It was reported last week that the Car Connectivity Consortium (CCC) announced a new Digital Key Release 1.0 specification’s publication. The spec is designed so that drivers can download a digital vehicle key onto their smartphones.
Travis Biehn, Technical Strategist at Synopsys:
“The CCC has ambitious goals and is early in the process of thinking about how to practically achieve them. Mobile devices are, in many ways, more capable of providing secure access to a vehicle than the simple embedded platforms found in car keys today.
The CCC will likely run into challenges, at first blush, in protecting against relay-based attacks for interaction-less proximity unlocking. These attacks are notoriously difficult to resolve in a satisfying manner, and mostly depend on measuring the time it takes for a vehicle-generated challenge to receive a response.
Further, the CCC expects to leverage Trusted Execution and Secure Enclave functionality on devices. These enclaves are generally thought to be robust, but as more critical functionality moves to these components, attackers and the security industry are just starting to examine and explore them. Common attacks involve bypassing these secure environments. The weak links here are between the User Interface components and the Trusted Execution components. TEE components are like a brain in a jar, it’s hard for them to distinguish between inputs from a modified or spoofed mobile app or from a malicious app running on the device.
Finally, the CCC will introduce backend components operated by OEMs. The link between an OEM and a vehicle to support remote services will be a significant area of weakness. An attacker with access to an OEM system might be in a position to bypass all security controls and access vehicles as desired. The CCC can make strides in eliminating these threats by relying on end-to-end cryptographic attestation between devices and individual vehicles, but this type of secure design introduces its own set of practical challenges.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.