We can't afford that. Let's see if I can get...Let's see if the guy will let me borrow one. So I messaged to see if we could borrow one but I didn't get a response. So if buying one isn't an option, what about building one? So I started doing some more research and it turns out all I have to do is build a custom radio device and program it to receive an encrypted 125 kilohertz wake up signal from the car, up sample, and retransmit that at 2.5 gigahertz to the key. Receive the 350 megahertz in coded response, up-sample that two point and a half gigahertz. Transmit it back to the car, which sees the next coded of response in the sequence before the 100 millisecond timeout interval.

Okay. Actually this was way harder than I thought. And at this point I spent literal weeks trying to figure this out. And I haven't gotten any closer to stealing a car than when I started. I've been spending so many hours, just roadblock after roadblock, pounding my head but I can't just fail. I'm not a failure. I got to get to stealing a car or else this video is gonna suck.

(tense music)

Lucky for me, I found this really smart guy, smarter than me, his name is Sultan. So Sultan is a security researcher who hacks into stuff to expose vulnerabilities and I actually came across him in a news article while I was researching for this video. He discovered a new kind of relay attack that works on cars like Teslas. So he's flying out here right now from Canada to show me how it's done.

And of course, Murphy's Law, the day he got here, I got mega diarrhea. Justin took over for me. Don't eat ceviche when it's hot.

-Sultan is a Bluetooth hacking expert and he discovered a huge vulnerability in keyless entry technology, specifically phone as a key. That's when you use your phone to replace the key of your car and this is something that a lot of car companies are starting to utilize, including Tesla. The relay attack has been around for a while. So how is this Bluetooth one different from that?

- The basic concepts are the same in that making you're making the two sides think they're close to each other. But the difference is that with Bluetooth it's switching frequencies all the time and there is some more complexity in handling the frequency hopping and direction switching. I mean, I just used free software off-the-shelf hardware. I mean, you could make a relaying device for like $10. And you need two of those. So let's say 20 bucks making a basic version so of attack is feasible.

- How close does the device actually needs to be to the phone key or the car?

-I've experimented with this a little bit and there was like 15 meters away when I was testing. With some devices if there weren't strict latency limits they could even be on opposite sides of the planet.

-Wow. That's impressive.

Let's go see this thing in action. I'm excited.

- Yes.

All right. So we are outside with this locked Tesla. Jimmy has a phone inside over 50 feet away that has the Bluetooth access to this vehicle. So just to prove to you that it's locked the mirror is folded in the car is asleep security mode is on. So we're gonna go ahead and see if this thing works. Are you guys ready?

- Yeah.

Steal a damn Tesla!

- Steal it! Steal it!

(tense music)

All right. Activate the device here we go.

Okay, press enter on your end.

- Okay. It's doing stuff on the screen.

- Uh oh.

(tense music)

Vice has been activated.

Uh-oh.

(tense music)

People cheering

Justin laughing

But this is just step one. We got to drive away in this thing.

Did you guys take my Tesla?

Your Tesla is about to disappear Jimmy.

(tense music)

People clapping

Fix it, Elon.

People clapping

Upbeat music

- This makes me happy.

Real Mechanic Stuff. Really excited about these shirts. I love the design. They're now available at Donut media.com. Just get one if you wanna look cool. Don't worry dude. I got you.

Real Mechanic Stuff

So that was absolutely nuts. We just stole this Tesla for $20. Guys, I am telling you please turn your Bluetooth off. It's a simple fix to alleviate this problem. Follow Donut at Donut Media. Follow me at Justin Freeman on Instagram. Like and subscribe. Thank you for watching. Y'all have a good one.

