The use of mobile phone-based automotive digital keys is considered to be the future of software-defined cars. However, experts in automotive cybersecurity are still evaluating the security of digital keys, despite the claims made by the industry.
The use of digital keys has become commonplace, despite concerns about their security. With the help of automotive digital keys, drivers can start their cars using their smartphones, smartwatches, and other connected devices.
This has made it possible to unlock and start a car with just a tap or a swipe. In addition, digital keys enable car owners to set restrictions, such as controlling the duration of usage, setting minimum and maximum speeds, and restricting access to specific parts of the vehicle.
However, experts are still investigating whether digital keys are as secure as the industry claims. According to the Car Connectivity Consortium, a majority of drivers who use mobile phones to access and start their vehicles find it convenient but still express concerns about security.
Jason Kent, a "hacker in residence" at Cequence Security, a cybersecurity firm in Sunnyvale, Calif., stated that "the keys are exploitable."
The Car Connectivity Consortium, which has over 200 members including most automakers, sets standards for digital key systems and keeps a watch on the issues related to it. The consortium is also looking to ensure that vehicle access using smart devices is future-proof.
The charter members of the consortium include Apple, BMW, Denso, Ford, General Motors, Google, Honda, Hyundai, Mercedes-Benz, NXP, Panasonic, Samsung, Thales, Xiaomi, and Volkswagen.
Automotive digital key technology primarily relies on near-field communication and Bluetooth low-energy technology.
Michael Leitner, senior director of smart car access at chipmaker NXP and vice president of communications at the Car Connectivity Consortium, stated that it is a mature technology and difficult to access the keys unless one is a government or an agency like the CIA.
Leitner also stated that the software and safeguards for automotive digital keys have advanced so much that it is challenging and time-consuming to hack the technology.
Ken Tindell, co-founder of Canis Automotive Labs, a U.K. automotive and aerospace security technology firm, praised the Car Connectivity Consortium's work and stated that the concepts for key management offer useful functionality and address several issues related to vehicle key security.
Automotive cybersecurity experts are currently investigating the security of digital keys used in cars. Recent car thefts in the UK have raised concerns about the effectiveness of keyless systems, which were hacked using relay attacks or "key cloning."
These incidents demonstrate that the industry may have underestimated the importance of vehicle security.
As a response to such attacks, automakers have introduced keys that go into sleep mode, while vehicle owners have resorted to alternative strategies such as storing keys in metal containers like coffee cans or breath mint tins.
The Kia Boy attacks, which involve removing the steering wheel column of key ignition in Hyundai and Kia models and using a USB to hot-wire them, serve as another example of the security issues faced by the automotive industry.
Kia and Hyundai, both affiliated companies, have released a software update to address a security issue in their vehicles. However, according to Automotive News, the solution provided by Hyundai Motor Group is not completely effective.
Attackers cannot be stopped solely by addressing this security vulnerability, according to Tindell.
To prevent theft, automakers like Toyota are employing robust encryption systems that provide extra security between their keys and the smart key electronic control unit, which is a dedicated chip that controls security and access in their vehicles and authenticates the key.
Tindell compared the hacking and countermeasures between car thieves, hackers, and automakers to an arms race. According to Tindell, car thieves are developing new attack methods, such as the controller area network injection.
This injection method allows attackers to bypass standard anti-theft equipment and access the vehicle's security system from the back end.
According to Tindell, car thieves and hackers need physical access to the internal network of a car, which is often easy to reach on the vehicle.
In a recent blog post, Tindell provided details of how car thieves in the UK stole a Toyota RAV4 from Ian Tabor, a cybersecurity researcher and automotive engineering consultant for Switzerland's EDAG Engineering Group.
The thieves gained access to the RAV4's key security's ECU for its engine and doors by breaking into the CAN near the headlights. Tindell compared the security of a car to a castle, with a fortified front entrance and an unguarded back door secured with a cheap padlock.
To prevent CAN injection attacks, automakers need to implement authentication and encryption for the digital messaging between a car's door and engine, along with a credential or token system, according to Tindell.
Kent predicts that in the future, phones might prompt users with a message such as "Are you trying to open the car?" This feature could enhance security while being user-friendly, although Kent acknowledges that this may be too extreme of a measure.
The concept of "unhackable" technology is a fallacy, as proven by recent car hacking incidents. Despite the physical breaches involved in the Tabor RAV4 and Kia Boys hacks, these attacks still posed a significant risk to the vehicles' owners.
With the increasing popularity of digital keys among drivers, the potential for car hacking may become even greater.
According to a well-known white hat hacker who uses the moniker Sick Codes, determined hackers will eventually find a way to access even the most guarded technology.
In his opinion, automotive digital keys are not particularly beneficial, as they serve mostly as a means for automakers to generate additional revenue streams through data collection.
Sick Codes suggests that in the coming years, a digital key could be hacked via a server or backend, illustrating the ongoing vulnerability of digital systems to hacking attempts.
Ultimately, there is no such thing as an "unhackable" technology, and as more devices become connected to the internet, the risk of hacking will only continue to grow.
"It looks good on paper. If it's done well, it might work, but as we know, little to never of anything (software) is done very well," Codes said. "I think it's a disaster waiting to happen.