Lexus, Toyota, Ford and Porsche panned for 'poor' keyless car security


Jaguar, Audi, Mercedes and Land Rover security considered 'superior' by experts at Thatcham Research

Keyless car security systems in Lexus, Toyota, Ford and Porsche cars have been labelled 'poor' following a test by experts at Thatcham Research. And security on the Suzuki Jimny was found to be so bad that Thatcham labelled it "unacceptable".

The poor security of the vehicles leaves them vulnerable to relay attacks, whereby thieves use wireless devices to activate cars' remote central locking keys, opening the vehicles' doors and enabling the thieves to drive off.

Thatcham's latest research is the result of tests on eleven new cars conducted as the company launches a new rating system intended to provide better guidance on their security. Traditionally, it has focused on security systems rather than cars.

Six of the eleven models it reviewed were classified as 'poor', with the £15,000 Suzuki Jimny coming bottom with security labelled as 'unacceptable'. The Jimny was the cheapest car tested, with its passive keyless fob an optional extra. However, even some expensive, luxury vehicles flunked Thatcham's tests.

Vehicles with security labelled poor include the Ford Mondeo (starting price £21,495), Hyundai Nexo (£69,495 - this is not a typo), Kia ProCeed (£23,835), Lexus UX (£29,900), Porsche Macan (£46,344), and the Toyota Corolla Hybrid (£21,300).

While the Suzuki Jimny came bottom, its keyless fob is an optional extra that buyers can choose not to have. Nevertheless, Thatcham found that its security performed "badly across all criteria" and missed "fundamental security features" that consumers have a right to expect.

Four cars, though, enjoyed 'superior' security ratings. They were the Audi e-tron, Jaguar XE, Land Rover Evoque and Mercedes B-Class.

Their ratings were the result of the companies' positive response to research released in recent years warning of security flaws in keyless fob car entry and ignition systems, and of their building in mitigations to reduce the risk of relay attacks.

"We've seen too many examples of cars being stolen in seconds from driveways. Now, any vehicle that is assessed against the new Thatcham Research Security Rating, and has a vulnerable keyless entry/start system, will automatically not achieve the best rating," warned Thatcham chief technology officer Richard Billyeald.

He continued: "Security has come a long way since vehicle crime peaked in the early 1990s. But the layers of security added over the years count for nothing when they can be circumvented instantly by criminals using digital devices.

"The shame is that most of the cars rated 'Poor' would have achieved at least a 'Good' rating had their keyless entry/start systems not been susceptible to the relay attack."

Thatcham Research tests and rates car security systems, with its research used by the insurance industry in the UK. It is now rating the security of vehicles, rather than just third-party alarm and immobiliser systems, using five categories: 'superior'; 'good'; 'basic'; 'poor'; 'unacceptable'. Thatcham's tests and ratings will almost certainly affect insurance premiums when they are completed.

The threat of relay attacks on cars' passive keyless fob systems is not new, but has been highlighted by a recent increase in car thefts.
