'Digital Key' Standard Uses Your Phone To Unlock Your Car

The Car Connectivity Consortium, a mix of major smartphone and automotive brands, has posted a Digital Key 1.0 standard that will let you download a virtual key that can unlock your vehicle, start the engine and even share access with other drivers. Engadget reports: Unsurprisingly, the technology focuses on security more than anything else. Your car manufacturer uses an existing trusted system to send the digital key to your phone, which uses close-range NFC to grant access to your ride. You can't just unlock your car from inside your home, then, but this would also force would-be thieves to be physically present with your phone when trying to unlock your car. Apple, LG and Samsung are among the phone brands in the group, while car brands including BMW, Hyundai and the Volkswagen group are also onboard. There's also talk of a version 2.0 spec that will promise more interoperability between cars and mobile devices in the first quarter of 2019.

That is surprising

[stoborrobots]

Unsurprisingly, the technology focuses on security more than anything else.

The way things are in this industry at the moment, that is incedibly surprising to me...

Re: That is surprising

[orlanz]

It's unsurprising that they used the word "security" in their product just like everyone else with an open AWS machine.

Whether it is secure or not is yet to be seen. At least you can't remotely drive the cars. Else someone will design a game where you drive a car onto a boat. And we get a few million cars stolen one night.

Re:That is surprising

[AmiMoJo]

Actually phones have increased security for things like mobile payments. Rather than just a contactless tap or easily observed PIN, you have a fingerprint unlock or arbitrarily long password.

Let's think about the security implications of unlocking/starting your car with your phone instead of the key. The key is probably just as vulnerable to theft since you have to have it on you, but has no authentication mechanism at all. No fingerprints, no passcodes, just having it unlocks and starts you car. So even if you disable authentication on your phone it's still no worse than the key.

Modern car keys use radio comms, so no loss there. Actually the wireless comms used for mobile payments are even more secure, being extremely short range and using a well tested standard algorithm instead of the manufacturer's own concoction. Never roll your own security if you can help it.

So all in all using your phone as a key seems like it can only be a net win. We have established that phones can securely keep secret tokens, as require for contactless payments.

Re:That is surprising

[houghi]

Free, I do not thing that word means that you think it means.

How about NO?

[grep+-v+'.*'+*]

Oh, look! Another attack surface. I'm sure THIS one will be completely secure. I can go to sleep with relief that someone without a physical or key fob will be able to access my car without my knowledge.

That if, if I manage to drink enough whisky. Maybe the self-driving car can pick up some for me. Hell, just add photo-recognition to it -- if it doesn't look like me or my wife trying to enter the car, just start it up and drive off. For bonus points get a picture of the perp. For EXTRA bonus points, make sure that same picture has the front tire of the car sitting on them. Or rear tire, I'm not picky, and there's already a camera back there anyway.

What was wrong

[stealth_finger]

What was wrong with, you know, a key?

Re:What was wrong

[GuB-42]

The biggest issue is that that's something you need to have on you. Not having a key is one less thing to carry around.
Second: a key is single factor authentication. Phones can be multi-factor (you need the phone and a password for instance). Keys are also difficult to revoke. If you lose the key, you need to physically change the lock in order to get a new bitting.
Another advantage of phone-based authentication is that you can transmit a token remotely to someone else if you want to give him access to you car. Basically the equivalent of putting car keys in someone's mailbox, but you get to keep your own key, and you don't need to actually go put it in the mailbox.

Saying "what's wrong with a key" is like saying "what's wrong with cash". There are many compelling arguments for cash over credit cards and the like, but cash isn't without issues.

Sigh

[ledow]

- Doesn't solve any existing problem.

- Creates new problems all of its very own.

Not least "your battery runs flat, but you need to open it to jump-start it" (so either all the doors open, or you can't get into it at all), "I locked my phone in the car", "Someone sniffed the NFC transaction from across the street- NFC is short-range-powered, but long-range-ordinary-radio-signal", "Every garage has a way to open that car if the system should fail and you can buy the kit to open any car for $20k", "My phone got a virus and now anyone can open my car", "Previous owners of the car can just walk up to it with their phone to unlock it", etc. etc. etc.

Re:Sigh

[Registered+Coward+v2]

- Creates new problems all of its very own.

Beyond your examples, it provides a way for phone manufacturers to know when you are operating a vehicle, under the assumption that the phone used to unlock and start is the drivers. Once they have that information, how will they use it? Turning off texting and other messaging apps would certainly help solve the problem of idiots who text and drive, but how else can that information be used? What other services will be disabled if the think you are driving? Siri already won't let me open the garage door when it thinks I am driving, even if I am in my own driveway.

Single Point of Failure

[mentil]

So now when my phone gets stolen/broken/lost/runs out of battery, I have no way to call for help OR to start my car. Bonus points if the phone charger is locked inside the car-that-won't-start. Extra bonus points if you don't carry any method of payment aside from mobile payment.

Re:Because...

[N1AK]

But keys are kept securely in pockets in all those same scenarios by voodoo magic?