota C-HR are ...
[49]
CAN Invader Attack -- Unstoppable New RAV4 Car Theft Method
Nov 7, 2022 · It is widely used to steal 5th generation RAV4s and late model Lexus throughout England and Japan in the last few months. It is called a "Can Invader Attack".
[50]
A practical relay attack on ISO 14443 proximity cards - ResearchGate
In this paper, we study the way to adapt distance bounding protocols to time-hopping ultra wide band (TH-UWB) radios.Missing: rolling | Show results with:rolling
[51]
Weaknesses of the ISO/IEC 14443 protocol regarding relay attacks
In this paper, we will present a practical implementation of a relay attack based on systems using the widely used ISO/IEC 14443 standard. We use an off-the- ...
[52]
[PDF] Security of proximity identification systems
wants to execute an active relay attack since he can try to figure out when the system is transmitting data of interest by means of simple traffic analysis.
[53]
attacks - Are there any contactless (RFID/NFC) card vulnerabilities ...
Oct 13, 2020 · The NFC relay attack is still unresolved. Most of the attacks discovered against contactless payments work on top of the relay attack.<|control11|><|separator|>
[54]
https://www.blackhat.com/docs/us-15/materials/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices.pdf
[55]
The Renaissance of NTLM Relay Attacks: Everything You Need to ...
Apr 8, 2025 · However, relay attacks can be executed with intention and precision when combined with authentication coercion attacks. Generally, the ...
[56]
NTLM relay | The Hacker Recipes
Jun 11, 2025 · One can relay LM or NTLM authentication messages over a certain protocol, say HTTP, over another, say SMB. That is called cross-protocols LM/NTLM relay.<|control11|><|separator|>
[57]
Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678)
Jan 22, 2021 · NTLM relay is a common attack technique where an attacker that compromises one machine can move laterally to other machines by using NTLM ...Ntlm Relay Basics · Dce/rpc Relay · Fix AnalysisMissing: Nightmare | Show results with:Nightmare
[58]
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
[59]
Mitigating NTLM Relay Attacks by Default - Microsoft
Dec 9, 2024 · Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an ...
[60]
[PDF] State of Attack Path Management - SpecterOps
Jul 24, 2025 · In 2024, a financially motivated threat actor compromised multiple customer environments in. Snowflake. The breach originated from infostealer ...
[61]
Next Gen Lock: the Good, the Bad, and the Smart, Part II - Fortinet
Oct 7, 2016 · The relay attack on smart locks is really just a variation on the keyless car attack described. After a number of unexplained thefts of cars ...
[62]
[PDF] IoT Device (Zigbee) Security Study - Hkcert
This study covers Zigbee technology, including its network architecture, and security features within Zigbee technology.
[63]
[PDF] Opinion: Distance Bounding Under Different Assumptions
Distance-bounding protocols were introduced in 1993 as a coun- termeasure to relay attacks, in which an adversary fraudulently forwards the communication ...
[64]
[PDF] UWB-ED: Distance Enlargement Attack Detection in Ultra-Wideband
Feb 18, 2019 · For example, distance bounding protocols return an upper bound on the measured distance, armed by the fact that an adversary would not succeed ...
[65]
[PDF] Securing Phone as a Key Against Relay Attacks
More recently, Apple has announced. CarKey, which apparently will also make use of UWB in future versions [29]. 2.1 Relay Attacks against PKES. The verification ...<|separator|>
[66]
From Key Fob to UWB: How Hackers Hijack Vehicle Entry Systems
Jun 7, 2024 · In a relay attack, hackers position one radio device near the car and another near the real key. These radio devices essentially extend the ...
[67]
Prevent Keyless Car Theft (8 Quick Tips) & What Relay Theft is
Park your car in a garage overnight is ideal to stop keyless car theft, this increases the distance between your car and potential thieves trying intercept and ...<|separator|>
[68]
Where do you park your car keys? Preventing relay attacks - Driving.ca
Nov 5, 2021 · Storing key fobs in a metal container, like a can or toolbox, can help block the signal from detection as well. Article content. The gist?Missing: practical | Show results with:practical
[69]
https://driving.ca/features/feature-story/where-do-you-park-your-car-keys-preventing-relay-attacks
[70]
In-Depth Resource for Reducing the Risk of NTLM Relay Attacks
Apr 8, 2025 · Extended Protection for Authentication (EPA) strengthens NTLM relay attack defense by ensuring authentication requests are tied to specific ...
[71]
Securing PKES against Relay Attacks using Coordinate Tracing and ...
Securing PKES against Relay Attacks using Coordinate Tracing and Multi-Factor Authentication ... To minimize both vulnerabilities, we propose a coordinate ...
[72]
Best practices for IoT security | Network World
Mar 27, 2018 · To ensure strong security for IoT and IIoT, organizations would be wise to implement several best practices, as recommended by IEEE in a 2017 report.
[73]
Does Car Insurance Cover Theft? - Progressive
Comprehensive car insurance covers theft if the car is not recovered, and may cover damages if recovered. Liability and collision do not cover theft.
[74]
How to mitigate vulnerabilities in keyless entry systems
Oct 18, 2023 · Roll jam attacks record the rolling codes and jam the RF signal from the key fob, preventing it from reaching the car. This attack scenario ...