Your Car Has Been Watching You This Whole Time.

Added: 2026-05-25

[00:00:00]The CAN bus or controller area network is the central nervous system of your vehicle controlling everything from your brakes to your steering wheel. This internal network sits practically unprotected, which means police can now stop your car while you're driving by simply injecting shutdown codes into the system.

[00:00:20]They are not the only ones who know how to do this. This is the story of how a protocol designed in 1983 became the backbone of every modern automobile. How thieves learn to exploit it with $10 worth of components hidden inside a Bluetooth speaker. And how law enforcement turns your car into the most powerful surveillance device you never knew you owned.

[00:00:45]It starts in a lab in Stuttgart, Germany. In 1983, an engineer named Uwe Kiencke at Robert Bosch GmbH began developing a new way for the electronic components inside a car to talk to each other. At the time, vehicles were becoming increasingly computerized and every new feature meant more wiring, more weight, more complexity. [music] Kiencke and his team, including Siegfried Dais and Martin Litschel, envisioned a single shared communication line, a digital nervous system that would let every electronic module in the car exchange messages on one network.

[00:01:24]In February 1986, they introduced their creation at the Society of Automotive Engineers Congress in Detroit. They called it the controller area network or CAN bus. Intel released the first CAN controller chip in 1987.

[00:01:40]Mercedes-Benz put it into production S-class vehicles by 1991. The ISO published a formal standard in 1993 and by 1996, every car and light truck sold in the United States was required to use OBD-II diagnostics. By 2008, CAN became mandatory for all new American vehicles under NHTSA regulations.

[00:02:03]Today, a modern automobile may have as many as 70 electronic control units connected through this network. Your engine, transmission, anti-lock brakes, power steering, airbags, cruise control, windows, mirrors, infotainment system, and if you drive a hybrid or electric vehicle, your entire battery management system all communicate through CAN bus.

[00:02:28]The newer CAN FD protocol offers faster data rates, but maintains the same fundamental security vulnerabilities.

[00:02:37]Here is the fundamental problem.

[00:02:39]The protocol was designed in the 1980s before anyone imagined cars would connect to the internet. CAN messages carry no authentication, no encryption, and no verification that a message actually came from the module it claims to come from. Any device connected to the network can send any command to any system, which means if you can access the wires, you can control the car.

[00:03:06]Here's what I want you to sit with for a second. Before I keep going, if your car can be controlled by anyone who reaches the wires behind your headlight, does it really belong to you?

[00:03:17]Or are you just the person paying the insurance on a machine that answers to whoever gets there first? Drop it in the comments.

[00:03:25]And if you want to know what comes next, hit subscribe and turn on the notification bell because the next video pulls on a thread most drivers have never thought twice about. Every time you breeze through a toll booth, your transponder is broadcasting a signal.

[00:03:42]The internet says those overhead gantries can shut your engine down.

[00:03:46]The truth is stranger.

[00:03:49]Your easy pass cannot stop your car, but something on those same highways already can. And a privacy group proved it by driving a cow-shaped device through Manhattan that moved every time someone read their tag. That video drops next week.

[00:04:07]In July 2015, two of the most technically proficient hackers on Earth proved exactly how dangerous this could be.

[00:04:16]Charlie Miller, a former National Security Agency hacker, and Chris Valasek, a security researcher who would go on to become director of cybersecurity at Cruise, remotely hijacked a Jeep Cherokee while it was driving on a highway outside St. Louis.

[00:04:33]They accessed the vehicle through its cellular-connected infotainment system, pivoted to the CAN bus, and took control of the steering, the brakes, and the transmission.

[00:04:44]The driver, a journalist who had volunteered for the demonstration, found himself sitting helplessly as his vehicle decelerated on a busy interstate.

[00:04:54]Fiat Chrysler recalled 1.4 million vehicles.

[00:04:58]>> [music] >> During an earlier test on a country road, the hack actually sent the Jeep into a muddy ditch.

[00:05:05]A crop duster pilot spotted the disabled vehicle and called 911, and a police officer showed up to investigate.

[00:05:13]Miller had been running the attack from the back seat. Valasek later said something chilling about the state of automotive security.

[00:05:21]The biggest obstacle to hacking a vehicle was not any technical barrier in the hardware or software, but simply that researchers were unfamiliar with how these systems worked. As he put it, this is like hacking web browsers 10 years ago, where people are just learning about how they work and what you can do with them.

[00:05:41]The criminals learned fast.

