Depending on which reports you read there were anywhere between 10 billion and an estimated 46 billion IoT devices worldwide in 2021. Households across the US and UK are cited as having around 10-50 of these connected devices each. In addition, a figure from a Nokia Threat Intelligence Report found that of all the devices that were infected by malware or subject to a cyberattack in 2020, a third were IoT devices – double the amount from the previous year.
The reason for both their ubiquity and their vulnerability to attack is because of the way they’re built. Their small size and basic components make them affordable, but it also means they lack the hardware capabilities needed to offer the robust encryption seen on larger, more expensive devices.
At the same time, the market is highly fragmented. Each manufacturer typically builds its own software that runs on a variety of real-time operating systems and security protocols; these are themselves stripped back and basic. Without a standard approach to security, users are forced to implement critical services, such as key generation, from scratch.
This combination of popularity and inadequate protection creates a vulnerability that makes IoT devices an obvious choice for hackers. The risks were recently laid bare when researchers discovered a security error that was leaving billions of IoT devices with worthless encryption keys.
Not only did this discovery remind us why the entire ecosystem is a major weak spot in the connected global economy but it explains why the sector is crying out for new approaches to security. In the case of encryption, we need an approach to generating strong cryptographic keys that can secure billions of devices against advanced threats, today and in the future. The kind of approach made possible by quantum technology.
IoT’s flaws laid bare
The recent IoT security error centered on the way in which devices generated their encryption keys. The majority of cybersecurity systems rely on the generation and management of cryptographic keys to encrypt and decrypt the data they’ve been designed to protect. The quality of these cryptographic keys directly determines the security strength of the system. Or, to put it another way, an encryption system is only as strong as the unpredictability of your cryptographic keys.
When it comes to IoT devices, the cryptographic keys are generated using cheap hardware components that are built into the device. Security researchers discovered that the keys being generated weren’t as unpredictable as they needed to be. In fact, in many cases, the keys were completely worthless, consisting of a string of zeros. A security nightmare, and a hacker’s dream.
The case for quantum
Within the field of key generation, there are three distinct approaches used today: software algorithms, classical hardware and quantum processes.
The software algorithm approach takes unpredictable data and expands it into cryptographic keys. Because the algorithms are deterministic, the quality of the keys they generate is entirely dependent on the quality (and privacy) of their starting state. As a result, they are typically paired with one of the other two approaches or used only for non-cryptographic use cases.
The classical hardware approach involves measuring physical phenomena in the world around us to create cryptographic keys. The hope is to find unpredictable data that can generate strong keys – however this is impossible to do robustly. The classical world that we experience evolves in complex, yet ultimately predictable ways, so we are always relying on ignorance as a defence. Not only this, but we cannot verify the quality of keys generated by this approach, so we cannot detect when the systems are generating predictable output.
By contrast, quantum processes rely on quantum behavior to generate strong cryptographic keys. They harness the true unpredictability of quantum mechanics to produce encryption keys that are near-perfectly unpredictable and protected from adversaries, even those with full knowledge of the system and unlimited computing power.
Not all quantum approaches are equal
The quantum approach to key generation sounds fantastic, but until recently it has not lived up to the hype. When it comes to previous commercial attempts at using quantum to generate cryptographic keys, it has proven impossible to isolate the benefits that quantum provides from the electrical noise and other non-quantum effects happening in the environment. As a result, the keys generated using these flawed approaches are weaker than they should be.
Because the non-quantum effects cannot be excluded, these approaches are vulnerable to manufacturing defects and malicious or accidental damage. There is no way to determine whether the resulting keys are unpredictable or not. Users have to place their blind faith in the perfect construction and operation of these devices. Because of these issues, organisations such as the NCSC have advised against their use, and scientific papers have shown these problems to be real, not just theoretical.
Fortunately, a new approach has been developed to solve these issues. Inspired by so-called “device independent” protocols, this approach involves generating keys using quantum sources that are intrinsically self-testing. Such systems can tap into the true unpredictability of quantum processes, and can generate keys that are provably very strong, and near-perfectly unpredictable.
The key to this new approach is the validation or “health check” that proves the process is working properly. By verifying the quantum source of randomness, it’s possible to have high confidence that the resulting cryptographic keys are essentially indistinguishable from perfect. This approach is far superior to testing the keys themselves using statistical analysis, which cannot reliably measure whether keys are strong or weak.
Securing IoT with quantum
This new technique for generating strong keys from quantum sources is a perfect solution for IoT. Rather than trusting low-powered and low-capability devices with the crucial task of generating their own cryptographic keys, it’s possible to inject strong keys at the point of manufacturing.
In fact, a self-testing quantum approach is a viable solution for any and all devices, applications and networks that rely on encryption keys. Cambridge Quantum has recently launched a key generation platform built using this approach, called Quantum Origin, and it has already been used by companies like Fujitsu to generate strong keys for network security systems. The Quantum Origin platform uses a quantum computer to generate cryptographic keys that are near-perfectly unpredictable to any attacker.
As the number of IoT devices continues to soar – with estimates suggesting it will reach 75.4 billion devices by 2025 – and with the continued fragmentation of such devices, quantum technology holds the key to keeping these devices, and their users safe. Today, and for decades to come.
Duncan Jones leads the quantum cybersecurity division at Cambridge Quantum, and a member of the Quantum Security initiative, part of the World Economic Forum – Quantum Computing Network, a community of experts from business, academia, governments and non-profit organizations at the forefront of promoting secure adoption of quantum technologies. He previously held various research and product roles at Arm, Thales, Worldpay and Cryptomathic. He graduation from the University of Cambridge with a degree in computer science.
- Quantum-enhanced keys on demand add security against cyberattacks
- CQ makes TKET quantum software development kit open-source
- ChipDNA PUF security co-processor provides 30x lower power
- A comparison of SRAM vs quantum-derived semiconductor PUFs
- Cryo-CMOS IP enables qubit control chips at cryogenic temperatures