When Steve Jessopâs electric Hyundai car was stolen outside his west London house on a rainy day earlier this month, he appealed to neighbours for potential footage of the crime.
He quickly secured a CCTV video and was stunned at the ease with which his car had been taken. A hooded figure approached it, opened the doors without forced entry, started the engine and drove off.
Jessopâs car had gone in 20 seconds. The keys to his Hyundai Ioniq 5 were still inside his house and there was no sign of an accomplice.
âIt was just incredible,â said Jessop. âI looked at it and thought: how did that happen? I genuinely thought with all the technology in this car that no one could steal it.â
Jessop got no further clues from the Metropolitan police. He filed a report on the night of the theft on 8 February and was told by email at lunchtime the next day the case had been closed.
While Jessop was left mystified at how his car had been stolen, motor industry sources who spoke to the Observer last week were less surprised.
They revealed that hi-tech devices disguised as handheld games consoles are being traded online for thousands of pounds and are used by organised crime gangs to mimic the electronic key on an Ioniq 5, opening the doors and starting the engine.
The device, known as an âemulatorâ, works by intercepting a signal from the car, which is scanning for the presence of a legitimate key, and sending back a signal to gain access to the vehicle. Many owners of Ioniq 5s, which sell from around £42,000, now use steering locks to deter thieves.
Hyundai says it is looking at measures to prevent the use of emulators âas a priorityâ. But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted.
British motorists now face an increase in the number of thefts and rising insurance premiums. (Even before Jessopâs car was stolen, his annual car insurance premium had risen from £574 to £2,240.) Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 â an increase of more than 50%.
Part of the reason, say experts, is the rise of keyless entry. Push-button keyless entry fobs for cars were first introduced in the 1980s and by the late 1990s car manufacturers were introducing keyless ignition systems, but this was generally restricted to luxury cars. Subsequently, modern âsmart keyâ fobs, which unlock the car when the owner approaches without the need to press a button, have become more common, offering new security loopholes for crime gangs.
Motoring lawyer Nick Freeman said: âThere is a strong legal argument to say these cars are insecure and not fit for purpose. The motoring industry has been negligent. It has failed to prioritise security and motorists are paying the price.â
An Observer investigation has found how the industry was warned more than a decade ago of problems in the software it was deploying in cars. A report in 2011 from the University of California and the University of Washington warned of the security vulnerabilities of modern cars, implementing an âattackâ to âunlock the doors [and] start the engineâ.
The next year, Stephen Mason, a retired barrister and co-editor of the book Electronic Evidence and Electronic Signatures, warned in an issue of Computer Law and Security Review that there was an âincreasing amount of technical literature on how keyless entry systems can be undermined successfullyâ. He warned of the risk of ârelay attacksâ on smart key systems. A thief using this technique can use software to extend the range of the signal the key is broadcasting â even if it is inside a home â activating the unlocking sequence and allowing the car to be driven.
By early 2015, the Met was warning that 6,000 cars and vans a year were being stolen without the keys. Last year insurance company Aviva said owners of modern keyless vehicles were twice as likely to make a theft claim. The Met also identified car models âvulnerable to new theft devicesâ which included the Kia Niro and the Hyundai Ioniq.
Ben Pearson, a former traffic officer with West Yorkshire police and adviser to Nextbase, a dashcam maker, said most of the car thefts he dealt with during his last year with the force in 2020 involved relay attacks on keyless-ignition vehicles. He said: âItâs amazing that you donât need any training and you can steal someoneâs car in seconds.â
Another common attack is to hack into the vehicleâs onboard diagnostic port, which is typically under the dashboard and allows access to the vehicle computer systems via a connector for various tasks. It can be used by thieves to programme a new key linked to the vehicle, but they need to find a way to gain entry to the car first.
Martin East, 58, an engineer from Crowborough, East Sussex, had his 2011 Audi S4 stolen last month without the keys, but police have since recovered it. âI wasnât aware a thief could plug into the onboard diagnostics until a few weeks ago, but the industry has been aware for 10 years,â said East. âI think theyâve been lazy.â
The car industry has implemented various software security upgrades in recent years, but faces criticism for responding too slowly to warnings. Jaguar Land Rover announced a £10m investment to upgrade commonly stolen models built between 2018 and 2022 after a spate of thefts, and complaints from owners that their vehicles were in effect uninsurable.
Last year, Ken Tindell, a vehicle technology specialist at the software consultancy JK Energy, demonstrated how a thief could gain access to the systems of a vehicle via wiring behind the headlight, and exploit a vulnerability to unlock the car and start the engine. The device he obtained was promoted with the claim it could target some Toyota and Lexus vehicles.
Tindell said he had raised his security concerns more than a decade ago with the industry. âThe prevailing view was that criminals are nowhere near educated and smart enough to break into the internal car electronics,â he said. âWhat they didnât realised was that somebody would make a box and automate it all for them.â
The Observer last week found a range of devices for âprogramming keys and emergency startsâ being promoted online for up to £5,000. The âsmart deviceâ claims to cover a wide range of manufacturers.
Steve Launchbury, principal engineer at Thatcham Research, a risk intelligence organisation funded by the UKâs insurance industry, said: âIn the old days, there was an effort involved in forcing entry into a vehicle. These devices tend to do it all for you. The industry should be looking to close the vulnerabilities more quickly.â
Launchbury said the advice to motorists was to inform themselves about their vehicleâs security systems and features and, where under manufacturerâs warranty, to consult that manufacturer before installing any electronic theft prevention measures. He said trackers and steering locks could both be effective.
The Met said it ârecognises the impact that motor vehicle crime can have on victims,â adding: âAny allegation of crime reported to the police will be assessed to see if there are any viable lines of inquiry including forensic opportunities that can be progressed.â
Hyundai Motor UK said: âWe are aware of a small number of Ioniq 5 thefts. This is an industrywide issue. The criminals appear to be using devices to illegally override smart key locking systems. Hyundai is working closely with law enforcement in the UK. To date, we have helped to recover around 75% of vehicles. We are looking as a priority at a number of measures to help prevent or deter these criminal acts.â
Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: âToyota and Lexus are continuously working on developing technical solutions to make vehicles more secure. Since introducing enhanced security hardware on the latest versions of a number of models, we have seen a significant drop-off in thefts. For older models we are currently developing solutions.â
The Society of Motor Manufacturers and Traders (SMMT) said that rising theft was not caused by alleged failures in car security, but organised crime groups. The SMMT said vehicle security was a âcrucial priorityâ for the industry, which was working to reduce vehicle theft, but that it was in an âarms raceâ against criminals.
