As connectivity continues to expand, and the number of devices on a network with it, IoT’s ambition of creating a world of connected things grows. Yet with the pros come the cons, and the flip side is the growing set of security challenges that come with it.
Security has been a perennial concern for IoT ever since its use expanded beyond basic functions like tallying the stock levels of a soda machine. However, for something of such interest to the industry, plans for standardisation remain elusive. Instead, piecemeal plans to ensure different elements of security, like zero trust for identity and access management for devices on a network, or network segmentation for containing breaches, are undertaken by different companies according to their needs.
Yet with the advancement of technology, things like quantum computing pose a risk to classic cryptography methods which, among other things, keep data private when it is transferred from device to device or even to the Cloud.
Emergence of quantum-resistant cryptography
“The word quantum gets thrown around a lot in various tech circles. Similar to AI, a lot of people have different ideas of what it means and what issues it will bring to device security in the future,” Crypto Quantique CEO and Co-founder Shahram Mossayebi told IoT Insider.
As Mossayebi points out, this issue isn’t a singular one, but the main threat quantum computers pose to IoT security is their ability to potentially break many of the cryptographic algorithms currently used to secure digital communications. This threat arises from the fundamental difference in how quantum computers operate compared to classical computers.
Classical computers and quantum computers operate on fundamentally different principles. Classical computers use bits as their basic unit of information, which can either be a 0 or a 1, representing two states. These bits are processed using logical operations to perform computations, and they operate sequentially, handling one operation at a time. In contrast, quantum computers use quantum bits, or qubits, which harness the principles of quantum mechanics. Unlike classical bits, qubits can exist in multiple states simultaneously due to a property called superposition. This means a qubit can be 0, 1, or any quantum superposition of these states. Additionally, qubits can be entangled, a unique quantum state where the state of one qubit is directly related to the state of another, regardless of the distance between them.
This entanglement and superposition allow quantum computers to process a vast number of possibilities at once, offering potentially exponential increases in computing power for certain tasks, like factoring large numbers, compared to the sequential processing of classical computers.
This difference matters for IoT security. Classical systems secure IoT devices and networks primarily through encryption algorithms like RSA, which rely on the computational difficulty of factoring large numbers. Quantum computers, using algorithms like Shor’s, can factor these large numbers much more efficiently, thanks to their ability to process multiple possibilities simultaneously through quantum superposition and leverage entanglement for complex calculations. This capability could therefore break RSA encryption swiftly, rendering the current security protocols in IoT networks vulnerable.
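The dependence of RSA on factoring can be made concrete with the classical half of Shor’s reduction. The sketch below is an added example, not code from the article or from Crypto Quantique; the toy key (N = 3233, E = 17) and all function names are constructed for illustration. The brute-force order search is the one step a quantum computer would replace with fast period finding; everything after it is cheap classical arithmetic, which is why a larger RSA key does not help once that step is efficient.

```python
import math
import random

def multiplicative_order(a, n):
    """Smallest r > 0 with a**r % n == 1. This brute-force loop is the step
    Shor's algorithm replaces with quantum period finding."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_via_order(n, rng):
    """Classical post-processing: turn the order of a random base into factors."""
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                       # the base already shares a factor with n
            return g, n // g
        r = multiplicative_order(a, n)
        if r % 2:                       # an even order is required, pick a new base
            continue
        y = pow(a, r // 2, n)           # y*y == 1 (mod n) and y != 1
        if y == n - 1:                  # trivial square root of 1, pick a new base
            continue
        p = math.gcd(y - 1, n)          # non-trivial factor of n
        return p, n // p

def recover_private_exponent(n, e, seed=0):
    """From the public key (n, e) alone, rebuild the private exponent d."""
    p, q = factor_via_order(n, random.Random(seed))
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), tuple(sorted((p, q)))

# Constructed toy public key (real RSA moduli are 2048 bits or more).
N, E = 3233, 17

if __name__ == "__main__":
    d, factors = recover_private_exponent(N, E)
    ciphertext = pow(65, E, N)          # constructed sample message 65
    print("factors:", factors, "d:", d, "decrypted:", pow(ciphertext, d, N))
```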
To put this into perspective, imagine a smart city where IoT devices are interconnected for various functions like traffic control, public safety monitoring, utility management, and personal devices. These devices continuously communicate with each other and with central servers, relying on encrypted communications to protect data integrity and privacy, and to ensure no one but their operator can change or view the information.
Now, if that traffic is encrypted with RSA or ECC and a bad actor breaks into the network with a classical computer, they can intercept the data but cannot decipher it. Data security can therefore still be preserved even if network security is breached.
But if that malicious actor gains access to a quantum computer capable of running Shor’s algorithm and intercepts the encrypted traffic between IoT devices in the smart city, the data can be not only intercepted but rapidly decrypted. This could lead to various malicious activities, such as manipulating traffic signals to create chaos, accessing private surveillance footage, or obtaining personal health data from residents’ smartwatches.
A lone hacker in his room is unlikely to be the person wielding a quantum computer, as the devices are not widely available to the public (yet). The fear for the moment is that bigger, maybe even state-backed, institutions or groups could be the ones using one, making the threat even greater.
So, if quantum computing is the threat, what’s the solution? Quantum encryption!
Fighting fire with fire
“Quantum-enhanced cryptography revolutionises IoT security by fortifying it against impending quantum threats,” said Mossayebi.
Although Crypto Quantique’s solution, QuarkLink, focuses on a multi-pronged approach (which includes such things as device identity verification and access control to prevent unauthorised access onto IoT networks), it also leverages ‘unbreakable’ encryption through quantum-resistant algorithms and quantum key distribution (QKD).
QKD uses the principles of quantum mechanics to generate and share cryptographic keys. It involves sending quantum states, typically encoded in photons, between two parties. The quantum nature of these states ensures that any attempt at eavesdropping alters their state, thereby alerting the parties to potential security breaches.
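How eavesdropping reveals itself can be seen in a small simulation of BB84, the best-known QKD protocol. This is an added example, not QuarkLink code or anything from the article; it assumes an ideal noise-free channel, an intercept-and-resend eavesdropper, and hypothetical function names, and the 11% alarm threshold is an assumed value for the illustration.

```python
import random

def bb84_error_rate(n_photons, eavesdrop, seed):
    """Simulate BB84 and return the error rate on the sifted key (QBER)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randrange(2)           # Alice's raw key bit
        alice_basis = rng.randrange(2)   # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, alice_basis

        if eavesdrop:
            # Intercept-and-resend: measuring in the wrong basis gives a
            # random result and re-prepares the photon in that basis.
            tap_basis = rng.randrange(2)
            if tap_basis != state_basis:
                state_bit = rng.randrange(2)
            state_basis = tap_basis

        bob_basis = rng.randrange(2)
        if bob_basis == state_basis:
            bob_bit = state_bit          # matching basis: deterministic result
        else:
            bob_bit = rng.randrange(2)   # mismatched basis: coin flip

        # Sifting: keep only positions where Alice and Bob chose the same basis.
        if bob_basis == alice_basis:
            sifted += 1
            errors += bob_bit != bit
    return errors / sifted

def eavesdropper_suspected(qber, threshold=0.11):
    """Abort key exchange when the sampled error rate exceeds the threshold
    (0.11 is an assumed value for this example)."""
    return qber > threshold

if __name__ == "__main__":
    for tapped in (False, True):
        qber = bb84_error_rate(20000, eavesdrop=tapped, seed=1)
        print(f"tapped={tapped} QBER={qber:.3f} "
              f"alarm={eavesdropper_suspected(qber)}")
```

On an untapped channel the sifted bits agree exactly, while the intercept-and-resend tap pushes the error rate to roughly 25%, which is the signal the two parties check for before using the key.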
Yet with QuarkLink being a software solution, it raises the question of device security in the incoming age of quantum cryptography. Factors such as device architecture, computational power too low to implement complex encryption methods, and limited power capacity all affect the feasibility and efficiency of these integrations, and may create security weak links.
Dynamic cryptographic solutions, capable of being updated remotely and tailored to different device requirements, are key to addressing this challenge. These solutions must be designed to manage the diverse security needs of a large number of devices without compromising performance or security integrity.
Equally, as the number of IoT devices continues to grow exponentially, scalability becomes a paramount concern. Yet, according to Mossayebi, security can still be maintained without taking such a granular approach: “With the proliferation of IoT devices, managing their security individually becomes an impractical and resource-intensive task,” says Mossayebi. “QuarkLink was designed to provide a scalable solution that can secure a vast number of IoT devices efficiently.”
Quantum cryptography and its future in IoT security
The integration of advanced cryptography in IoT presents a sturdy solution to the escalating security challenges in this ever-expanding field, and it’s for this reason companies like Crypto Quantique believe it could have great value if standardised. “Quantum cryptography holds immense potential as a standard in IoT security due to its resilience against quantum threats,” explained Mossayebi. “Yet, for industry-wide adoption, several key factors are crucial.”
Firstly, Mossayebi argues, robust and standardised quantum-resistant algorithms need wider acceptance and validation within the IoT security community. Secondly, practical, cost-effective quantum-resistant solutions suitable for resource-constrained IoT devices need to be developed. Thirdly, education and awareness initiatives need to be fostered across industries. And lastly, industry players, researchers, and regulatory bodies need to collaborate.
Yet with emerging trends in IoT security including Edge AI for threat detection, zero-trust architectures, and regulatory shifts, Crypto Quantique believes it is positioning itself to tackle another of IoT’s soon-to-be big issues. Having just completed a project with ETH Zurich on integrating post-quantum cryptographic algorithms into QuarkLink, the company is preparing itself for the threat ahead, and when it comes to security, it’s the anticipation of issues which can keep you ahead.