With an estimated 43 billion Internet of Things (IoT) devices expected to be in use globally in 2023, their security is growing in importance across a wide range of sectors. As IoT devices generate and exchange data, we depend on that data to be accurate and reliable. In addition, because they are networked, their exploitation can open attack vectors into wider systems, which could result in extensive and global impact.
In 2016 the largest ever botnet attack was launched on the service provider Dyn using the Mirai malware. This malware looked for IoT devices running the Linux ARC operating system, attacked them with default login information and infected them. This enabled huge numbers of IoT devices to be used together in distributed denial of service (DDoS) attacks resulting in significant parts of the internet going down.
Another example was the Medtronic Insulin Pump Vulnerability. In 2019 it was found that some Medtronic MiniMed insulin pumps had vulnerabilities in their Wi-Fi connectivity, making it possible for an unauthorised person to control the pump with potentially life-threatening consequences.
IoT devices tend to be on smaller platforms that have technical limitations on their space, weight and power. As a result, they have lower processing capacity and cannot run sophisticated authentication and cryptographic solutions. In addition, many of our current IoT devices are poorly architected and badly configured when installed, meaning that security measures are often not operational. When you integrate these smart devices into a network that also has much older and simpler devices, the potential for impact scales considerably.
Many organisations are working hard to get the security basics in place and recognise that they have an issue. However, getting businesses to invest in longer term IoT security is often a significant challenge.
Quantum computing, though it might be a decade or two away, presents a threat to IoT devices that have been secured against the current threat and which may remain in place for many years. To address this threat, governments are already spending billions, organisations like NIST and ETSI are several years into programmes to identify and select post-quantum algorithms (PQAs), and industry and academia are innovating. We are also approaching some agreement on a suite of algorithms that are probably quantum safe; both the UK’s NCSC and the US’s NSA endorse the approach of enhanced public key cryptography using PQA along with much larger keys.
The NCSC recommends that the majority of users follow normal cyber security best practice and wait for the development of NIST standards-compliant quantum-safe cryptography (QSC) products. That potentially leaves the IoT with a problem. Most of these enhanced QSC standards appear to require considerable computing power to deal with complex algorithms and long keys – and many IoT sensors may not be capable of running them.
So until NIST delivers its QSC standards we won’t know whether they will work within IoT constraints. If they don’t, then there is a gap in the formal development of IoT QSC solutions.
This is a fast-moving area with a lot of innovation so it may make sense to look elsewhere for alternative viable solutions.
Asymmetric cryptography, for example, could be viable with low-resource PQC algorithms. Symmetric cryptography is currently favoured by the IoT industry as a low-power mechanism, but the problem of secretly distributing the same keys to each party remains, and quantum enhancements may push up power requirements. Then there are symmetric key establishment mechanisms where innovation may help, as there are alternative approaches being considered.
These include quantum key distribution (QKD), which uses the properties of quantum mechanics to establish a key agreement, rather than using difficult mathematical problems that quantum computers will solve quickly. However, QKD requires specialist hardware and does not provide a way of easily enabling authentication, and the NCSC does not endorse QKD for any government or military applications.
Another option is secure key agreement (SKA). Some companies are experimenting with computationally safe ways of digitally creating symmetric keys across trusted endpoints. This type of low-power, software-based capability offers an interesting alternative for the IoT. But although independent verification of this type of capability is happening, this approach is on neither NIST’s nor ETSI’s radar.
Most IoT applications are not facing an immediate quantum computing threat. However, the IoT estate is vulnerable to standard computing threats and there appears to be a lack of commitment to do much about this.
If we are to equip our increasingly connected IoT world for the quantum threat, then we need to take three actions. The first is to foster a security-conscious culture among users, and to embed IoT security as standard practice. The second is to urge manufacturers to adhere to established security standards, ensuring that devices are inherently secure by design. Finally, research into low-resource quantum-safe solutions must intensify, and we should embrace the development of novel approaches.
Jonathan Lane is a cyber security expert at PA Consulting