For the better part of a decade, car theft in the UK has been running on a dirty open secret. You could walk into any Telegram channel, drop €15,000 on a device that looks like a game console, and drive away in a Hyundai Ioniq 5 in under 20 seconds. Not because you’re a skilled thief — because you bought a signal emulator.
That open secret just got a lot harder to keep.
The Crime and Policing Act 2026, now law with royal assent, bans the possession and distribution of electronic devices used to hack vehicles. Maximum penalty: five years and an unlimited fine. It’s the first UK legislation to directly address the hardware side of the keyless theft epidemic — and it’s about time.
The Numbers Tell the Story
Vehicle theft has jumped 60% in the UK over the past decade, and the Home Office estimates these devices are behind 40% of those thefts. That’s not opportunistic joyriding anymore — that’s organised crime operating an industrial-scale supply chain for digital break-in tools.
These aren’t sophisticated zero-days. Relay attacks work because keyless fobs are always broadcasting, always listening. A booster device captures the fob’s signal from inside a house (yes, through walls) and relays it to a transmitter near the car. The car thinks the key is right there. Door opens, engine starts, car gone. Total exploit time: 20 seconds. Required skill level: none.
If you’ve ever wondered why your neighbour’s Ioniq 5 has a steering wheel lock despite a £45,000 price tag — this is why.
The Hyundai Factor
Elliott Ingram’s Hyundai Ioniq 5 was stolen from outside his London home in February 2025 using exactly this method. He’s now suing Hyundai Capital UK, arguing the manufacturer knew about the vulnerability since October 2023 and failed to warn customers. Hyundai’s response? A £49 subsidised software and hardware upgrade — not free — offered on vehicles that sold for upwards of £40,000.
Hyundai says “Ioniq 5 was sold from launch in 2021 with all the latest security technologies applied” and that “no vehicles were reported stolen using this particular form of keyless theft until late 2023.” That’s a carefully worded dodge: they’re not saying no customers were affected, they’re saying no one reported it. And the vehicles placed in market from February 2024 now have updated hardware — which quietly admits the original had a gap.
Thatcham Research CEO Jonathan Hewett called the new legislation “a landmark moment,” noting that prosecuting someone carrying one of these devices was previously “very difficult unless it could be linked to a specific reported crime.” Translation: catching thieves in possession of a signal emulator meant proving they’d already used it for theft — a chicken-and-egg problem that made enforcement nearly impossible.
What This Means for Automotive Security
This law does more than deter thieves. It puts automakers on notice. Here’s why that matters:
The software-defined vehicle is here. Modern cars are basically computers on wheels with increasingly complex wireless attack surfaces — keyless entry, OTA updates, smartphone-as-key, telematics. Every new convenience feature is another potential relay point. The industry has been treating vehicle security reactively, and the gap between “we didn’t know” and “we should have known” is narrowing fast.
The supply chain for these devices is global and digital. The ban will push distribution further underground, but the Russian marketplace still advertising a €15,000 key emulator isn’t going anywhere. What changes is the domestic risk calculus — carrying one in the UK now carries real consequences.
Manufacturer liability is the next front. Ingram’s lawsuit isn’t an outlier. When a known and documented vulnerability exists, and the fix costs £49 per vehicle, and the baseline theft rate has spiked 60% — plaintiffs’ lawyers are going to notice. The new law creates a clearer legal framework for holding distributors accountable, but it also sharpens the question of who’s responsible for the original vulnerability.
The Harder Problem
Banning the hardware is a good first step. But it addresses the tool, not the systemic issue: the car industry’s approach to digital security is still catching up to the threat model.
Keyless systems that constantly broadcast their presence are a design choice, not a law of physics. Ultra-wideband (UWB) technology, already available in newer vehicles, uses precise time-of-flight measurement to detect relay attacks — if the signal takes too long to arrive, the car knows something’s fishy. But hardware updates take years to roll out, and the installed base of vulnerable vehicles will be on the road for another decade.
The real transformation happens when automakers start treating security as a core design constraint rather than an aftermarket upgrade. The UK’s ban raises the floor. Now the industry needs to raise the ceiling.
For anyone driving a keyless car today: buy a Faraday pouch for your fob. Park in a garage if you can. And if you drive a pre-2024 Ioniq 5, that £49 upgrade might be the best money you spend this year.
The signal hijackers just lost their legal gray area. But the arms race between car security and car thieves isn’t over — it’s finally being fought in public.
Source: The Observer
