Securing digital car keys: Managing risk and authentication in connected cars

Credit: Duh84bk |

Few Australian families do not own a car. In fact, the 2016 Census revealed that more than 90 per cent of Australian households have access to a car, and, according to the motor vehicle census, Australia’s car population is growing faster than its human population.

With the rise in real estate prices and population growth contributing to the expansion of our cities, and the development of adequate public transport links slow to catch up, many of us are spending a lot of time on the road. The 2016 Census found that nearly seven in ten Australians (69%) drive themselves to work, with a further 5 percent travelling as passengers.

As we become more connected, the digital features offered by the vehicles we spend so much time in are becoming more important to us. Features including satellite navigation, Bluetooth mobile connectivity and multimedia streaming are increasingly offered as standard, propelling the global connected car market to more than $219 billion by 2025.

Until about ten years ago, the biggest car-related risk (aside from road safety) for drivers was their physical car keys being stolen. But with digital transformation moving faster than the average car thief, digital keys will be far more sought after by cybercriminals.

All connected vehicles can be hacked

Let’s assume the car manufacturer has a central system that gets continuous feeds from all its vehicles, such as geolocation data. This data may be stored in the cloud or on a server at the manufacturer’s premises. In order to connect to this system, your car will have to authenticate itself in some way, which creates a new trust issue. How does the manufacturer trust – if your car is talking to its central system – that it is in fact your car? Or how do you trust – if the central system is talking to your car – that it is in fact the manufacturer’s central system?

Credit: Richair |

This connectivity is a known vulnerability to hackers, who will try to compromise it provided they have two things. First, an access route into the system, such as an open WiFi network. This has been a known technique since 2015 when hackers remotely compromised a Jeep Cherokee and paralysed it on the road. Second, they will need your digital keys to get in. These are credentials or permissions that authenticate access.

This means that if your car is connected to an open communication source, and there’s a weak or compromised password, attackers can get the keys to access to your vehicle.

The driverless threat

You’re probably wondering: if an attacker does gain access, what could they potentially do? In 2015 and 2016, the hackers that compromised the Jeep Cherokee demonstrated the ability to hack into electronic control units, such as multimedia and temperature systems. They were even able to disable the brakes at low speeds, and tamper with the steering and cruise control.

Inevitably, the threat will become greater as technology advances – particularly when driverless cars hit the road in 2021. Our connected cars will have far superior and complex capabilities and the biggest danger will be an attacker taking control of the vehicle.

Credit: Sensay |

An industry-wide effort is underway to ensure that cybersecurity is fully integrated into the development of driverless vehicles. However, were an attacker to compromise that connection, they could impersonate communications and send subversive commands to the car. Alternatively, they could tell the central system that the car is in a particular location when it’s actually somewhere entirely different, ultimately risking a forced crash.

Attackers are always watching and learning

While gaining access may be bread and butter, attackers will have to teach themselves how to configure or administrate driverless cars. However, this won’t take too long. There are many examples of attackers lurking inside new infrastructure until they have the knowledge to take control and cause considerable damage.

In the cases of the Swift Bangladesh Central Bank heist and the Ukranian power network hacks, for example, attackers accessed critical assets then watched and learned until they knew how to make a transaction or turn off the power. We can expect to see a similar approach in attempts to compromise driverless cars, with attackers potentially holding the keys for a long time before they take the wheel.

Read more: Microsoft goes after TomTom -- and Linux

Of course, gaining full control of a connected car will not be the only motivation for cybercriminals. They will also see value in tracking the journeys of high-profile targets. Attackers could surreptitiously collect travel data, while also deploying advanced social engineering techniques, to build a comprehensive picture of the target’s habits and whereabouts. The most significant outcome in this scenario could be a new type of online blackmail.

As car connectivity continues to become more sophisticated, there is a reciprocal increase in the number of connections to manage, secure, and ultimately, trust. The onus is on manufacturers to keep customer data secure and ensure personal safety, which starts with protecting the credentials and permissions that authenticate access – the digital car keys.

Credit: Pixinoo |

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags automotive ITAutomotivecardigital eradigital keys

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Brazier

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?