Get the Lowest Prices anywhere on Macs, iPads and Apple Watches: Apple Price Guides updated February 19th


Apple's 'CarKey' API could control your HomeKit smart lock in future

The sudden appearance of the 'CarKey API' may only be the beginning, as Apple is seemingly exploring how it can expand on its cryptographic-based device authentication to bring digital keys into other areas.

The first beta of iOS 13.4 revealed traces of a "CarKey" API, one which would effectively turn the iPhone into an electronic key for a vehicle, similar to current keyless unlocking and starting systems employed today. By bringing the iPhone close to an NFC point, it could feasibly allow a car to start and to be driven, while also offering the option of sharing a version of the key to others with certain permissions disabled, such as enabling a car to be unlocked but not driven.

In a patent application titled "System access using a mobile device" published by the US Patent and Trademark Office on Thursday, Apple seems to be planning a much wider use of the concept than in just vehicles. The abstract for the filing mentions it would be used to authenticate a mobile device for access to system functionality, including "physical access to a system, starting an engine."

This could mean more than a car, and could easily apply to other access-oriented systems, like a smart lock on a home's door, access to an office for work, or to log in to a computer as already offered by the Apple Watch.

The patent application largely covers the possible processes for performing an authentication check between the smartphone and the locking system it is interacting with, rather than its possible applications.

A chart showing how the process of pairing and authentication could flow

A chart showing how the process of pairing and authentication could flow

In short, the pairing system involves the creation of public and private keys on both the mobile device and the locked system sides as part of a pairing process. After pairing, the public keys and a shared secret from the pairing process are used to verify a signed certificate created using private keys, then an encrypted signature is transmitted as proof of verification, allowing further trusted communications to occur.

In various declarations, this can include the mobile device being set to not send identifying information until after verification of the signed certificate, and the exchange of keys using an "elliptic curve Diffie Hellman (DH) function."

It is also proposed the mobile device could share access to functions of the locked system with another device, via another similar certificate-signing process. The sharing could be performed over a private and direct wireless connection between the two mobile devices, without relying on an online server or messaging service to hand over access.

There are mentions of the use of a security token as a form of authentication between the mobile devices, which can be stored in a separate mailbox location for later access.

While sharable, the sharing system would also allow the original authorized device to revoke shared access by sending a revocation message, which is followed by a confirmation receipt generated by a secure circuit.

If implemented into the CarKey API, this can enable a driver to temporarily grant access to their car to a friend's device, either locally or remotely, with the ability to only unlock the vehicle for access and not to drive it, then later revoking permission to access. Elsewhere, this could feasibly grant access to a building to an individual without needing to physically pass a key.

The concept of digital keys on mobile devices lends itself quite neatly to rental-based services. For example, an AirBNB host could grant guests a temporary use key on their device for the duration of a visit, or a car rental business could provide car keys to a customer without the need for a local kiosk or store.

The patent application lists its inventors as Arun G Mathias, Florian Galdo, Matthias Lerch, Najeeb M. Abdulrahiman, Onur E. Tackin, and Yannick Sierra.

Apple files numerous patent applications on a weekly basis. Though the existence of a patent application does not guarantee the concept will appear in a future product or service, it does inform of areas of interest for Apple's research and development efforts.

Apple has previously looked at the use of a mobile device as an authentication token for external uses, including the possibility of it being used to securely present government ID. This could mean an iPhone has a chance of being used as an effective digital passport or driving license, depending on future legislative changes.

On the motoring front, Apple is a charter member of the Car Connectivity Consortium, which published its first Digital Key Release 1.0 standard for NFC-enabled smartphone interactions with a vehicle in 2018. As a charter member, Apple is largely expected to be implementing standards defined by such technical groups.

Apple has also filed a patent application for "Enhanced automotive passive entry" in August 2018, which suggested the use of magnetic antennas and radio frequency antennas to determine the range of an iPhone from a vehicle, to enable features based on location. A November 2019 patent proposed a similar idea, using Bluetooth and Ultra-Wideband to determine the location and to exchange cryptographic keys.

Whether it will be used in the often-rumored Apple Car remains to be seen.