WEBVTTKind: captionsLanguage: en- This is an $80,000 Tesla.And today, I'm gonna stealit with this $20 gadget.But to even get my hands on this thing,I had to take a journeyinto the dark underbellyof car hacking.(tense music)But today, we're gonna figure out how easyit really is for thievesto hack into your car.Let's go.Thanks to Omaze forsponsoring today's video.My name's Jeremiah Burton,and giving you the chance towin this car is my business.I'm out here at the Peterson Museum in LAto give y'all the exciting newsthat the good folks overat Omaze are giving youthe chance to win thisSuperformance MKIII-R.The taxes and shippingincluded for US winners.Just go to omaze.com/donut22to enter for your chance to win.This iconic American roadster is modeledafter the iconic Shelby Cobra,designed by the legendCarol Shelby himself.You ever heard of him?It's got a 7.3 literFord Godzilla V8 engine,a five speed manual,and slithers down the roadwith a striking 650 horsepower.Not to mention, if you win thisyou get to pick whatever root and tuneand beautiful color you want.And to top off this happy sandwich,donations benefit thePeterson Automotive Museum.That's where I'm at right now.A nonprofit that preservesautomotive historyand its impact on the world.They work with underserved communities,boast educational programs andlead preservation activities.And your donation will help themcontinue to build automotive history.So head on over to omaze.com/donut22 todayto enter for your chance to win.Good luck.All right.Now, who do I have to talk toto get my catfish, Camaro, in here?Huh?Anybody around?You, ma'am, with the blazer.Nope?Nope?You're not... Nope?Okay, so I've been seeing alot of news articles latelyabout thieves hackinginto and stealing cars.And apparently, it's becomingmore and more common.So if these thieves can do it,is it something that I can figure out?Well, I did some researchand the first thing I came acrossis something called a replay attack.Apparently, this is theeasiest way to hack into a car.And it works like this.When you hit the lock orunlock button on your key fob,it sends a radio signal to your car,but that radio signal canalso be read by other devices.It's just out there in the etherjust waiting for someone to capture it.And if you can capture that signal,theoretically, you could play it backand unlock a car without the key.And it turns out devices thatdo this are super common.I found this one right here on Amazon.It's called a Software Defined Radio.So I'm gonna buy itand see if it'll actuallylet me steal a car.And if not, I'll justreturn it back to Amazon.No big deal.Okay, I've spent sometime with this softwareand I think I got it figured out.Now, the first thing I'm gonnado is open up a new sessionand I'm gonna set myfrequency at 315 megahertz.Now that's important becausethat is what every key fobin the United States transmits at.I'll do a start right here,and now this device right hereis looking for frequenciesin the 315 megahertz range.Now, what I can do isI can take my key fob,hit unlock, and this devicenow picks up that signal.And what I can do is Ican save that signal.And if you look at it,this is the actualsignal, that actual codethat's used to unlock my catfish, Camaro.What I can do is I canplay back that same codewithout this key fob and unlock my car.Well, let's go see if it works.Okay, so I'm outsidehere next to my catfish.We got the catfish door, it's locked.Can't get in,but I have the code heresaved on my computerand fingers crossed,all I need to do is just hit play.It'll play that code and open the door.Let's see.Here we go.Three, two, one.(beeping)(tense music)Meh.Okay.All right.(cameraman chuckling)(Jeremiah laughing)Stop.All rightSave it.Take two.Here we go.(beeping)Okay, what the...(car honking)Not doing it.Okay.Third time is a charm.Of course, it doesn't work off the jump.That would be too easy.Here we go.Three, two, one.(tense music)Did it work?Hey!There it goes.Heck, yeah.Okay, so that was pretty neatbut that's me breaking into my own car.What if I break into someone else's car?James is over there.He's in a meeting.He's a little preoccupied.Let's see if I can get into his stuff.(upbeat music)Don't need those.Hey, James.- Yeah?- I got something to show you.- You're gonna steal my car?(Jeremiah laughing)I know the video is about.I talked to...(Jeremiah laughing)- Go ahead.Go ahead, pull on that handle.Make sure it's locked.- It's locked.- Great.You know what I'm gonna do?I'm gonna unlock it.(beeping)(Jeremiah laughing)Yeah.All right, so what I didis I took your key foband I'm using this hack...Okay, but here's theproblem with replay attacks.This would never workin a real life situationand that's because 99% of carsuse something called rolling code.Every time you press the buttonto lock or unlock your car,the code changes.So the code I captured withthis device will no longer work.Sorry, bad guys.Guess you're just gonnahave to use a brick.And you can see here,this code is different from this code.Once that code gets played,I can no longer use it.See these, guys?These are different codes.They look different.See these two right here?That's like a fish,and this is like a pig.But there's an even bigger problem.I can break into the car,but I can't start it.You still need a key to do that.And I wanna steal a car,not just break into one.So replay attacks aren't gonna cut it.So I hopped back onto trustee old Google,and that's when I