From Fob to Phone: How CCC Digital Key 4.0 Shapes Automotive Cybersecurity

By Vit Sembera (Senior Threat Researcher, Automotive) 

Recently announced by the Car Connectivity Consortium (CCC), CCC Digital Key 4.0 represents a pivotal step in striking a balance between innovation and security in an increasingly software-driven automotive landscape.  

In this blog, we discuss what’s new in CCC Digital Key 4.0, along with its broader trends and use cases. But first, we take a closer look at the evolving role of digital vehicle keys and their implications for automotive cybersecurity.

Why digital vehicle keys 

Digital vehicle keys are replacing traditional physical keys and key fobs by offering convenience and flexibility. Beyond locking, unlocking, and starting the engine, they go further by adding new capabilities, including remote key sharing for family, valet, or rentals, as well as integration into apps for fleet and mobility services. 

The adoption of digital vehicle keys is accelerating rapidly. In 2024, about half of new cars used passive keyless entry (PKE), while the rest relied on remote keyless entry (RKE). Today, nearly all modern vehicles have some form of keyless access, driving global growth. Analysts project that the digital vehicle key market will grow from approximately $2.1 billion in 2022 to $11.6 billion by 2031.  

Smartphone-based keys are also becoming mainstream, with the CCC Digital Key standard enabling many of these implementations. Major brands such as Apple, Google, and BMW already support the standard. Other automotive OEMs, including Acura, Cadillac, Porsche, and Rivian, are also rolling out phone-as-key features. 

At its core, digital keys combine flexibility, connectivity, and integration with connected services, such as car sharing, remote deliveries, and IoT ecosystems, unlocking capabilities far beyond those of traditional fobs. 

From early PKE systems to UWB technology 

Over the past decade, vehicle access technologies have undergone a significant transformation. Understanding this evolution helps explain how today’s standards, such as the CCC Digital Key 4.0, deliver interoperability and enhanced security across various ecosystems. 

Remote vs passive access 

Modern digital keys integrate multiple technologies to support both remote and passive entry modes, going beyond what traditional key fobs offer. While remote key fobs work within a limited range and require pressing a button to lock/unlock, PKE systems automatically unlock as the driver approaches.  

Digital keys build on these capabilities by combining Near Field Communication (NFC) taps for close-range entry, Bluetooth Low Energy (BLE) for remote commands, and ultra-wideband (UWB) for seamless, proximity-based unlocking. 

RF protocol evolution 

Early PKE systems relied on proprietary low-frequency (LF) protocols. As vehicles become more connected, BLE emerged, first seen in the Tesla Model 3 (2017), and quickly became a standard for wireless keyless entry. NFC also appeared, with implementations such as the Mercedes keycard (2016) enabling very close-range vehicle access. 

The CCC Digital Key (DK) standard is built on these innovations: 

• Digital Key 2.0 (2020) standardized NFC-based vehicle access. 
• Digital Key 3.0 (2021) added BLE and UWB for secure hands-free unlocking. 
• Digital Key 4.0 (2025) builds on all three protocols, focusing on interoperability across devices.  

Why UWB is necessary  

UWB is emerging as the most critical enabler for the next generation of digital vehicle keys. For one, it offers 10 to 30 centimeters of accuracy using true time-of-flight (ToF) measurements. In contrast, even BLE 6.0’s techniques, such as angle of arrival (AoA) or channel sounding, deliver accuracy of only about 1 meter.  

Beyond accuracy, UWB signals can theoretically span up to 200 meters and perform better in environments with obstacles or interference, whereas BLE operates in the crowded 2.4 GHz band. While BLE 6.0 introduced improvements such as phase-based ranging (PBR) and round-trip time (RTT) for finer ranging, it still lags behind UWB’s centimeter-level precision. 

UWB’s superior accuracy and reliability make it ideal for secure distance checks, such as defending against relay attacks. While BLE remains valuable for basic connectivity and remote commands, UWB is becoming the preferred choice for high-security applications in modern vehicles.  

In 2024, only about 6% of cars were shipped with UWB-enabled keys. However, this is expected to grow to approximately 40% by 2030 as UWB hardware becomes more widely available. Major OEMs, including BMW, Mercedes, Volkswagen, General Motors, and Tesla, have either adopted or plan to support it in future models. 

Security implications 

SDVs and OTA  

Modern vehicles are becoming software-defined vehicles (SDVs) with centralized architectures, enabling over-the-air (OTA) updates throughout the vehicle’s lifecycle. This shift greatly benefits digital keys significantly. If new vulnerabilities are found in a key app or firmware, automotive OEMs can patch them remotely rather than requiring dealer visits or hardware replacements. 

However, greater connectivity introduces new risks. It’s worth noting that nearly 95% of automotive cyberattacks in 2024 are remote, making secure networking and OTA management essential. Digital keys are part of this connected stack, leveraging secure elements and cloud services, both of which can be updated when vulnerabilities are identified. 

Evolving attack surfaces 

Traditional keyless systems have introduced well-known RF attack vectors. For example, RKE systems, which require button presses, are vulnerable to jamming and replay attacks, while techniques such as rolling-code jamming can trick car owners into leaking valid codes. PKE systems are even more vulnerable to relay attacks, where thieves extend the key’s RF signal to make the car believe the key is nearby, unlocking it without authorization. 

Digital keys, however, introduce a new set of potential attack surfaces involving mobile apps, cloud services, and vehicle connectivity. For example, the recent “PerfektBlue” exploit exposed flaws in BLE implementations within digital key apps and infotainment systems, allowing attackers to remotely unlock cars and even disable immobilizers from up to 30 meters away. This underscores the risks that unpatched BLE or app vulnerabilities can be exploited at a range. 

