Digital car keys raise security concerns

Drivers can store automotive digital keys on their smartphones, smartwatches and other connected devices, allowing them to unlock and start their cars with just a tap or a swipe. Digital keys also let owners control the amount of time a user can drive a car, set minimum and maximum speeds, and limit access to certain parts of the vehicle.

Most drivers who use mobile phones to access and start their vehicles say they like the convenience of the apps but still worry about security, according to the Car Connectivity Consortium.

"The keys are exploitable," said Jason Kent, a "hacker in residence" at Cequence Security, a cybersecurity firm in Sunnyvale, Calif.

The consortium, which watches the issues and sets standards for digital key systems, has 200 members and includes most automakers. It is looking to "future-proof vehicle access using smart devices."

The consortium's charter members are Apple, BMW, Denso, Ford, General Motors, Google, Honda, Hyundai, Mercedes-Benz, NXP, Panasonic, Samsung, Thales, Xiaomi and Volkswagen.

Most automotive digital key technology relies on near-field communication and Bluetooth low-energy technology.

"It's a very mature technology, so there is no way to get to the keys unless you are a government or an agency like the CIA," said Michael Leitner, senior director of smart car access at chipmaker NXP and vice president of communications at the Car Connectivity Consortium.

The software and safeguards for automotive digital keys have advanced so much that it's a very time-intensive and arduous effort to hack the technology, Leitner said.

"I think the Car Connectivity Consortium has produced a good piece of work: the concepts for key management offer some really useful functionality, and address a number of issues around vehicle key security," said Ken Tindell, co-founder of Canis Automotive Labs, a U.K. automotive and aerospace security technology firm.

However, automotive cybersecurity experts are still determining if digital keys are as secure as the industry claims.

Kent said a rash of recent car thefts in the U.K. targeting new cars with keyless systems that were hacked using relay attacks or "key cloning" demonstrates how the industry underestimates vehicle security.

Automakers have responded to key cloning attacks with keys that go into sleep mode. Vehicle owners have attempted a different strategy, such as keeping keys in a metal container like coffee cans or breath mint tins.

The Kia Boy attacks, which involve thieves popping off the steering wheel column of key ignition in Hyundai and Kia models and using a USB to hot-wire them, offer another example.

Kia and Hyundai — sibling companies — issued a software update to fix the problem, but Automotive News reported Hyundai Motor Group's solution is not working perfectly.

"It's not feasible or realistic to attack this key security head-on," Tindell said.

Car thieves are moving on from key cloning because automakers such as Toyota are placing robust encryption systems between its keys and the smart key electronic control unit, a dedicated chip with software or firmware that controls security and access in its vehicles to authenticate the key, Tindell said.

He likened the hacks and countermeasures between car thieves, hackers and automakers to an arms race.

Car thieves, for example, are developing an attack method called a controller area network injection, Tindell said. The CAN injection circumvents standard antitheft equipment by going around the back.

Car thieves and hackers must physically break into the internal network of a car, which they can do if it is somewhere easy to reach on the vehicle, Tindell said.

In a blog post, Tindell unwrapped how car thieves in the U.K. stole a Toyota RAV4 from Ian Tabor, a cybersecurity researcher and automotive engineering consultant for Switzerland's EDAG Engineering Group.

Thieves broke into the RAV4's CAN near the headlights to access its key security's ECU for its engine and doors.

"In some ways, it's like a castle with a drawbridge and portcullis and a barbican to secure the front entrance, and an unguarded back door with a cheap padlock," Tindell said.

Automakers need to have authentication and encryption for the digital messaging between a car's door and engine to defeat these CAN injection attacks, Tindell said. They need some sort of credential or token system.

"Having your phone say, 'Are you trying to open the car' is probably too much, but it's leaning toward the direction I think it will go," Kent said.

Because the cars were physically broken into, the CAN attack on Tabor's RAV4 and the Kia Boys hacks created extra risk for the perpetrators. Still, car hacking could become easier as more drivers adopt digital keys.

Determined hackers will eventually find a direct or indirect way into guarded technology, said a white hat hacker well-known in security circles who goes by the name of Sick Codes.
"Nothing is unhackable," he told Automotive News.

In the coming years, a digital key could be hacked from the backend or a server, Codes said.

Besides not requiring drivers to put a key in an ignition, Codes doesn't think there's much of a benefit to automotive digital keys. He said they are little more than a data play by automakers to create additional revenue streams.

"It looks good on paper. If it's done well, it might work, but as we know, little to never of anything (software) is done very well," Codes said. "I think it's a disaster waiting to happen."