The cyber risk of virtual car keys

Connected cars need to offer adequate protection from potential cyber risks, but at the same time they have to permit discrimination-free access to the vehicle’s data so that third parties can perform servicing. Just how complex that can turn out to be in practice was discussed by the experts at the 8th Allianz Motor Day on September 22, 2020, focusing on the example of the “virtual car key.” 

That key opens, locks, and starts the car using a smartphone, which replaces a conventional car key. 

It’s convenient, but it also raises questions. For instance, what’s the data security situation? What happens if the system gets hacked? And questions also arise for insurers, especially in the event of a total theft. After their car is stolen, the vehicle’s operator has to provide us with the full set of keys when claiming the loss. But how do you do that? How can they prove the vehicle was really stolen, and that it isn’t just being used by an authorized driver who somehow “acquired” a virtual key at some point? And the insurer has to answer the questions: What do we need to investigate, and how?

After a car theft, a customer has to turn in the full set of keys to the insurance company to get the claim settled. If the person has a digital key, besides turning in all the physical keys, they also have to name everyone who held an authorized virtual key at the time of the theft, and prove that the authorization was canceled.

An international standard for virtual keys

That’s why Allianz joined forces with RCAR, an international association of automotive research centers with 24 members in Europe, Asia, North America, South America, and Australia, to define an international standard for virtual vehicle keys so our clients can be compensated quickly and without complications after a total theft, even when a virtual key is used. On top of that, to protect clients, the standard also defines yardsticks for the IT security of the entire system, including the vehicle, the smartphone, the back end, the communications, and user interactions. 

In addition, as part of its initial insurance classification, since March 2020 the association of the German insurance industry (GDV) has been covering these systems if they’re included or being prepared for the vehicle.

Virtual car keys must not be duplicable

“A client has to be able to trust a virtual key. Nobody is going to send in their smartphone to the insurance company if their car is stolen,” says Jochen Haug, Chief Claims Officer at Allianz Versicherungs-AG. “In other words, the key can’t be duplicable, and in the event of a total theft, we need a transparent view of who was authorized to use what key, and when.”

The four most important requirements for a virtual car key

  • A virtual car key must not be duplicable. Analogously to a physical key, it must be possible to tell how many keys are in circulation.
  • All authorized users of the vehicle must be listed for the client – and in the event of a claim, for the insurer – in a way that’s easily understandable, transparent and unchangeable. The client must also be able to provably cancel all virtual keys immediately in the event of a total theft.
  • Authorization to access the car must be separate from the authorization to drive it, to keep the existing protection provided by the electronic engine immobilizer from being circumvented, and to ensure the security of future service models like “delivery to the trunk.”
  • The data environment for making and storing virtual keys must be strictly separated from other applications. All data critical to security – like authorizations and key calculation – must be stored or carried out in a secure storage and execution environment. 

The Allianz Group is one of the world's leading insurers and asset managers with more than 100 million retail and corporate customers in more than 70 countries. Allianz customers benefit from a broad range of personal and corporate insurance services, ranging from property, life and health insurance to assistance services to credit insurance and global business insurance. Allianz is one of the world’s largest investors, managing 766 billion euros on behalf of its insurance customers. Furthermore, our asset managers PIMCO and Allianz Global Investors manage 1.7 trillion euros of third-party assets. Thanks to our systematic integration of ecological and social criteria in our business processes and investment decisions, we hold the leading position for insurers in the Dow Jones Sustainability Index. In 2019, over 147,000 employees achieved total revenues of 142 billion euros and an operating profit of 11.9 billion euros for the group.

These assessments are, as always, subject to the disclaimer provided below.

Press contacts

Christian Weishuber
Allianz Deutschland AG
As with all content published on this site, these statements are subject to our cautionary note regarding forward-looking statements:
Disclaimer

Further information

Earthquake and Fire Research Center in Turkey expands family of Allianz research centers

The family of Allianz Centers for Technology is growing. With the Allianz Teknik Earthquake and Fire Testing and Training Center in Turkey, three Allianz Group research centers are now available to support customers and society in loss prevention, improve products and processes, and increase the operational safety of systems and consumer goods.

Insurance Outlook 2020: A Lost Year

Coronavirus will keep the insurance industry in weak health this year. But the pandemic could accelerate emerging trends in the industry. Digitalization, ESG and Asia are some keywords to watch, says the latest Allianz Global Insurance Report...

Allianz Global Corporate & Specialty SE embarks on global transformation program

Under its new leadership, Allianz Global Corporate & Specialty (AGCS), the industrial insurer of Allianz Group, announces a comprehensive transformation program, “New AGCS”, to regain profitability and market leadership in the corporate and specialty insurance segment.