Built-in security improvements 

Despite new risks, properly implemented digital keys can improve security compared to traditional fobs. Here are some of the ways:  

• Secure elements (SEs). CCC standards use SEs in both smartphones and cars to isolate cryptographic keys, prevent tampering, cloning, and side-channel attacks. 
• UWB distance bounding. UWB-based keys perform cryptographically secured ToF checks to verify proximity, making them highly resistant to relay attacks. In fact, CCC Digital Key 3.0’s integration of UWB has made digital keys even more secure than their traditional counterparts. 
• Multi-factor authentication (MFA). Some implementations, such as Tesla’s PIN-to-drive, add a second verification layer after unlocking. 
• Instant revocation and credential updates allow users to disable compromised keys immediately and issue new ones over the air. 
• End-to-end encryption. CCC-certified systems encrypt data between the smartphone, vehicle, and backend servers, ensuring secure communication across all components. 

The CCC Digital Key 4.0 Standard 

Overview and interoperability 

Announced in July 2025, the CCC Digital Key 4.0 specification builds on Digital Key 3.0 by focusing on cross-platform and cross-version interoperability. Devices and vehicles from different automotive manufacturers are expected to work seamlessly together. 

At the CCC’s 13th Plugfest, hosted by Apple, Digital Key 4.0 was tested in real-world scenarios to validate compatibility. For example, a Digital Key 3.0-enabled smartphone should still unlock a Digital Key 4.0 vehicle, and vice versa. As one report noted, CCC Digital Key 4.0 continues to support NFC, BLE, and UWB, with the requirement that participating devices must support at least one of these wireless modes. 

New features and improvements 

While full details are still emerging, CCC Digital Key 4.0 introduces several improvements: 

• Unified ecosystem coverage. Digital Key 4.0 certification now integrates NFC tap-to-unlock, BLE for RKE, and UWB for secure passive entry.  
• Cross-platform sharing. Digital keys can be securely shared across Android and iOS devices. 
• Hands-free precision unlocking. BLE proximity detection combined with UWB’s precision enables secure unlocks with the phone still in your pocket.  

For end users, CCC Digital Key 4.0’s improvements operate mostly behind the scenes. While they’ll continue to use NFC, BLE, or UWB to unlock their vehicles, the update delivers broad compatibility and more consistent performance across different car models and device ecosystems.  

UWB LRP vs HRP 

One technical area of interest is UWB support. While Digital Key 3.0 mandated High-Rate Pulse (HRP) UWB for secure distance bounding under IEEE 802.15.4z, some chipmakers such as 3db Access (now part of Infineon) have developed dual-mode UWB radios capable of Low-Rate Pulse (LRP) to conserve power in battery-operated devices. 

As of now, CCC has not confirmed official LRP support in Digital Key 4.0. Future UWB developments, such as the upcoming IEEE 802.15.4ab standard, introduce Narrowband (NB)-Assisted UWB. For now, HRP remains the secure default defined by CCC. 

Competition

There is currently no competing global standard with the same scope as the CCC Digital Key. Some automakers, such as Tesla, continue to rely on proprietary phone-to-car systems, and China has domestic UWB-based solutions from vendors outside CCC’s ecosystem. Meanwhile, the Bluetooth SIG operates its own Car Access Work Group, focusing on BLE, but it has not yet reached the same level of maturity or adoption scale.  

With major members such as Apple, Google, and BMW, the CCC remains the closest thing to a universal digital key standard, positioning Digital Key 4.0 as the industry’s focal point for interoperability. 

Broader trends and use cases 

Expanding beyond personal vehicles 

Digital keys enable many emerging cases beyond personal cars. For example, fleet and mobility operators can issue and revoke keys on demand, improving efficiency and security. Commercial fleet software, such as Irdeto Keystone, allows managers to grant driver access at the start of the shift and automatically disable keys once it ends, ensuring the right driver gets the right vehicle at the right time. 

Public transit and shared mobility transportation, such as school buses, shuttles, car-sharing fleets, and delivery vans, can use digital keys for access control and auditing, improving security and logistics. For example, a school bus operator can ensure that only authorized drivers can remotely unlock or start the bus. At the same time, guardians may be granted limited, permission-based access to track usage securely.  

Integrating with in-car services 

Digital keys are increasingly merging with broader in-car digital ecosystems, opening new opportunities for personalized services and automation. They can enable: 

• Geofencing-based permissions: keys that only function within certain areas or time windows 
• Predictive maintenance alerts: leveraging connected vehicle data to schedule servicing proactively 
• Secure in-car payments: authorizing purchases or services directly through the vehicle interface
• Car-sharing with smart contracts: supporting seamless, auditable key handovers between multiple users.  
  

Additionally, upcoming child-presence-detection (CPD) regulations will leverage UWB’s precise localization to detect occupants. Digital key modules could integrate with these detection systems, reinforcing safety-critical applications beyond just vehicle access. 

In summary, CCC Digital Key 4.0 is part of a rapidly expanding ecosystem. By leveraging multiple RF technologies, it combines convenience with security while enabling a wide range of new vehicle experiences. 

As vehicles become more connected – with McKinsey & Company projecting the automotive software market to reach $462 billion by 2030 – standards such as CCC Digital Key 4.0 play a critical role in automotive cybersecurity, ensuring that features from keyless entry to OTA updates remain not only interoperable but also secure.