
We Stole a Tesla with this $20 Device

Apr 15, 2024
- This is an $80,000 Tesla. And today I'm going to steal it with this $20 device. But to even get my hands on this, I had to take a journey into the dark underbelly of car hacking. (tense music) But today we're going to find out how easy it really is for thieves to hack your car. Come on. Thanks to Omaze for sponsoring today's video. My name is Jeremiah Burton and giving you the opportunity to win this car is my business. I'm here at the Petersen Museum in Los Angeles to give everyone the exciting news that the good people at Omaze are giving you a chance to win this Superformance MKIII-R.
Tax and shipping are included for US winners. Simply go to omaze.com/donut22 to enter for a chance to win. This iconic American roadster is modeled after the iconic Shelby Cobra, designed by the legend Carroll Shelby himself. Have you ever heard of him? It's powered by a 7.3-liter Ford Godzilla V8 engine, a five-speed manual transmission, and cruises down the road with an astonishing 650 horsepower. Not to mention, if you win, you get to choose the root, shade, and gorgeous color you want. And to top off this happy sandwich, donations benefit the Petersen Automotive Museum. That's where I am now.
A non-profit organization that preserves the history of the automobile and its impact on the world. They work with underserved communities, have educational programs and lead preservation activities. And your donation will help them continue building automotive history. So visit omaze.com/donut22 today to enter for your chance to win. Good luck. Alright. Now, who do I have to talk to to bring my catfish, Camaro, here? Hey? Is there anyone here? You, ma'am, with the jacket. No? No? You're not... Are you? Well, lately I've seen a lot of news articles about thieves hacking and stealing cars. And apparently, it's becoming more common.
So if these thieves can do it, is that something I can figure out? Well, I did some research and the first thing I found is something called a replay attack. Apparently, this is the easiest way to hack a car. And it works like this. When you press the lock or unlock button on your key fob, it sends a radio signal to your car, but other devices can also read that radio signal. It's out there in the ether, waiting for someone to capture it. And if you can capture that signal, in theory, you could play it and unlock a car without the key.
And it turns out that devices that do this are very common. I found this one right here on Amazon. It's called software defined radio. So I'll buy it and see if it really allows me to steal a car. And if not, I'll return it to Amazon. It is not a big thing. Well, I've spent some time with this software and I think I've figured it out. Now, the first thing I'm going to do is open a new session and I'm going to set my frequency to 315 megahertz. That's important because that's what every keychain in the United States conveys.
I'll start here and now this device looks for frequencies in the 315 megahertz range. Now what I can do is take my key fob, press unlock and this device now picks up that signal. And what I can do is save that signal. And if you look at it, this is the actual signal, that actual code that is used to unlock my catfish, Camaro. What I can do is play that same code without this key fob and unlock my car. Well, let's see if it works. Okay, so I'm out here with my catfish. We have the catfish door, it's locked.
I can't get in, but I have the code here saved on my computer and I'm crossing my fingers all I need to do is press play. It will play that code and open the door. We'll see. Here we go. Three, two, one. (bleep) (tense music) Meh. Well. Alright. (Cameraman laughs) (Jeremiah laughs) Stop. Alright, put it away. Take two. Here we go. (beep) Okay, what... (car honks) I don't. Well. The third time is the charm. Of course, it doesn't work from the beginning. That would be too easy. Here we go. Three, two, one. (tense music) Did it work?
Hey! There it goes. Hell yes. Well, that was pretty cool, but that's me breaking into my own car. What happens if I get into someone else's car? James is over there. He is in a meeting. He's a little worried. Let's see if I can get into his stuff. (upbeat music) I don't need them. Hello James. - Yeah? - I have something to show you. - Are you going to steal my car? (Jeremiah laughing) I know what the video is about. I spoke with... (Jeremiah laughing) - Go ahead. Go ahead and pull that handle. Make sure it is locked. - Is closed. - Excellent.
Do you know what I'm going to do? I'm going to unlock it. (bleep) (Jeremiah laughing) Yeah. Okay, so what I did was I took your keychain and I'm using this trick... Okay, but here's the problem with replay attacks. This would never work in a real life situation and that's because 99% of cars use something called rolling code. Every time you press the button to lock or unlock your car, the code changes. Then the code I captured with this device will no longer work. Sorry, bad guys. I guess you'll have to use a brick. And you can see here, this code is different from this code.
Once that code is reproduced, I can no longer use it. Do you see this, guys? These are different codes. They look different. See these two right here? That's like a fish and this is like a pig. But there is an even bigger problem. I can get into the car, but I can't start it. You still need a key to do that. And I want to steal a car, not just break into one. So replay attacks won't be enough. So I went back to the old Google admin and that's when I discovered relay attacks. See, unlike old caveman cars that use a key, most modern cars use something called a passive keyless entry system.
