How Relay Theft Works in South Africa · The 30-Second Attack

A car is stolen every 22 minutes in South Africa (King Price, 2026). A growing share of those thefts happen at the owner’s home, in the middle of the night, with the keys still hanging on the hook in the kitchen.

The method is called a relay attack. It’s been around since 2011 in academic papers, has been weaponised for the SA market since around 2017, and is now mature enough that the equipment costs less than a decent set of golf clubs. The South African Insurance Crime Bureau flagged in 2022 that keyless-entry vehicles were already more likely to be stolen than older vehicles — the opposite of what you’d expect.

Here’s exactly how it works, why your factory immobiliser doesn’t stop it, and what does.

The 30-second mechanism, step by step

Your factory keyless-entry fob is a low-power radio. When you walk up to the car, the car broadcasts a short-range “is anyone there?” ping. Your fob hears the ping and responds with an authentication code. The car checks the code, recognises it, and unlocks. The same handshake happens again when you press the start button.

The range of that handshake is intentionally small — usually 1 to 2 metres. The car doesn’t unlock when you’re inside the house because your fob is too far away to hear the ping.

A relay attack defeats the distance limit, not the encryption.

What the thieves carry

Two radios, paired. One acts as a “relay-in” antenna, the other as a “relay-out.” They communicate with each other over a longer-range frequency (typically 2.4 GHz or LoRa).
A long-range link between the two radios — up to 100 metres between thief and accomplice.
Optional: a signal amplifier built into one of the radios, to boost a faint fob signal that’s further inside the house.

That’s it. The whole kit fits in two coat pockets. SA examples have been confiscated by SAPS in matchbox-sized 3D-printed enclosures.

The attack, second by second

T+0s. Thief A stands at your car. Thief B walks slowly along the front of your house, holding the relay-in antenna near the wall, listening for your key’s faint signal.
T+5s. Thief B’s antenna picks up the signal — even if your fob is inside, in a drawer, on a hook. The signal is amplified and re-transmitted across the long-range link to Thief A’s relay-out.
T+10s. Thief A presses the door handle of your car. The car broadcasts the “is anyone there?” ping. The relay-out radio re-broadcasts it. The car’s computer thinks the key fob is right next to it.
T+12s. Your fob, inside the house, responds. Its signal is captured by the relay-in antenna and re-broadcast at the car. The car authenticates. Door unlocks.
T+18s. Thief A gets in, presses the start button. Same handshake. Engine cranks.
T+30s. Car drives off. Thief B is already in the passenger seat or in the chase vehicle. You don’t wake up.

By the time the car is reported missing 4 hours later, it’s already across a provincial border — or sitting in a chop shop in another suburb with the VIN being changed.

Why your factory immobiliser doesn’t help

Factory immobilisers were designed in the 1990s to stop hot-wiring. They work by refusing to start the engine unless they receive a valid authentication code from the key. That’s the entire model: valid key code = trusted driver.

The relay attack doesn’t break the code — it forwards the real one. From the factory immobiliser’s perspective, the right key is in the car. There is no “but is the key really here?” check. There was no reason to build one in 1995.

The factory immobiliser doesn’t verify the driver. It verifies the key. The relay attack proves those are not the same thing.

The vehicles most at risk in SA

Any car with a proximity-unlock or push-button start fob is exposed. The South African data shows the heaviest exposure on:

Toyota Hilux — SA’s #1 stolen vehicle for eight years running, including keyless trim levels (Cartrack ZA).
Ford Ranger — particularly Wildtrak and Raptor trims, both keyless-entry standard.
Toyota Fortuner — same platform, same vulnerability profile as the Hilux.
VW Polo & Polo Vivo — high-volume targets, particularly in metro areas.
BMW 3 Series, Audi A3/A4, Mercedes-Benz C-Class — premium trims with all-keyless smart-entry are particularly exposed.

Older vehicles with a mechanical key blade and a separate immobiliser transponder are less exposed to relay specifically — but more exposed to CAN-bus diagnostic theft, which is its own briefing.

What actually stops a relay attack

There are four real countermeasures. None of them is your factory alarm.

1 · Faraday pouch (partial)

A Faraday pouch is a metal-mesh-lined wallet that blocks RF signals. Drop your fob inside, and the relay antenna gets nothing to amplify. It’s the cheapest fix on the market — under R200 — and it works.

The catch: it only works when the fob is in the pouch. Most people use it for the first three weeks, then leave the fob on the kitchen counter when they get home tired. We’ve seen this pattern in customer post-incident interviews enough times to call it the default failure mode.

2 · Steering lock (deterrent only)

A bright-yellow visible steering lock raises the time-cost of the theft from 30 seconds to 5 minutes. That’s enough to push opportunistic thieves toward a softer target. It does not stop an organised syndicate — they carry angle grinders.

3 · Tracker (recovery only)

A tracker doesn’t stop the car leaving. It tells someone where the car is afterwards. SA recovery rates with a tracker fitted sit at ~82% versus ~35% without (King Price, 2026). That’s a huge gap — but it’s not prevention. The car comes back stripped if it comes back at all, and your no-claim bonus is gone either way.

4 · A second authentication layer that doesn’t use the key

This is the prevention layer. The car requires a second authentication — independent of the fob — before the engine will crank. The relay attack passes the factory check, but the second check has nothing for the relay to forward. The engine refuses.

This is what carGuardian does. Your private PIN is tapped on existing factory dashboard buttons (steering wheel, climate, radio). The sequence is checked locally inside the unit, behind the dashboard — the PIN itself never travels off the vehicle, so there is nothing for a relay box to amplify across your driveway. The optional encrypted keyfob uses 128-bit Bluetooth, sleeps via accelerometer until physically moved, and has range measured in metres, not kilometres. Mechanism walkthrough on the homepage.

The honest line

No single layer covers everything. carGuardian closes relay attacks, key cloning, and CAN-bus diagnostic theft — the three modern methods that take most of SA’s keyless vehicles. It does not stop a flatbed-tow theft. That’s your tracker’s job. carGuardian + your existing tracker is the layered answer.

If you’ve made it this far and your car’s on the at-risk list above, the honest next step is two minutes on the compatibility checker.

Stop the relay

Engine refuses to crank without your PIN · no PIN, no engine

R7,499 once-off fitted. No monthly subscription. Three independent auth methods (PIN, encrypted keyfob, smartphone app). 186 of 500 founding slots remaining · price locked until 30 June 2026.

Book My Installation Talk on WhatsApp

Sources

King Price · Car theft statistics in South Africa (2026)
Cartrack ZA · Most-stolen car this year in SA
Tracker SA · Vehicle crime statistics
Mike Bolhuis · How criminals clone keys in SA
Track-Recovery · Relay attacks technical breakdown
South African Insurance Crime Bureau (SAICB) keyless-vehicle theft commentary, 2022.
SAPS Quarterly Crime Statistics, Q1 2025 release.