Hidden 'CarKey' privacy policy in iOS 13.6 beta hints at imminent release
Text relating to Apple's rumored "CarKey" feature has been discovered buried in iOS 13.5.1 and the first iOS 13.6 beta, suggesting a launch could be just over the horizon.
Credit: BMW
The feature, which was first hinted at by code within iOS 13.4, would allow Apple users to turn their iPhones or Apple Watches into digital NFCs "keys" for vehicles. Those keys could be used to lock, unlock and even start a vehicle.
While an exact launch timeline is still unclear, German site iPhone-ticker.de spotted the aforementioned privacy policy, which was discovered in various versions of iOS 13.
Although the information doesn't reveal any new details about "CarKey," it does summarize how the feature will work.
The leaked CarKey privacy policy. Credit: iPhone-ticker.de
Users will be able to add keys to their Wallet app by signing into their car maker's app or by entering a pairing code in Wallet. From there, keys will be stored alongside credit cards, passes and other items in Wallet.
"If successful, your device sends Apple a one-time owner redemption token. Apple uses the redemption token, information about your Apple account and your device, and your location at the time of provisioning (if Location Services is enabled) for fraud prevention purposes," the policy reads.
Apple adds that users can share their car keys by tapping an Invite button and selecting the level of access they'd like to grant to another user. That corroborates details first revealed in a series of leaked screenshots earlier in 2020.
As far as what personal information is kept or sent, Apple says that vehicle manufacturers may connect a user's device identifier with other information they have on a user. Apple itself said it doesn't collect or retain data on vehicle or CarKey usage.
It's a similar case for data about key sharing, with Apple stating that it "forwards to the vehicle manufacturer information about with whom a pass is shared and what level of access was granted."
Apple will partner with automakers for the feature, so it could end up as an add-on option for customers akin to CarPlay. Data found within a leaked build of iOS 14 suggests that BMW may be one of the first manufacturers to support "CarKey."
"CarKey" will use biometric authentication such as Face ID and Touch ID to secure keys, although there are signs of an "Express Mode" that would allow them to use it without authenticating.
Given that code related to CarKey was found in iOS 14, there's a good chance that the feature will be unveiled at Apple's virtual WWDC 2020 event on June 22.
Credit: BMW
The feature, which was first hinted at by code within iOS 13.4, would allow Apple users to turn their iPhones or Apple Watches into digital NFCs "keys" for vehicles. Those keys could be used to lock, unlock and even start a vehicle.
While an exact launch timeline is still unclear, German site iPhone-ticker.de spotted the aforementioned privacy policy, which was discovered in various versions of iOS 13.
Although the information doesn't reveal any new details about "CarKey," it does summarize how the feature will work.
The leaked CarKey privacy policy. Credit: iPhone-ticker.de
Users will be able to add keys to their Wallet app by signing into their car maker's app or by entering a pairing code in Wallet. From there, keys will be stored alongside credit cards, passes and other items in Wallet.
"If successful, your device sends Apple a one-time owner redemption token. Apple uses the redemption token, information about your Apple account and your device, and your location at the time of provisioning (if Location Services is enabled) for fraud prevention purposes," the policy reads.
Apple adds that users can share their car keys by tapping an Invite button and selecting the level of access they'd like to grant to another user. That corroborates details first revealed in a series of leaked screenshots earlier in 2020.
As far as what personal information is kept or sent, Apple says that vehicle manufacturers may connect a user's device identifier with other information they have on a user. Apple itself said it doesn't collect or retain data on vehicle or CarKey usage.
It's a similar case for data about key sharing, with Apple stating that it "forwards to the vehicle manufacturer information about with whom a pass is shared and what level of access was granted."
Apple will partner with automakers for the feature, so it could end up as an add-on option for customers akin to CarPlay. Data found within a leaked build of iOS 14 suggests that BMW may be one of the first manufacturers to support "CarKey."
"CarKey" will use biometric authentication such as Face ID and Touch ID to secure keys, although there are signs of an "Express Mode" that would allow them to use it without authenticating.
Given that code related to CarKey was found in iOS 14, there's a good chance that the feature will be unveiled at Apple's virtual WWDC 2020 event on June 22.
Comments
I would never rely on this feature for daily use simply because I don’t trust Apple and their updates. I could easily see ‘10.14.2’ breaking this functionality while the family and I are ‘out to dinner’, or at the office, leaving us/me stranded. It is a nice feature but only as a backup.
Key fob battery dies while in the middle of the Africa.
Key fob is destroyed by a herd of stampeding Cape buffalo.
Key fob is stolen by a monkey while hiking.
My daughter needs to borrow my car while it's at home and I'm in Africa filming Cape buffalo.
There's something in my car that someone needs and I'm in the hospital recovering from wounds sustained while trying to take pictures of angry Cape buffalo.
I can think of a few more, even a few that don't involve Cape buffalo.
You know that the car manufacturer, or at least the dealer, can reproduce your car key anytime they want, right? They have a record of your car's key, whether it's a "old" style metal one or a new fangled electrical one.
I've been reading through that information, and they don't describe exactly how the manufacturer is involved. The only conclusion consistent with what I've read so far is the manufacturer operates something like a certificate authority which needs to sign the device's key for the car to trust it. If that's the case, though, they would be able to generate their own key and sign it themselves such that the car would trust it.
I also see mention that only one device can be an owner device with full authority over the car, but I don't see mention of how to replace the owner device if it is lost or stolen. A description of that process would probably provide more insight into just how trustworthy the system is.
There's only one master device (your phone) because people typically have only one phone. Multiple master devices don't make sense. As the phone and car owner, you can give as little or as much control to an additional driver as you'd like. No one else can give out control of your car. That's what they mean by full authority.
From their description, it sounds like they request a key pair from the secure enclave, which will not hand out the private key to anybody (it stores the private key internally and performs operations with it, but will not disclose it; such keys do not survive backup and restoration onto another device). They then send the public key off to the manufacturer to be signed. Once it's signed, the public key and signature are handed to the car along with some kind of challenge response which only the private key corresponding to that public key could have created.
If my guess above is correct, the manufacturer could sign a key for some other device (or even sign a purely software key pair), which would then be able to unlock and start the car, even after it is no longer under any kind of lien.
The exact process of replacing the owner device would confirm or refute this.