A changing industry
Today, a shift towards keyless entry may seem as though this close association is fading away. The digitalisation of cryptography has resulted in keys becoming more about digital security systems, and less about physical units. As with any type of security, lock and key systems have always had to contend with lockpickers, and car security is no different.
What are the benefits of digital keys?
As manufacturers enjoy the benefits of innovative digital keys, our interactions with car keys are changing. Remote ‘zappers’ have been around for a while, but the adoption of true keyless entry has been difficult, creating new opportunities to improve security and convenience, but also more challenges which can be exploited by ‘digital lockpickers’.
Using a digital key has many advantages over a physical one. From an administration perspective, a digital key can be altered or disabled at any time. You don’t have to worry about a key getting lost and you can imbue them with a limited lifespan when issued.
Think about hotel keys as a good example of this – how many hotels still issue anything other than something that looks like a plain credit card? They’re easy to switch around and cheap to replace.
Other innovations include a limited use, a digital only key that a person can take with them while undertaking sporting activities. The key itself doesn’t require power and can therefore be dunked in water without fear of damage if the holder accidentally leaves it in their swimming shorts!
When is a key not a key?
The innovation we’ve been taking an interest in recently is the shift to allow car owners to use their mobile phone as a key. Or, in the case of some models of modern vehicles such as Tesla’s, to insist upon it. Smartphone manufacturers and operating system developers including Apple, Android and Google, have developed new apps which create a digital copy of a car’s key which is stored directly on the phone. It can be used to lock, unlock and start the vehicle it is programmed to, much like a traditional key fob.
As part of our ongoing work with the automotive industry, and innovation in general, we routinely conduct our own research into emerging technologies and how they impact security. Regardless of how new and shiny a technology is, good security principles never go out of fashion. Our research into mobile phone-based keys has yielded quite positive results, with a few caveats.
The technology used to transmit key data (typically NFC or Near Field Contact) between the phone and the car can bypass some of the inherent risks of using fob based keyless entry by simply requiring the key device to be in much closer proximity to the vehicle.
NFC requires the two units to be within a few centimetres of each other, making the attacks made on keyless entry (where attackers relay the signal over a much longer distance, assuming they can get close enough to the key fob) much more unlikely.
It can also allow flexibility of use (much like the aforementioned hotel key) in that a short-term key can be issued to a friend or someone simply borrowing the car. They don’t even have to be in proximity to perform a handover. It’s the ultimate tool in easy car-sharing! Apple has even made it possible for an iPhone to temporarily power up its NFC controller by using reserve battery stores to use the digital key even when the device’s main battery has been drained.
As well as flexibility, this can lead to better practice, as people no longer have to post keys or hide them under a rock. The phone-based key doesn’t even have to be returned, it can just be disabled or left to expire as originally set.
Locking in security
Digital car keys have the potential to improve security and flexibility greatly for car owners (and their friends!), but vigilance is required to ensure that the right measures are in place. The automotive industry is a high-ticket sector that has billions of pounds worth of hardware in circulation at all times, so as it increasingly relies on digital technology, hackers will continue to attempt to identify opportunities to cause disruption.
On the assumption that the cryptographic and transmission security between the phone and car are sufficient, then the focus will shift to two other areas; the phone itself and the supporting infrastructure.
For the car manufacturer, relying on the phone to provide adequate security can be quite tricky, as it is completely out of their hands. A serious flaw in the phone’s operating system could wreak havoc within any application that relies on it, from digital car keys to banking apps. On the plus side, a security patch is typically only a download away. This is much easier to fix than replacing everyone’s car keys when a new flaw in keyless entry is discovered.
From the hacker’s perspective, the supporting infrastructure would be a tough nut to crack but could also yield the greatest results, as they would have access to a large number of keys, rather than just a single one. The user is also reliant on the manufacturer to keep their keys safe, unlike when they have a physical key which is theirs to protect.
Things get even more complicated now that common platforms are emerging, allowing key sharing and management across a range of manufacturers. The entire infrastructure is becoming increasingly convoluted, which is something that we, as security experts attempt to avoid.
In such a high value industry, it can seem that cyber-attacks are almost inevitable. With the correct investment in expert advice and partnerships, manufacturers can move quickly and decisively to protect their products and their customers from the modern carjacker.
As experts in Information Assurance (IA) and cyber resilience, we explore, secure and assure complex systems that combine digital technology and people, helping to ensure integrity, availability and confidentiality. By combining the skills of security professionals, human scientists and technologists, risk can be assessed and managed to ensure that people and data security can be built into new technology systems from the outset.
For more information on how we can help you, get in touch.