A row has erupted between car makers and security experts after half of new cars were criticised for having poor protection against the latest theft techniques.
Thatcham Research, which assesses the security of all new cars launched in the UK and sets vehicle insurance groups, rated six of 11 models released this year as “poor” or “unacceptable” in a newly introduced test.
But manufacturers have criticised the test and claimed it creates confusion around an already complicated issue.
As part of a move to address relay attacks, which are increasingly being used by car thieves, Thatcham has started to look specifically at the vulnerability of cars’ keyless entry and start systems.
Under the test, the Ford Mondeo, Kia ProCeed, Hyundai Nexo, Porsche Macan, Lexus UX and Toyota Corolla were all given a “poor” rating for failing to provide protection from vulnerabilities in their keyless systems.
The Porsche has since been upgraded after the German car maker clarified details of how its system worked.
Suzuki’s Jimny was also given an “unacceptable” rating, despite not offering keyless entry at all.
The standard ratings are superior, good, basic, poor and unacceptable. Four models were given “superior” ratings – the Audi E-tron, Jaguar XE, Range Rover Evoque and Mercedes B-Class – with the Macan now joining them.
While the test does not currently affect a car’s insurance rating it is due to be added to the New Vehicle Security Assessment test by 2021.
Stolen in seconds
Richard Billyeald, chief technical officer at Thatcham Research commented: “We’ve seen too many examples of cars being stolen in seconds from driveways. Now, any vehicle that is assessed against the new Thatcham Research Security Rating, and has a vulnerable keyless entry/start system, will automatically not achieve the best rating.
Read more: Keyless theft: How to beat the crooks
“Security has come a long way since vehicle crime peaked in the early 1990s. But the layers of security added over the years count for nothing when they can be circumvented instantly by criminals using digital devices. The shame is that most of the cars rated ‘poor’ would have achieved at least a ‘good’ rating had their keyless entry/start systems not been susceptible to the relay attack.”
However, the Society for Motor Manufacturers and Traders (SMMT) and a number of car makers have questioned the test and said it creates confusion around the current insurance rating test.
Mike Hawes, SMMT chief executive said: “We have serious concerns about this new system, which has been developed in isolation and appears to be at odds with Thatcham’s own insurance classification. It does not compare like with like, failing to differentiate vehicles with keyless and traditional entry systems in a combined rating and failing to distinguish between different model grades and specifications.
“It confuses rather than simplifies a very complex issue and will not help consumers.”
Richard Billyeald insisted the ratings were about clarity for consumers.
He said: “We want to empower consumers to help them understand the risk of the car they are buying.
We’re making it very clear to consumers that if you have a keyless entry system fitted to the car and there’s no fix for it it will get a poor rating. Whether the security of that car is very good otherwise – which in a lot of cases it is – if you fit that vulnerable system to the car you are at much higher risk.
“We’re also saying that Audi Jaguar Land Rover and, Mercedes have keyless systems that aren’t vulnerable so as a consumer you can make your buying choice.
“This about clarity for consumers and a message to manufacturers to say ‘the solutions are there, we’re seeing them applied to some cars, lets see them applied to everything’.”
Several manufacturers told the i that the issue was an industry-wide one and they were constantly working on improving vehicle security, but some also criticised the announcement.
Kia said: “Thatcham has not communicated with us on this testing procedure and has not outlined how this rating was achieved.
“Thatcham provided Kia Motors with a report on ProCeed security in February 2019 rating the car on security measures as achieving four stars out of a possible five.
“Without detailed explanation of how this result was arrived at Kia Motors rejects the rating based on the two factors above.
Hyundai pointed: “Thatcham did not officially test the NEXO for susceptibility to relay attacks as part of its standard security rating of the vehicle.
“This test was conducted on a pre-production prototype model which was not fitted with the full security equipment including deadlocks which are standard on cars available to customers.”
Suzuki pointed out that as the Jimny doesn’t have keyless entry or start it isn’t vulnerable to relay attacks the test is designed to check for.
A spokesperson added: “Prior to UK sales introduction in January of this year, the Jimny model had its assessment carried out against the then current New Vehicle Security Assessment (NVSA) criteria in December 2017. At the time of the assessment, the NVSA 2019 was still in draft format and not shared with Suzuki until April 2018. The new testing criteria is valid from 2021.”
Porsche said it welcomed “any initiatives that help us improve our systems” but insisted: “Our cars are engineered to a very high standard and we are proud of our record in meeting and exceeding global security standards. We have confidence that our vehicle counter-measures to avert theft are robust and that our customer’s cars remain secure.”
Thieves’ tools publicly available
Ford said that it was launching more sophisticated keys for its Fiesta and Focus models between now and May to address the vulnerabilities, with other models to follow. The motion-sensitive fobs deactivate after being still for 40 seconds, stopping relay devices from working.
It added: “Keyless entry technology, which is being overridden by thieves with boosters, relay boxes and other equipment available online, has been on Fords and competitor vehicles for over 10 years. Ford has campaigned that there is no lawful reason for any member of the public to possess or use booster and relay devices, yet they remain publicly available.”