When the car detects that you are nearby, it sends a wake-up signal to the key. The key then sends an encrypted signal to the car and the two business codes multiple times, confirming that they are the correct key for the correct car. Once both are confirmed, your car will unlock and then start. And this is where relay attacks come in. You can trick a car into thinking its key is closer than it is actually transmitting the signal. It is something like a Wi-Fi range extender. So you're inside the supermarket buying hot, flaming wonder bread. Yes, it's a thing.
It's pretty good. And it turns out there's a thief right next to you boosting your key signal and sending it to his friend who's standing near your car outside. When you leave, your car has been stolen. So all I have to do now is buy one of these streaming devices. Unfortunately, I can't find one online, so I'll have to do what I said I would never do when they created the Internet, and that is buy something on the dark web. (tense music) (upbeat music) Oh, sick. Best prices in USA from developer, high quality, tested on over 200 cars, free shipping worldwide, keyless repeaters.
Let's see how much these things cost. $15,000? Where is this guy's fucking mind? We can't afford that. Let's see if I can get... Let's see if the guy will let me borrow one. So I sent a message to see if we could borrow one but got no response. So if buying one isn't an option, what about building one? So I started doing some more research. And it turns out that all I have to do is build a custom radio device and program it to receive an encrypted 125 kilohertz activation signal from the car, take a sample, and retransmit it at 2.5 gigahertz to the key.
Receive the 350 megahertz encoded response, upsample that to two and a half gigahertz. Transmit it back to the car, which will see the next response code in the sequence before the 100 millisecond timeout interval. Well. This was actually a lot harder than I thought. And at this point I spent literally weeks trying to figure this out. And I haven't been any closer to stealing a car than when I started. I've spent so many hours, obstacle after obstacle, banging my head, but I can't just fail. I'm not a failure. I have to start stealing a car or this video will be shit. (tense music) Lucky for me, I found this really smart guy, smarter than me, his name is Sultan.
So Sultan is a security researcher who hacks things to expose vulnerabilities. And I actually came across him in a news article while doing research for this video. He discovered a new type of relay attack that works on cars like Teslas. So now he himself is flying here from Canada to show me how it's done. And of course, Murphy's Law, the day he got here, I had mega diarrhea. Then Justin took over for me. Don't eat ceviche when it's hot. - Sultan is a Bluetooth hacking expert and discovered a huge vulnerability in keyless entry technology, specifically the phone as a key.
That's when you use your phone to replace your car key. And this is something that many car companies are starting to use, including Tesla. The relay attack has been around for a while. So how is this Bluetooth different from that one? - The basics are the same, in the sense that you make the two parties think they are close to each other. But the difference is that with Bluetooth, it changes frequency all the time and there is a little more complexity in handling the frequency hopping and changing direction. I mean, I only used free software and commercially available hardware.
I mean, you could make a relay device for about 10 bucks. And you need two of those. So let's say $20 is feasible to do a basic version of the attack. - How far should the device really be from the phone or car key? - I experimented a little with this and it was like 15 meters away when I was testing. With some devices, if there weren't strict latency limits, they could even be on opposite sides of the planet. - Wow. That is amazing. Let's see this in action. I'm excited. - Yes that's fine. So we're outside with this closed Tesla.
Jimmy has a phone inside over 50 feet away that has Bluetooth access to this vehicle. Just to show you that it's locked, the mirror is folded, the car is asleep, and security mode is on. So let's go ahead and see if this works. Are you guys ready? - Yeah. - Steal a damn Tesla! - Steal it! Steal it! (tense music) - Okay. Activate the device. Here we go. (tense music) - Okay, press Enter on your side. - Alright. He's doing things on the screen. (beep) (tense music) - The device has been activated. - Uh oh. (tense music) (people applauding) (Justin laughing) - But this is just the first step.
We have to go in this thing. - Did they take my Tesla? - Your Tesla is about to disappear, Jimmy. (tense music) (beeps) (people applauding) Fix it, Elon. (people clapping) (upbeat music) - This makes me happy. - Real mechanical stuff. Really excited about these shirts. I love the design. They are now available at donutmedia.com. Just get one if you want to look cool. Do not worry friend. I understand you. Real mechanical stuff. - So that was crazy. We just stole this Tesla for 20 bucks. Guys, I tell you to turn off Bluetooth. It is a simple solution to alleviate this problem.
Follow Donut on Donut Media. Follow me at Justin Freeman on Instagram. Like and subscribe. Thanks for watching. Have a good time.
