The cyber risk of virtual car keys

Connected cars need to offer adequate protection from potential cyber risks, but at the same time they have to permit discrimination-free access to the vehicle’s data so that third parties can perform servicing. Just how complex that can turn out to be in practice was discussed by the experts at the 8th Allianz Motor Day on September 22, 2020, focusing on the example of the “virtual car key.” 

That key opens, locks, and starts the car using a smartphone, which replaces a conventional car key. 

It’s convenient, but it also raises questions. For instance, what’s the data security situation? What happens if the system gets hacked? And questions also arise for insurers, especially in the event of a total theft. After their car is stolen, the vehicle’s operator has to provide us with the full set of keys when claiming the loss. But how do you do that? How can they prove the vehicle was really stolen, and that it isn’t just being used by an authorized driver who somehow “acquired” a virtual key at some point? And the insurer has to answer the questions: What do we need to investigate, and how?

After a car theft, a customer has to turn in the full set of keys to the insurance company to get the claim settled. If the person has a digital key, besides turning in all the physical keys, they also have to name everyone who held an authorized virtual key at the time of the theft, and prove that the authorization was canceled.

An international standard for virtual keys

That’s why Allianz joined forces with RCAR, an international association of automotive research centers with 24 members in Europe, Asia, North America, South America, and Australia, to define an international standard for virtual vehicle keys so our clients can be compensated quickly and without complications after a total theft, even when a virtual key is used. On top of that, to protect clients, the standard also defines yardsticks for the IT security of the entire system, including the vehicle, the smartphone, the back end, the communications, and user interactions. 

In addition, as part of its initial insurance classification, since March 2020 the association of the German insurance industry (GDV) has been covering these systems if they’re included or being prepared for the vehicle.

Virtual car keys must not be duplicable

“A client has to be able to trust a virtual key. Nobody is going to send in their smartphone to the insurance company if their car is stolen,” says Jochen Haug, Chief Claims Officer at Allianz Versicherungs-AG. “In other words, the key can’t be duplicable, and in the event of a total theft, we need a transparent view of who was authorized to use what key, and when.”

The four most important requirements for a virtual car key

  • A virtual car key must not be duplicable. Analogously to a physical key, it must be possible to tell how many keys are in circulation.
  • All authorized users of the vehicle must be listed for the client – and in the event of a claim, for the insurer – in a way that’s easily understandable, transparent and unchangeable. The client must also be able to provably cancel all virtual keys immediately in the event of a total theft.
  • Authorization to access the car must be separate from the authorization to drive it, to keep the existing protection provided by the electronic engine immobilizer from being circumvented, and to ensure the security of future service models like “delivery to the trunk.”
  • The data environment for making and storing virtual keys must be strictly separated from other applications. All data critical to security – like authorizations and key calculation – must be stored or carried out in a secure storage and execution environment. 

The Allianz Group is one of the world's leading insurers and asset managers with 126 million* private and corporate customers in more than 70 countries. Allianz customers benefit from a broad range of personal and corporate insurance services, ranging from property, life and health insurance to assistance services to credit insurance and global business insurance. Allianz is one of the world’s largest investors, managing around 716 billion euros** on behalf of its insurance customers. Furthermore, our asset managers PIMCO and Allianz Global Investors manage nearly 1.8 trillion euros** of third-party assets. Thanks to our systematic integration of ecological and social criteria in our business processes and investment decisions, we are among the leaders in the insurance  industry in the Dow Jones Sustainability Index. In 2021, over 155,000 employees achieved total revenues of 148.5 billion euros and an operating profit of 13.4 billion euros for the group.

These assessments are, as always, subject to the disclaimer provided below.

*Including non-consolidated entities with Allianz customers.
** As of June 30, 2022

Press contacts

Christian Weishuber
Allianz Deutschland AG
As with all content published on this site, these statements are subject to our cautionary note regarding forward-looking statements:

Further information

Allianz Direct launches partnership with CHECK24

Allianz Direct and CHECK24 are launching a strategic partnership in Germany and Spain: in future, consumers in both countries will be able to access Allianz Direct products on CHECK24's comparison portals. The first joint product launch will be in motor insurance in Germany.

Allianz X co-leads USD 250 million Series F investment round in cyber insurtech Coalition, Inc.

The funds raised in this investment round will be used to accelerate Coalition’s rapid growth, power its international expansion, and broaden the services Coalition offers to help organizations manage digital risk. Coalition is a leading provider of cyber insurance and security to Small and Medium Enterprises (SMEs).

Allianz enters multi-year partnership with cyber MGA Coalition

Allianz is providing Coalition with long-term committed capacity for its US cyber insurance programs and will lead Coalition’s UK cyber program when it launches later this year.