Securing digital car keys: Managing risk and authentication in connected cars


Few Australian families do not own a car. In fact, the 2016 Census revealed that more than 90 per cent of Australian households have access to a car, and, according to the motor vehicle census, Australia’s car population is growing faster than its human population.

With the rise in real estate prices and population growth contributing to the expansion of our cities, and the development of adequate public transport links slow to catch up, many of us are spending a lot of time on the road. The 2016 Census found that nearly seven in ten Australians (69%) drive themselves to work, with a further 5 percent travelling as passengers.

As we become more connected, the digital features offered by the vehicles we spend so much time in are becoming more important to us. Features including satellite navigation, Bluetooth mobile connectivity and multimedia streaming are increasingly offered as standard, propelling the global connected car market to more than $219 billion by 2025.

Until about ten years ago, the biggest car-related risk (aside from road safety) for drivers was their physical car keys being stolen. But with digital transformation moving faster than the average car thief, digital keys will be far more sought after by cybercriminals.

All connected vehicles can be hacked

Let’s assume the car manufacturer has a central system that gets continuous feeds from all its vehicles, such as geolocation data. This data may be stored in the cloud or on a server at the manufacturer’s premises. In order to connect to this system, your car will have to authenticate itself in some way, which creates a new trust issue. How does the manufacturer trust – if your car is talking to its central system – that it is in fact your car? Or how do you trust – if the central system is talking to your car – that it is in fact the manufacturer’s central system?


Attackers know this connectivity is a weak point, and will try to compromise it provided they have two things. First, they need an access route into the system, such as an open WiFi network. This has been a known technique since 2015, when hackers remotely compromised a Jeep Cherokee and paralysed it on the road. Second, they will need your digital keys to get in. These are credentials or permissions that authenticate access.

This means that if your car is connected to an open communication source, and there’s a weak or compromised password, attackers can get the keys to access your vehicle.

The driverless threat

You’re probably wondering: if an attacker does gain access, what could they potentially do? In 2015 and 2016, the hackers that compromised the Jeep Cherokee demonstrated the ability to hack into electronic control units, such as multimedia and temperature systems. They were even able to disable the brakes at low speeds, and tamper with the steering and cruise control.

Inevitably, the threat will become greater as technology advances – particularly when driverless cars hit the road in 2021. Our connected cars will have far superior and more complex capabilities, and the biggest danger will be an attacker taking control of the vehicle.


An industry-wide effort is underway to ensure that cybersecurity is fully integrated into the development of driverless vehicles. However, were an attacker to compromise that connection, they could impersonate communications and send subversive commands to the car. Alternatively, they could tell the central system that the car is in a particular location when it’s actually somewhere entirely different, ultimately risking a forced crash.
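The trust question raised earlier (is it really your car, and is it really the manufacturer's system?) and the impersonation risk above are both answered by mutual authentication. The following is an added illustration, not code from the article or any manufacturer: a four-step challenge-response in which each side proves it holds a per-vehicle key. HMAC-SHA256 with a shared key is an assumption chosen for brevity, and the VIN, key store and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one per-vehicle secret provisioned at manufacture.
# The VIN and in-memory key store are hypothetical; real deployments keep
# keys in secure hardware on both ends.
VIN = "VIN-EXAMPLE-0001"
VEHICLE_KEYS = {VIN: secrets.token_bytes(32)}

def prove(key, role, vin, nonce_car, nonce_srv):
    """MAC over both fresh nonces, bound to the sender's role and the VIN."""
    v = vin.encode()
    msg = role + len(v).to_bytes(2, "big") + v + nonce_car + nonce_srv
    return hmac.new(key, msg, hashlib.sha256).digest()

def server_respond(vin, nonce_car):
    """Step 2: the backend answers the car's challenge and issues its own."""
    key = VEHICLE_KEYS.get(vin)
    if key is None:
        return None  # unknown vehicle
    nonce_srv = secrets.token_bytes(16)
    return nonce_srv, prove(key, b"srv", vin, nonce_car, nonce_srv)

def car_respond(car_key, vin, nonce_car, nonce_srv, proof_srv):
    """Step 3: the car checks the backend's proof before proving itself."""
    expected = prove(car_key, b"srv", vin, nonce_car, nonce_srv)
    if not hmac.compare_digest(expected, proof_srv):
        return None  # not the real backend: stop and send nothing
    return prove(car_key, b"car", vin, nonce_car, nonce_srv)

def server_verify(vin, nonce_car, nonce_srv, proof_car):
    """Step 4: the backend accepts only a proof over this session's nonces."""
    key = VEHICLE_KEYS.get(vin)
    if key is None or proof_car is None:
        return False
    expected = prove(key, b"car", vin, nonce_car, nonce_srv)
    return hmac.compare_digest(expected, proof_car)

def handshake(vin, car_key):
    """Run all four steps; True only if both sides hold the same key."""
    nonce_car = secrets.token_bytes(16)  # step 1: the car's challenge
    reply = server_respond(vin, nonce_car)
    if reply is None:
        return False
    nonce_srv, proof_srv = reply
    proof_car = car_respond(car_key, vin, nonce_car, nonce_srv, proof_srv)
    return server_verify(vin, nonce_car, nonce_srv, proof_car)
```

Because each proof covers both nonces and the sender's role, a proof captured from an earlier session, or one reflected back at its sender, fails verification. Production systems commonly get the same property from mutual TLS with per-vehicle certificates rather than a shared key.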

Attackers are always watching and learning

While gaining access may be bread and butter, attackers will have to teach themselves how to configure or administer driverless cars. However, this won’t take too long. There are many examples of attackers lurking inside new infrastructure until they have the knowledge to take control and cause considerable damage.

In the cases of the SWIFT Bangladesh Central Bank heist and the Ukrainian power network hacks, for example, attackers accessed critical assets then watched and learned until they knew how to make a transaction or turn off the power. We can expect to see a similar approach in attempts to compromise driverless cars, with attackers potentially holding the keys for a long time before they take the wheel.


Of course, gaining full control of a connected car will not be the only motivation for cybercriminals. They will also see value in tracking the journeys of high-profile targets. Attackers could surreptitiously collect travel data, while also deploying advanced social engineering techniques, to build a comprehensive picture of the target’s habits and whereabouts. The most significant outcome in this scenario could be a new type of online blackmail.

As car connectivity continues to become more sophisticated, there is a reciprocal increase in the number of connections to manage, secure, and ultimately, trust. The onus is on manufacturers to keep customer data secure and ensure personal safety, which starts with protecting the credentials and permissions that authenticate access – the digital car keys.



Matthew Brazier

PC World