With an estimated 43 billion Internet of Things (IoT) devices expected to be in use globally in 2023, their security is growing in importance across a wide range of sectors. As IoT devices generate and exchange data, we depend on that data to be accurate and reliable. In addition, because they are networked, their exploitation can open attack vectors in wider systems which could result in extensive and global impact.
In 2016 the largest ever botnet attack was launched on the service provider Dyn using the Mirai malware. This malware looked for IoT devices running the Linux ARC operating system, attacked them with default login information and infected them. This enabled huge numbers of IoT devices to be used together in distributed denial of service (DDoS) attacks resulting in significant parts of the internet going down.
Another example was the Medtronic Insulin Pump Vulnerability. In 2019 it was found that some Medtronic MiniMed insulin pumps had vulnerabilities in their Wi-Fi connectivity, making it possible for an unauthorised person to control the pump with potentially life-threatening consequences.
IoT devices tend to be on smaller platforms that have technical limitations on their space, weight and power. As a result, they have lower processing capacity and cannot run sophisticated authentication and cryptographic solutions. In addition, many of our current IoT devices are poorly architected and badly configured when installed, meaning that security measures are often not operational. When you integrate these smart devices into a network that also has much older and simpler devices, the potential for impact scales considerably.
Many organisations are working hard to get the security basics in place and recognise that they have an issue. However, getting businesses to invest in longer-term IoT security is often a significant challenge.
Quantum computing, though it might be a decade or two away, presents a threat to IoT devices that have been secured against the current threat and which may remain in place for many years. To address this threat, governments are already spending billions, while organisations like NIST and ETSI are several years into programmes to identify and select post-quantum algorithms (PQAs), and industry and academia are innovating. And we are approaching some agreement on a suite of algorithms that are probably quantum safe; both the UK’s NCSC and the US’ NSA endorse the approach of enhanced public key cryptography using PQA along with much larger keys.
The NCSC recommends that the majority of users follow normal cyber security best practice and wait for the development of NIST standards-compliant quantum-safe cryptography (QSC) products. That potentially leaves the IoT with a problem. Most of these enhanced QSC standards appear to require considerable computing power to deal with complex algorithms and long keys – and many IoT sensors may not be capable of running them.
So until NIST delivers its QSC standards we won’t know whether they will work within IoT constraints. If they don’t, then there is a gap in the formal development of IoT QSC solutions.
This is a fast-moving area with a lot of innovation so it may make sense to look elsewhere for alternative viable solutions.
Asymmetric cryptography, for example, could be viable with low-resource PQC algorithms. Symmetric cryptography is currently favoured by the IoT industry as a low-power mechanism, but the problem of secretly distributing the same keys to each party remains, and quantum enhancements may push up power requirements. Then there are symmetric key establishment mechanisms where innovation may help, as there are alternative approaches being considered.
These include quantum key distribution (QKD), which uses the properties of quantum mechanics to establish a key agreement, rather than using difficult mathematical problems that quantum computers will solve quickly. However, QKD requires specialist hardware and does not provide a way of easily enabling authentication, and the NCSC does not endorse QKD for any government or military applications.
Another option is secure key agreement (SKA). Some companies are experimenting with computationally safe ways of digitally creating symmetric keys across trusted endpoints. This type of low-power, software-based capability offers an interesting alternative for the IoT. But although independent verification of this type of capability is happening, this approach is on neither NIST’s nor ETSI’s radar.
Most IoT applications are not facing an immediate quantum computing threat. However, the IoT estate is vulnerable to standard computing threats and there appears to be a lack of commitment to do much about this.
If we are to equip our increasingly connected IoT world for the quantum threat, then we need to take three actions. The first is to foster a security-conscious culture among users, and to embed IoT security as standard practice. The second is to urge manufacturers to adhere to established security standards, ensuring that devices are inherently secure by design. Finally, research into low-resource quantum-safe solutions must intensify, and we should embrace the development of novel approaches.
Jonathan Lane is a cyber security expert at PA Consulting