- This is an $80,000 Tesla. And today, I'm gonna steal
it with this $20 gadget. But to even get my hands on this thing, I had to take a journey
into the dark underbelly of car hacking. (tense music) But today, we're gonna figure out how easy it really is for thieves
to hack into your car. Let's go. Thanks to Omaze for
sponsoring today's video. My name's Jeremiah Burton, and giving you the chance to
win this car is my business. I'm out here at the Petersen Museum in LA to give y'all the exciting news that the good folks over
at Omaze are giving you the chance to win this
Superformance MKIII-R. The taxes and shipping
included for US winners. Just go to omaze.com/donut22 to enter for your chance to win. This iconic American roadster is modeled after the iconic Shelby Cobra, designed by the legend
Carroll Shelby himself. You ever heard of him? It's got a 7.3 liter
Ford Godzilla V8 engine, a five speed manual, and slithers down the road
with a striking 650 horsepower. Not to mention, if you win this you get to pick whatever root and tune and beautiful color you want. And to top off this happy sandwich, donations benefit the
Petersen Automotive Museum. That's where I'm at right now. A nonprofit that preserves
automotive history and its impact on the world. They work with underserved communities, boast educational programs and
lead preservation activities. And your donation will help them continue to build automotive history. So head on over to omaze.com/donut22 today to enter for your chance to win. Good luck. All right. Now, who do I have to talk to to get my catfish, Camaro, in here? Huh? Anybody around? You, ma'am, with the blazer. Nope? Nope? You're not... Nope? Okay, so I've been seeing a
lot of news articles lately about thieves hacking
into and stealing cars. And apparently, it's becoming
more and more common. So if these thieves can do it, is it something that I can figure out? Well, I did some research and the first thing I came across is something called a replay attack. Apparently, this is the
easiest way to hack into a car. And it works like this. When you hit the lock or
unlock button on your key fob, it sends a radio signal to your car, but that radio signal can
also be read by other devices. It's just out there in the ether just waiting for someone to capture it. And if you can capture that signal, theoretically, you could play it back and unlock a car without the key. And it turns out devices that
do this are super common. I found this one right here on Amazon. It's called a Software Defined Radio. So I'm gonna buy it and see if it'll actually
let me steal a car. And if not, I'll just
return it back to Amazon. No big deal. Okay, I've spent some
time with this software and I think I got it figured out. Now, the first thing I'm gonna
do is open up a new session and I'm gonna set my
frequency at 315 megahertz. Now that's important because
that is what every key fob in the United States transmits at. I'll do a start right here, and now this device right here
is looking for frequencies in the 315 megahertz range. Now, what I can do is
I can take my key fob, hit unlock, and this device
now picks up that signal. And what I can do is I
can save that signal. And if you look at it, this is the actual
signal, that actual code that's used to unlock my catfish, Camaro. What I can do is I can
play back that same code without this key fob and unlock my car. Well, let's go see if it works. Okay, so I'm outside
here next to my catfish. We got the catfish door, it's locked. Can't get in, but I have the code here
saved on my computer and fingers crossed, all I need to do is just hit play. It'll play that code and open the door. Let's see. Here we go. Three, two, one. (beeping) (tense music) Meh. Okay. All right. (cameraman chuckling) (Jeremiah laughing) Stop. All right. Save it. Take two. Here we go. (beeping) Okay, what the... (car honking) Not doing it. Okay. Third time is a charm. Of course, it doesn't work off the jump. That would be too easy. Here we go. Three, two, one. (tense music) Did it work? Hey! There it goes. Heck, yeah. Okay, so that was pretty neat but that's me breaking into my own car. What if I break into someone else's car? James is over there. He's in a meeting. He's a little preoccupied. Let's see if I can get into his stuff. (upbeat music) Don't need those. Hey, James.
- Yeah?
- I got something to show you.
- You're gonna steal my car? (Jeremiah laughing) I know the video is about. I talked to... (Jeremiah laughing)
- Go ahead. Go ahead, pull on that handle. Make sure it's locked.
- It's locked.