foundout about relay attacks.See, unlike old cavemancars that use a key,most modern cars use something calledpassive keyless entry system.When the car detects your nearby,it sends a wake up signal to the key.The key then sends an encryptedsignal back to the carand the two trade codes several times,confirming they are theright key for the right car.Once both are confirmed,your car will unlockand then start.And this is where relay attacks come in.You can trick a car intothinking it's key is closerthan it actually is byrelaying the signal.It's kind of like a wifi range extender.So you're inside the supermarketbuying flaming hot wonder bread.Yeah, it's a thing.It's pretty good.And it just so happens tobe a thief right next to youboosting the signal from yourkey, sending it to his buddywho's standing near your car outside.By the time you get outside,your car's been stolen.So all I got to do now is buyone of these relay devices.Unfortunately, I can't find one online,so I'm gonna have to do thething I said I would never dowhen they created the internet,and that is buy something on the dark web.(tense music)(upbeat music)Oh, sick.Best prices in USA from developer,high quality, testedon more than 200 cars,worldwide free shipping,keyless repeaters.Let's see how much these things cost.$15,000?Where does this guy has his freaking mind?We can't afford that.Let's see if I can get...Let's see if the guywill let me borrow one.So I messaged to seeif we could borrow onebut I didn't get a response.So if buying one isn't an option,what about building one?So I started doing some more research.And it turns outall I have to do is builda custom radio deviceand program itto receive an encrypted 125kilohertz wake up signalfrom the car,up sample, and retransmitthat at 2.5 gigahertzto the key.Receive the 350 megahertzin coded response,up-sample that two pointand a half gigahertz.Transmit it back to the car,which see the next coded of responsein the sequence before the 100millisecond timeout interval.Okay.Actually this was wayharder than I thought.And at this point I spent literal weekstrying to figure this out.And I haven't gotten anycloser to stealing a carthan when I started.I've been spending so many hours,just roadblock afterroadblock, pounding my head,but I can't just fail.I'm not a failure.I got to get to stealing a caror else this video is gonna suck.(tense music)Luckily for me, I foundthis really smart guy,smarter than me, his name is Sultan.So Sultan is a security researcherwho hacks into stuff toexpose vulnerabilities.And I actually came acrosshim in a news articlewhile I was researching for this video.He discovered a new kind of relay attackthat works on cars like Teslas.So he's flying out hereright now from Canadato show me how it's done.And of course, Murphy's Law,the day he got here, I got mega diarrhea.So Justin took over for me.Don't eat ceviche when it's hot.- Sultan is a Bluetooth hacking expert,and he discovered a huge vulnerabilityin keyless entry technology,specifically phone as a key.That's when you use your phoneto replace the key of your car.And this is something thata lot of car companiesare starting to utilize, including Tesla.The relay attack hasbeen around for a while.So how is this Bluetoothone different from that?- The basic concepts are the same,in that making you'remaking the two sides thinkthey're close to each other.But the difference is that with Bluetooth,it's switching frequencies all the time,and there is some more complexityin handling the frequencyhopping and direction switching.I mean, I just used freesoftware off-the-shelf hardware.I mean, you could make arelaying device for like $10.And you need two of those.So let's say 20 bucksmaking a basic versionsof attack is feasible.- How close does thedevice actually need to beto the phone key or the car?- I've experimentedwith this a little bit,and there was like 15 metersaway when I was testing.With some devices,if there weren't strict latency limits,they could even be onopposite sides of the planet.- Wow.That's impressive.Let's go see this thing in action.I'm excited.- Yes.- All right.So we are outside with this locked Tesla.Jimmy has a phone insideover 50 feet awaythat has the Bluetoothaccess to this vehicle.So just to prove to you that it's locked,the mirror is folded in,the car is asleep,security mode is on.So we're gonna go ahead andsee if this thing works.Are you guys ready?- Yeah.- Steal a damn Tesla!- Steal it! Steal it!(tense music)- All right.Activate the device.Here we go.(tense music)- Okay, press enter on your end.- All right.It's doing stuff on the screen.(beeping)(tense music)- Vice has been activated.- Uh-oh.(tense music)(people cheering)(Justin laughing)- But this is just step one.We got to drive away in this thing.- Did you guys take my Tesla?- Your Tesla is about to disappear, Jimmy.(tense music)(beeping)(people cheering)Fix it, Elon.(people clapping)(upbeat music)- This makes me happy.- Real Mechanic Stuff.Really excited about these shirts.I love the design.They're now available at donutmedia.com.Just get one if you wanna look cool.Don't worry, dude.I got you.Real Mechanic Stuff.- So that was absolutely nuts.We just stole this Tesla for $20.Guys, I am telling you, pleaseturn your Bluetooth off.It's a simple fix toalleviate this problem.Follow Donut at Donut Media.Follow me at Justin Freeman on Instagram.Like and subscribe.Thank you for watching.Y'all have a good one.