Smartphones as Keys: Are They Secure?
A couple of months ago, Volvo unveiled their new keyless entry system at MWC 2016. Like many other manufacturers, Volvo is looking at taking advantage of the smartphone technology that’s already in everyone’s pocket.
We love seeing new technology — especially mobile technology. As always, our caveat is that cutting edge technology has to include the best security.
While the keyless entry offers plenty of conveniences and a definite cool factor, we wonder about its security.
Volvo is using Bluetooth technology. That means it’s available on nearly every device. However, there is a potential downside in that the effective range for Bluetooth can be up to 10m (30ft). If the car owner is nearby, such as maybe in the house with the car in the driveway, what prevents the car from being unlocked?
There is also the possibility for a thief to use a Bluetooth repeater to extend this range and make it even easier to gain access to the car without the owner’s knowledge. Even if range detection technology were used to control how close the owner has to be in relation to the car, a repeater could bypass the technology.
What Security Measures are in Place?
According to IBTimes UK, Volvo has stated they have added “extra layers of security” to protect owners against thieves with this system, without sharing details.
Most “smartphone-as-a-key” solutions rely on some form of symmetric key based cryptography. This is better than relying only on Bluetooth pairing, but it has definite limitations.
With most symmetric key crypto solutions, the car’s “key” is stored on a central server managed by the manufacturer and then downloaded to the user’s phone when they register using an application. This provides a very attractive target for hackers. If they can compromise the services, they can access a significant number of cars.
If the phone is lost or stolen or the “key” itself is compromised, can it be changed without an expensive service call, which may require replacing one or more parts of the vehicle?
Can Keys be Shared Securely?
Volvo has announced that their solution supports key sharing with time limits. How keys sharing be managed securely?
A common solution is to send the symmetric key to the other party. This approach would make it possible for a malicious app, on the receiving phone, to store the key and ignore the time limits.
While there are schemes that would enable sharing without giving the other person the owner’s symmetric key, they are vulnerable to impersonation attacks if the “sharing permission” is ever compromised.
The Better Solution: Opening Doors with NFC and ECC
Opening doors using Near Field Communications (NFC) with Elliptic Curve Cryptography (ECC) eliminates the limitations. With ECC, secure authentication prevents any unauthorized access to the lock.
- With an operating range of less than 5cm, using NFC on a smartphone requires close proximity to the vehicle to unlock the doors.
- The owner’s “key” is never stored anywhere except for the owner’s smartphone.
- Even if the sharing permission is compromised, only the intended party can use it.
- Key sharing can take place even without data connectivity.
The security technology used by TrustPoint is the same standards-based technology used by financial institutions and credit card companies. The US Department of Transport (USDOT), US National Institute of Standards and Technology (NIST), European Telecommunications Standards Institute (ETSI) and Institute of Electrical and Electronics Engineers (IEEE) have all endorsed this technology.
Contact us today to learn more about how TrustPoint delivers increased security and convenience utilizing NFC with ECC.