- Great. You know what I'm gonna do? I'm gonna unlock it. (beeping) (Jeremiah laughing) Yeah. All right, so what I did
is I took your key fob and I'm using this hack... Okay, but here's the
problem with replay attacks. This would never work
in a real life situation and that's because 99% of cars use something called rolling code. Every time you press the button
to lock or unlock your car, the code changes. So the code I captured with
this device will no longer work. Sorry, bad guys. Guess you're just gonna
have to use a brick. And you can see here, this code is different from this code. Once that code gets played,
I can no longer use it. See these, guys? These are different codes. They look different. See these two right here? That's like a fish, and this is like a pig. But there's an even bigger problem. I can break into the car,
but I can't start it. You still need a key to do that. And I wanna steal a car,
not just break into one. So replay attacks aren't gonna cut it. So I hopped back onto trusty old Google, and that's when I found
out about relay attacks. See, unlike old caveman
cars that use a key, most modern cars use something called a passive keyless entry system. When the car detects you're nearby, it sends a wake-up signal to the key. The key then sends an encrypted
signal back to the car and the two trade codes several times, confirming they are the
right key for the right car. Once both are confirmed,
your car will unlock and then start. And this is where relay attacks come in. You can trick a car into
thinking its key is closer than it actually is by
relaying the signal. It's kind of like a wifi range extender. So you're inside the supermarket buying flaming hot wonder bread. Yeah, it's a thing. It's pretty good. And it just so happens to
be a thief right next to you boosting the signal from your
key, sending it to his buddy who's standing near your car outside. By the time you get outside,
your car's been stolen. So all I got to do now is buy
one of these relay devices. Unfortunately, I can't find one online, so I'm gonna have to do the
thing I said I would never do when they created the internet, and that is buy something on the dark web. (tense music) (upbeat music) Oh, sick. Best prices in USA from developer, high quality, tested
on more than 200 cars, worldwide free shipping,
keyless repeaters. Let's see how much these things cost. $15,000? Where does this guy have his freaking mind? We can't afford that. Let's see if I can get... Let's see if the guy
will let me borrow one. So I messaged to see
if we could borrow one but I didn't get a response. So if buying one isn't an option, what about building one? So I started doing some more research. And it turns out all I have to do is build
a custom radio device and program it to receive an encrypted 125
kilohertz wake-up signal from the car, up-sample, and retransmit
that at 2.5 gigahertz to the key. Receive the 350 megahertz
encoded response, up-sample that to two
and a half gigahertz. Transmit it back to the car, which see the next coded of response in the sequence before the 100
millisecond timeout interval. Okay. Actually this was way
harder than I thought. And at this point I spent literal weeks trying to figure this out. And I haven't gotten any
closer to stealing a car than when I started. I've been spending so many hours, just roadblock after
roadblock, pounding my head, but I can't just fail. I'm not a failure. I got to get to stealing a car or else this video is gonna suck. (tense music) Luckily for me, I found
this really smart guy, smarter than me, his name is Sultan. So Sultan is a security researcher who hacks into stuff to
expose vulnerabilities. And I actually came across
him in a news article while I was researching for this video. He discovered a new kind of relay attack that works on cars like Teslas. So he's flying out here
right now from Canada to show me how it's done. And of course, Murphy's Law, the day he got here, I got mega diarrhea. So Justin took over for me. Don't eat ceviche when it's hot.
- Sultan is a Bluetooth hacking expert, and he discovered a huge vulnerability in keyless entry technology, specifically phone as a key. That's when you use your phone to replace the key of your car. And this is something that
a lot of car companies are starting to utilize, including Tesla. The relay attack has
been around for a while. So how is this Bluetooth
one different from that?
- The basic concepts are the same, in that you're making the two sides think they're close to each other. But the difference is that with Bluetooth, it's switching frequencies all the time, and there is some more complexity in handling the frequency
hopping and direction switching. I mean, I just used free
software, off-the-shelf hardware. I mean, you could make a
relaying device for like $10. And you need two of those. So let's say 20 bucks.
Making a basic version of the attack is feasible.
- [Justin] How close does the device actually need to be to the phone key or the car?
- I've experimented
with this a little bit, and there was like 15 meters
away when I was testing. With some devices, if there weren't strict latency limits, they could even be on
opposite sides of the planet.
- Wow. That's impressive. Let's go see this thing in action. I'm excited.
- Yes.
- All right. So we are outside with this locked Tesla. Jimmy has a phone inside over 50 feet away that has the Bluetooth
access to this vehicle. So just to prove to you that it's locked, the mirror is folded in, the car is asleep, security mode is on. So we're gonna go ahead and
see if this thing works. Are you guys ready?
- Yeah.
- Steal a damn Tesla!
- Steal it! Steal it! (tense music)
- All right. Activate the device. Here we go. (tense music)
- Okay, press enter on your end.
- All right. It's doing stuff on the screen. (beeping) (tense music)
- Device has been activated.
- Uh-oh. (tense music) (people cheering) (Justin laughing)
- But this is just step one. We got to drive away in this thing.
- [Jimmy] Did you guys take my Tesla?
- Your Tesla is about to disappear, Jimmy. (tense music) (beeping) (people cheering) Fix it, Elon. (people clapping) (upbeat music)
- This makes me happy.
- Real Mechanic Stuff. Really excited about these shirts. I love the design. They're now available at donutmedia.com. Just get one if you wanna look cool. Don't worry, dude. I got you. Real Mechanic Stuff.
- So that was absolutely nuts. We just stole this Tesla for $20. Guys, I am telling you, please
turn your Bluetooth off. It's a simple fix to
alleviate this problem. Follow Donut at Donut Media. Follow me at Justin Freeman on Instagram. Like and subscribe. Thank you for watching. Y'all have a good one.