Car keys security in iOS
The car keys feature is supported natively in supported iPhone devices and paired Apple Watch devices. Car keys are represented as passes (created by Apple on behalf of the automaker) in the Wallet app and support the full Apple Pay card life cycle (iCloud Lost Mode, Remote Wipe, local pass deletion, and Erase All Content and Settings). In addition to the standard Apple Pay card management, shared car keys can be deleted from the owner’s iPhone, Apple Watch, and in the vehicle’s Human Machine Interface (HMI).
Car keys can be used to unlock and lock the vehicle and to start the engine or set the vehicle into drive mode. The “standard transaction” offers mutual authentication and is mandatory for engine start. Unlock and lock transactions might use the “fast transaction” when required for performance reasons.
Keys are created through pairing an iPhone with an owned and supported vehicle. All keys are created on the embedded Secure Element based on elliptic curve (NIST P-256) on-board key generation (ECC-OBKG), and the private keys never leave the Secure Element. Communication between devices and the vehicle use the NFC standard, and key management uses an Apple to automaker server API with mutually authenticated TLS. After a key is paired to an iPhone, any Apple Watch paired to that iPhone can also receive a key. When a key is deleted either in the vehicle or on the device, it can’t be restored. Keys on lost or stolen devices can be suspended and resumed, but reprovisioning them on a new device requires a new pairing or sharing.
The owner must prove possession of the vehicle (the method is dependent on the automaker) and can start the pairing process in the automaker’s app using an email link received from the automaker or from the vehicle menu. In all cases, the owner must present a confidential one-time pairing password to the iPhone, which is used to generate a secure pairing channel using the SPAKE2+ protocol with the NIST P-256 curve. When using the app or the email link, the password is automatically transferred to the iPhone where it must be entered manually when pairing is started from the vehicle.
The owner’s paired iPhone can share keys to eligible family members’ and friends’ iPhone devices (and their paired Apple Watch devices) by sending a device-specific invitation using iMessage and the Apple Identity Service (IDS). All sharing commands are exchanged using the end-to-end encrypted IDS feature. The owner’s paired iPhone keeps the IDS channel from changing during the sharing process.
Upon acceptance of the invitation, the family member’s or friend’s iPhone creates a digital key and sends the key creation certificate chain back to the owner’s paired iPhone to verify that the key was created on an authentic Apple device. The owner’s paired iPhone signs the ECC-public key of the other family member’s or friend’s iPhone and sends the signature back to the family member’s or friend’s iPhone. The signing operation in the owner device requires user authentication (Touch ID, Face ID or passcode entry) and a secure user intent described in Uses for Touch ID and Face ID. The authorization is requested when sending the invitation and is stored in the secure element for consumption when the friend device sends back the signing request.
Keys can be deleted on the keyholder device from the owner device and in the vehicle. Deletions on the keyholder iPhone are effective immediately, even if the keyholder uses the key. Therefore a strong warning is shown before the deletion.
Deletions of keys in the vehicle depends on whether the automaker requires the vehicle to be online for the deletion or not.
In both cases, the deletion on keyholder device or vehicle is reported to a key inventory server (KIS) on the automaker side, which registers issued keys for a vehicle for insurance purposes.
The owner can request a deletion from the back of the owner pass. The request is first sent to the automaker for key removal in the vehicle. The conditions for removing the key from the vehicle are defined by the automaker. Only when the key is removed in the vehicle will the automaker server send a remote termination request to the keyholder device.
When a key is terminated in a device, the applet that manages the digital car keys creates a cryptographically signed termination attestation, which is used as proof of deletion by the automaker and used to remove the key from the KTS.
A secure channel between the reader and an iPhone is initiated by generating ephemeral key pairs on the reader and the iPhone side. Using a key agreement method, a shared secret can be derived on both sides and used for generation of a shared symmetric key using Diffie-Hellman, a key derivation function, and signatures from the long-term key established during pairing.
The ephemeral public key generated on the vehicle side is signed with the reader’s long-term private key, which results in an authentication of the reader by the iPhone. From the iPhone perspective, this protocol is designed to prevent privacy-sensitive data from being revealed to an adversary intercepting the communication.
Finally, the iPhone uses the established secure channel to encrypt its public key identifier along with the signature computed on a reader’s data-derived challenge and some additional app-specific data. This verification of the iPhone signature by the reader allows the reader to authenticate the device.
The iPhone generates a cryptogram based on a secret previously shared during a standard transaction. This cryptogram allows the vehicle to quickly authenticate the device in performance sensitive scenarios. Optionally, a secure channel between the vehicle and the device is established by deriving session keys from a secret previously shared during a standard transaction and a new ephemeral key pair. The ability of the vehicle to establish the secure channel authenticates the vehicle to the iPhone.
The key tracking server of the automaker doesn’t store the device ID, SEID, or Apple ID. It stores only a mutable identifier—the instance CA identifier. This identifier isn’t bound to any private data in the device or by the server, and it’s deleted when the user wipes their device completely (using Erase All Contents and Settings).