Virtual car keys proving ground for IoT security, with first spec release


The first open digital key specification for vehicles will provide a testing ground for IoT security in applications involving not just smartphones but any device with embedded trusted elements. It comes at a time when vehicle theft is on the rise again after over two decades of decline, as thieves finally get to grips with electronic locking and immobilization technology. Automobile makers therefore need to convince consumers that, far from increasing exposure to theft, virtual car keys will actually raise the technical protective bar once again.

Aware of this, the Car Connectivity Consortium (CCC) stressed security when announcing publication of its Digital Key Release 1.0 specification, which allows drivers to download the key onto their smart devices and use it for any vehicle, as well as transmit it to others for sharing. The CCC was set up to develop smartphone-centric applications for connected cars around infotainment, navigation and security, with charter members including Apple, Samsung, LG and Qualcomm as well as Audi, BMW and General Motors.

Its first major standard was MirrorLink, initially developed for infotainment (IVI) by enabling drivers to mirror their smartphone interface on to their vehicle’s touchscreen with support for all the main mobile OS platforms. MirrorLink is also a core component of Digital Key Release 1.0 since it enables device interoperability through support for well-established protocols including Real-Time Protocol (RTP) for audio, Universal Plug and Play (UPnP) for configuration and crucially Virtual Network Computing (VNC). The latter is the baseline protocol to display the user interface of the smartphone applications on the infotainment system screens and to communicate data from the target system, in this case the vehicle, back to the mobile device. Such return communication is required for mutual authentication.

The virtual car key, typically residing in smartphones, has become an important battlefront between automakers, as the first radical new service associated with mobile connectivity. It offers huge convenience and facility to consumers who no longer have to manage physical keys that have become costly to replace in the electronic era. It opens the door to new applications such as remote transmission to friends when required and also access to hire cars without the rental company representative having to be physically present to hand over the key. Furthermore, virtual keys are part of the drive towards personalized digital services associated with remote access to vehicles and integration of other IoT components.

As a result, we have already seen some proprietary virtual key offerings, with Volvo first of the major makers to introduce the facility in 2017 with support for sharing although still allowing the option of a physical key, which a lot of its customers have taken. The smartphone can be used to unlock and start the car as well as operate some autonomous features.

Other car makers have piled in, and initially it looked like their competitive eagerness was overwhelming their concern over security. But the recent rise in car theft has pushed security back up the agenda. Vehicle thefts had been falling for 25 years in the US after peaking at 1,661,738 in 1991, ending that period down 46% at 765,484 in 2015, according to the FBI. But they rose by 3.8% in 2015 and then 7.4% in 2016, with some sources indicating a steeper climb in 2017. A similar pattern of recent rise after a long decline has been reported in other regions including most European countries.

During the long decline car thieves changed from breaking into cars to stealing keys from homes or places such as gymnasium lockers where they were left. That is still a common method but most recently thieves have also been improving at three types of technical attack. One is On-Board-Diagnostic (OBD) port theft, where the thief gains entry to the vehicle, communicating by equipment plugged into the OBD port.

Secondly is signal jamming in places where cars are parked, through emission of a wireless signal that prevents the lock command from the driver’s remote-control key operating. The car stays unlocked so this attack is more commonly used just to steal contents from the vehicle. Thirdly is the Relay Station Attack (RSA) using a signal transmitter and receiver. The signal from the car key is relayed to a receiver near the car. The car’s system then acts as if the key were present and allows the car to be both unlocked and started.

This third method is equally applicable to virtual car keys, which do not elevate the threat further. But virtual keys do increase the exposure – or threat surface as security experts like to call it – and makes it critical that the security bar has been raised. The CCC insists that it has, although this is as much down to the device makers as its own efforts. The core component is the Trusted Execution Environment (TEE), comprising isolated hardware running a separate system from the principle device OS such as Android or iOS. This separation confers a secure app ecosystem because apps running on this separate OS cannot be reached by those executed on the primary OS. This capability is ensured at the silicon level with unique credentials embedded in the device at manufacture, allowing secure authentication.

The TEE in turn underpins two vital security functions, not just for virtual car keys but many other IoT services. The first is secure booting of the device via a path starting within the TEE and then moving out into the standard OS checking that all apps loaded have been signed by an approved author. This is designed to block rogue apps from entering the system. Then a second line of defense called posture checking is designed to alert a management system when a breach has occurred, such as when a rogue app has somehow got through. This is deployed as a protocol inside the TEE that repeatedly confirms or denies that the device is still safe and has not been compromised. This process is sometimes called attestation since it can alert IT managers when a user’s smartphone has been hacked.

These features enabled by the TEE allow a Trusted Service Manager (TSM) to be deployed as part of the CCC specification for virtual car keys. The TSM is a core feature of the near field communication (NCC) ecosystem used by the CCC, operating at distances up to just 4cms (1.6 inches). This distance limit has enhanced the security of contactless payments by requiring the smart card to be close to the reader and the same is expected will be the case for virtual car keys. The TSM then acts as a neutral broker, setting up and managing the business agreements and technical connections between in this case mobile network operators and vehicle manufacturers. The TSM enables service providers to distribute and manage their contactless applications remotely by allowing relevant parties such as car makers access to the secure element in their NFC-enabled handsets.

The CCC Release 1.0 specification is just the first step however with the CCC suggesting that its follow up, Digital Key Release 2.0, will have an even greater impact on the auto industry when it comes out perhaps in 2019. This is because that will address the challenges of scaling up to very large deployments as virtual car keys catch on. The CCC believes the security problems have already been addressed in the first specification as they have to be. After all the supposed convenience of virtual keys will be lost if car owners have to revert to additional measures such as steering locks and separate engine immobilizers that they thought had been confined to the dustbin of automobile history.