IoT devices are the low-hanging fruit for attackers — How will PQC impact them?
September 2023 Update: Marking a nearly seven-year process and the final steps towards the world’s first post-quantum cryptography standards, the U.S. National Institute of Standards and Technology (NIST) released draft standards for quantum-safe algorithms on Aug. 24.
The transition to quantum-safe cryptography will hinge on two steps: inventorying all cryptographic assets and achieving crypto-agility through automation and centralized management. DigiCert’s customers investing in crypto-agility have deployed DigiCert® Trust Lifecycle Manager, which provides a comprehensive solution to discover, manage and automate digital trust across their organization.
For additional guidance on preparing for the transition to quantum cryptography, please refer to this blog.
Quantum computers will change the way many industries operate, and the impacts of quantum computing will affect all aspects of society. Quantum computers could be used to solve complex problems faster and more accurately than traditional computers, leading to new discoveries and breakthroughs in various sectors (read our predictions about quantum’s impact by sector here). However, quantum computers could break many of the encryption algorithms currently used to secure digital trust. Thus, we’re exploring how quantum computing will impact security of various interactions that businesses and individuals rely on in everyday life in a series of blog posts.
Today, we’re diving into the Internet of Things (IoT), or all the physical devices that connect to the internet. The IoT is a broad category including both the consumer IoT (CIoT) and industrial IoT (IIoT), meaning everything from smart home devices like thermostats, voice assistants and cameras to manufacturing, transport and healthcare devices. Once quantum computers become a reality, IoT devices, which are already often vulnerable to attacks, will become one of the most vulnerable verticals. Imagine the consequences if PQC enables an attacker to hack into the devices enabling smart cities, connected health devices, connected vehicles or even an individual’s smart home. Thus, this discussion will center around the vulnerabilities in the IoT and what is being done to secure it, both pre- and post-quantum computing.
Attackers frequently target IoT devices, which are considered the low-hanging fruit, or most vulnerable part of a network to attack. Hackers can use IoT device vulnerabilities to gain access to other devices or networks, making them an attractive target. In the first two months of 2023, there was a 41% increase in attacks on IoT devices from 2022, and trip the number from 2021. This is especially concerning given that there will be an estimated 75 billion IoT devices by 2025.
Part of the reason that IoT devices are notorious for being easy targets is that they have limited computing capacities and memory. Many IoT devices are designed to be low-cost and disposable, and thus it can be difficult to deploy software updates to them. While some IoT devices have more resources than others (e.g., in the industrial IoT space), those are often very expensive and impossible to replace. Still, some devices (e.g. gas pumps in remote locations) may not have any network connectivity
at all.
This video explains why IoT security is so challenging:
Once quantum computers become a reality, the algorithms in place that protect the IoT could become vulnerable, exposing sensitive data transmitted by IoT devices, compromising confidentiality and integrity. There could also be risks in the supply chain, as quantum computing could enable adversaries to compromise device firmware, cryptographic keys or the manufacturing process itself, introducing vulnerabilities that are difficult to detect and mitigate.
IoT devices often have relatively long lifetimes, and without a clear way to deploy software updates, they become vulnerable quickly. For devices with lifetimes of 10 to 20 years or longer, device manufacturers should deploy these with post-quantum algorithms today. While we don’t know exactly when quantum computers will be relevant for attacks on devices, we know that at least some devices deployed today with longer lifetimes already will need PQC algorithms before the end of their life. At a minimum, any long-lived devices that are not deployed with PQC algorithms today will need a plan for upgrading in the future.
However, there are regulatory movements in place to increase IoT security and transparency even pre-quantum computing. For instance, the EU Cyber Resilience Act will likely require device manufacturers to encrypt sensitive data, enforce regular device updates and provide more information to consumers to make informed purchasing decisions. On the later point, in the United States and other countries, IoT security labels, similar to nutrition labels, are rolling out. The U.S. National Institute of Standards and Technology (NIST) has provided a framework for IoT labelling that will include information about not only the device but also the supporting software.
These regulatory changes now will be useful when quantum computers emerge as consumers will have more transparency about the security of their devices and there will likely be more security enforced in the IoT, which will hopefully move the IoT from the low-hanging fruit of the industry to a little harder to reach for attackers.
As NIST selected PQC algorithms to replace the traditional cryptographic algorithms in place on the internet, special consideration was given to ensure that the selected PQC algorithms could be used by IoT devices. IoT devices need a wide range of cryptographic services including:
Thus, device manufacturers need to evaluate and make a plan now for how to include NIST’s selected PQC algorithms into their products and software. Unfortunately, these algorithms are not quick swaps for the traditional algorithms in place today and it may take time to transition to PQC, leaving a transitional period during which IoT devices remain vulnerable. Meanwhile, creating a plan to transition is essential to preparing to secure the IoT against quantum computers.
Additionally, as previously discussed, IoT devices with long lifetimes deployed today will need to be enabled to receive software updates. The “Software Update for the Internet of Things” standards at IETF explicitly include post-quantum support and regulation from the EU will also help enforce regular device updates.
Finally, manufacturers can create more transparency around IoT security by adopting IoT labelling, which is already regulated in several markets like Singapore, Germany, Finland and with regulation underway in the U.S. and E.U.
In sum, it is crucial for IoT device manufacturers, network operators and users to stay informed about the advancements in post-quantum security and prepare for the future cryptographic transition to mitigate potential security risks.
Additionally, organizations should remain crypto-agile — knowing where crypto is being used and having the tools to identify issues and fix them quickly. Crypto-agility is a security best practice regardless, but with quantum computers on the horizon it will be even more important so that organizations can more easily swap out their crypto for quantum-resistant encryption methods.
DigiCert’s customers investing in crypto-agility have deployed DigiCert® Trust Lifecycle Manager, which provides a comprehensive solution to discover, manage and automate digital trust across their organization. Trust Lifecycle Manager is redefining the meaning of certificate management by integrating CA-agnostic certificate management across public and private trust to deliver centralized visibility and control, prevent business disruption and secure identity and access.
For more information on how to prepare for the quantum cryptography transition, check out this blog.