[00:05:44]In 2023, Ian Tabor, who runs the UK chapter of car hacking village, had his Toyota RAV4 stolen from outside his home near London. Days earlier, he had found damage to his car, evidence of an unsuccessful attempt. Working with Dr. Ken Tindell, chief technology officer of Canis Automotive Labs, Tabor investigated and uncovered a technique now known as a CAN injection attack.

[00:06:11]The vulnerability was assigned an official CVE identifier, CVE-2023-29389.

[00:06:21]The method is disturbingly simple.

[00:06:23]Thieves pop open a headlight assembly, access the CAN bus wiring behind it, and connect a small device that floods the network with fake messages.

[00:06:33]>> [music] >> These messages tell the car's security system that a valid key is present. The engine starts, and the thief drives away.

[00:06:41]This differs from older relay attacks, which amplify legitimate key fob signals, because CAN injection bypasses the key entirely.

[00:06:50]The device can sell for as much as $5,400 on dark web marketplaces, but it is built from roughly $10 in components.

[00:07:00]The real value lies in the programming.

[00:07:03]In a detail that borders on dark comedy, the Toyota version of this device hides inside a JBL Bluetooth speaker case, giving thieves plausible deniability if stopped by police.

[00:07:15]Estimates suggest more than 120,000 Toyota and Lexus vehicles sold in the UK since 2012 may be vulnerable. In Canada, in 2024, the Toyota RAV4 was stolen more than 2,000 times, while the Lexus RX series recorded over 1,000 thefts nationwide. Based on intelligence from 2024 and 2025, CAN injection attacks are projected to become the number one vehicle theft method by 2026.

[00:07:48]But here is where the story takes its most [music] unsettling turn.

[00:07:52]The same vulnerability that lets thieves steal your car also lets law enforcement read your life.

[00:07:59]Berla Corporation launched a vehicle forensics tool in 2013 that could [music] extract data from 80 car models.

[00:08:06]Today, that number exceeds 14,000.

[00:08:10]Berla's technology allows investigators to pull text messages, GPS location history, emails, call logs, photographs, videos, contact lists, social media feeds, and data as granular as when a car door opens and closes.

[00:08:28]In a murder case in Kalamazoo County, Michigan, detectives spent more than 2 years investigating the death of Ronald French without making an arrest.

[00:08:37]Then they discovered digital vehicle forensics.

[00:08:41]They returned to French's 2016 Chevy Silverado and extracted timestamped recordings from the hands-free system.

[00:08:49]Someone had been playing Eminem through the truck's speakers at the time of the murder, and the voice was identified by family members as belonging to Joshua Wessel, a man who used to work on cars with French.

[00:09:03]US Customs and Border Protection paid more than $450,000 for five Berla forensic kits, while a sheriff's department in San Antonio acquired the technology for just $15,000.

[00:09:16]Berla's chief executive officer, Ben Lemire, has stated publicly that his company assisted in virtually every major terrorism investigation in recent years, including the Paris bombings, the Chattanooga shooting, and San Bernardino.

[00:09:32]99% of registered vehicles in the United States now carry event data recorders, devices embedded beneath the carpeting that continuously measure speed, braking, acceleration, steering input, and crash forces. 90% of new vehicles sold are connected, constantly registering with cell towers and transmitting data even when parked, even when the owner has no active subscription to any connected service.

[00:09:59]New UNECE regulations R155 and R156 require cybersecurity management systems for vehicles sold in Europe starting 2024.

[00:10:12]Though most security frameworks like AUTOSAR SecOC are still in development, cars in the United States generate 25 GB of data per hour. The average American spends 728 hours per year in a vehicle, which means your car knows where you went, how fast you drove, who you called, what you texted, and what music you played while doing it. The legal protections are thinner than you might think. Only five automakers, GM, Ford, Honda, Stellantis, and Tesla, require a warrant before handing location data to law enforcement. Only Tesla notifies owners about government demands. The automobile exception to the Fourth Amendment, the same legal doctrine that lets police search your trunk for drugs without a warrant, may well extend to the computer systems inside your car.

[00:11:02]The CAN bus system was an engineering marvel of the 1980s, a protocol so elegant and efficient that it now operates in boats, farm equipment, aircraft, and even spacecraft. There is a CAN bus orbiting Mars right now. But in your driveway, it remains a 40-year-old network with no locks on the doors, serving simultaneously as a tool for thieves who want your car and a window for anyone who wants your data.

[00:11:31]The only question left is who gets there first.

[00:11:35]If you want to know how the police can now stop your car while you drive and how a $10 part can silently destroy your engine, those videos are on your screen right now. Subscribe and thanks for watching.