how to defeat relay attack with simple metal box https://youtu.be/SSNX4o2RGK8

"I've always wondered myself about keyless tech safety for this exact reason. How can the signal not just be copied and replayed?"

Well, I can't say for certain, but if I was designing it, the signal wouldn't be the same every time. Basically, you would have an algorithm that generates a signal (essentially a large number encoded as a binary stream) based on a seed and the current time.

The seed is unique to the car and the key.

So when you press the button, the key does something like

entryCode = SomeComplexAlgorithm(seed, time())

so the car would do something like

entryRequest = GetSignal()
checkedRequest = SomeComplexAlgorithm(sameSeedAsKey, time())
if (checkedRequest == entryRequest) Unlock()

That's obviously a vast oversimplification (not sure how they'd get around the time sync), but you get the idea.

What surprises me here is not that the car starts, but that it doesn't cut out once it gets out of range of the key. Even a strong relay would only have a short range (1-2km at most?).

The key is only needed to unlock the door and press the "start" button inside. At least with Honda (not sure of others), the car will only start beeping when the key gets out of range, it won't turn off or anything (probably for safety reasons).
Also with Honda, you have to press your foot on the brake in order for the start button to work. I have seen other makes where this is not required.

I would assume that if these thieves have the tech to create the relay boxes, they also have to the tech to reprogram replacement keys for the stolen vehicle (otherwise how will they sell it on? unless it's just parted out)

Wow, you would have thought that starting the car would require proximity to the key as well. That seems like a really basic security flaw.

What happens if you leave the car unlocked (or worse, the door or window is open?

I'm surprised that these things put out a strong enough signal to get out of the house. Maybe build a case for the fob that cuts off the signal unless you hit a button and exposes enough of it for the signal to get out?

*news

Adding video to channels (News) - requested by ant.

Sorry, last message was ambiguous - you need the key fob to be in close proximity to both unlock, and to press the start button.
From the video, the thief driving the car takes his box inside the car as well, which would mimic the key in order to start it as well.

in @eric3579's 1st reply above, there is video of such a box that prevents this attack. Similar idea to a 'faraday cage', but they found that cardboard box lined with aluminum foil was most effective.