With an estimated 43 billion Internet of Things (IoT) devices expected to be in use globally in 2023, their security is becoming increasingly important across a wide range of industries. Because IoT devices generate and exchange data, we depend on that data to be accurate and reliable. Furthermore, because they are networked, their exploitation can open attack vectors in larger systems, resulting in widespread and global impacts.
In 2016, the largest botnet attack ever was launched against the service provider Dyn with the Mirai malware. This malware searched for IoT devices running the Linux ARC operating system, attacked them with predefined login information, and infected them. This allowed massive numbers of IoT devices to be used together in Distributed Denial of Service (DDoS) attacks that brought down significant parts of the internet.
Another example was the Medtronic insulin pump vulnerability. In 2019, some Medtronic MiniMed insulin pumps were found to have vulnerabilities in Wi-Fi connectivity, making it possible for an unauthorized person to control the pump with life-threatening consequences.
IoT devices tend to be on smaller platforms that have technical limitations in terms of space, weight and power. As a result, they have lower processing capacity and cannot perform sophisticated authentication and encryption solutions. Additionally, many of our current IoT devices are poorly designed and poorly configured once installed, meaning security measures are often inoperative. When you integrate these smart devices into a network that also includes much older and simpler devices, the potential for impact increases dramatically.
Many organizations are working hard to put the basics of security in place and recognize that they have a problem. However, convincing companies to invest in long-term IoT security often presents a significant challenge.
Quantum computing, while it may take a decade or two, poses a threat to IoT devices that have been secured against the current threat and could remain in operation for many years. To address this threat, governments are already spending billions, while organizations like NIST and ETSI have been initiating programs to identify and select post-quantum algorithms (PQA) for several years, and industry and academia are innovating. And we’re getting close to agreeing on a suite of algorithms that are likely to be quantum secure; both the UK NCSC and the US NSA support the strong public key cryptography approach using PQA in conjunction with much larger keys.
The NCSC recommends that most users follow standard information security best practices and wait for the development of NIST-compliant quantum security cryptography (QSC) products. This potentially leaves IoT with a problem. Most of these improved QSC standards appear to require significant computing power to handle complex algorithms and long keys, and many IoT sensors may not be able to run them.
Therefore, until NIST provides its QSC standards we won’t know if they will work within the constraints of the IoT. Otherwise, there is a gap in the formal development of QSC IoT solutions.
This is a rapidly evolving area with many innovations, so it might make sense to look elsewhere for viable alternative solutions.
Asymmetric cryptography, for example, might be viable with low-resource PQC algorithms. Symmetric encryption is currently favored by the IoT industry as a low-power mechanism, but the problem of secretly distributing the same keys to each party remains, and quantum improvements could increase power requirements. Then there are key symmetrical creation mechanisms where innovation can help, as alternative approaches are considered.
These include quantum key distribution (QKD) which uses the properties of quantum mechanics to establish a key agreement, instead of using difficult mathematical problems that quantum computers will solve quickly. However, QKD requires specialized hardware and does not provide a way to easily enable authentication, and the NCSC does not endorse QKD for any government or military applications.
Another option is the secure key chord (SKA). Some companies are experimenting with computationally secure ways to digitally create symmetric keys on trusted endpoints. This type of low-power software-based functionality offers an attractive alternative for the IoT. But while independent verification of this type of capability is underway, this approach is not on either NIST’s or ETSI’s radar.
Conclusions
Most IoT applications are not facing an immediate threat of quantum computing. However, the IoT industry is vulnerable to standard cyberthreats and there seems to be a lack of commitment to do much about it.
If we want to endow our increasingly connected IoT world with the quantum threat, then we need to take three actions. The first is to foster a security-conscious culture among users and embed IoT security as standard practice. The second is to urge manufacturers to adhere to established safety standards, ensuring that devices are intrinsically safe by design. Ultimately, research into low-resource quantum security solutions must intensify, and we should embrace the development of new approaches.
Jonathan Lane is a cyber security expert at PA Consulting
#Quantum #Threat #Implications #Internet #Computer #weekly
Image Source : www.computerweekly.com