by wolrah
594 days ago
> Then, when you have received at least one lock and unlock request for a car, start retransmitting lock and unlock requests, but delayed by one request.

For this story to play out with a non-spoofable implementation the attackers would have to be present for and able to jam/intercept every use of the fob between the first one in their sequence and the present. I'm not saying it's not technically possible, but any use of the fob that slips through the cracks resets the sequence, so if the target takes the vehicle somewhere else or even just uses the fob while close enough to not be jammed the idea falls apart. Unless the target is in the habit of going back out to their parked car to retrieve things and then locking it back up it seems like that'd be a rare catch.

> (the car only needs to see the fob present briefly to start the engine, but I believe that bit is done with a relay attack. I see the guys who do this waving their suitcase antenna around people's doors regularly).

Relay attacks on pushbutton start vehicles are an entirely different matter as they do involve two-way communication and if you have the ability to start a car with one you also have the ability to unlock it with the same method. I'm just talking about traditional long range one-way fobs here.
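Added example, not part of wolrah's comment: a minimal model of a one-way rolling-code receiver, showing why a held-back code stays valid only while no later press reaches the car. It assumes a counter-based HMAC scheme with a 16-step look-ahead window; the key, window size and all names are constructed for illustration and describe no real vehicle.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16                    # assumed receiver look-ahead window

def code_for(counter):
    """Code a fob would send for a given press counter (assumed HMAC scheme)."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return code_for(self.counter)

class Receiver:
    def __init__(self):
        self.last = 0  # highest counter accepted so far

    def accept(self, code):
        # Only counters strictly ahead of the last accepted one can match.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(c)):
                self.last = c  # every code at or below c is now dead
                return True
        return False

def held_code_survives(held_back):
    """held_back[i] is True when press i never reached the car directly.
    Returns True if the newest held-back code is still accepted afterwards."""
    fob, car = Fob(), Receiver()
    held = None
    for caught in held_back:
        code = fob.press()
        if caught:
            if held is not None:
                car.accept(held)  # previous code delivered, delayed by one
            held = code
        else:
            car.accept(code)      # this press slipped through to the car
    return held is not None and car.accept(held)

if __name__ == "__main__":
    print(held_code_survives([True, True, True]))   # every press held back
    print(held_code_survives([True, True, False]))  # last press slipped through
```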