With smart devices everywhere in our homes and offices, the attack surface has never been so massive.
While smart devices are commonly used nowadays to make various aspects of our daily lives easier, not everyone is aware that it takes a single unprotected device for a hacker to compromise the whole home network. As the world gets more connected, threat actors find clever ways to take advantage of new technologies and exploit overlooked vulnerabilities. With quantum technology on the way, it is now more important than ever to be prepared and keep an eye out for new risks.
To talk about the threats that IoT devices face, Cybernews invited Dr. Shahram Mossayebi, the Co-Founder and CEO of Crypto Quantique – a company using quantum-driven solutions to secure the ever-growing environment of connected devices.
How did Crypto Quantique evolve since its launch in 2016?
Since its launch in 2016, Crypto Quantique has focused on IoT device security. The company has grown to employ over 35 people, including experts in silicon chip design and cryptography for security. Its quantum-driven secure silicon chip design, invented by Dr. Shahram Mossayebi and Dr. Patrick Camilleri, the founders of the company, has proven to be secure against all known IoT attacks in independent assessments.
In addition, Crypto Quantique's universal IoT security software platform is now part of the ecosystem of several of the world’s semiconductor industry leaders, including EPS Global, Macronix, Renesas, Silex Insight, and STMicroelectronics. The company won numerous industry awards last year, and in November the Institute of Engineering and Technology (IET) recognized Crypto Quantique's technology by announcing it as the winner of the E&T Innovation Awards in the cybersecurity category.
Can you introduce us to what you do? What are the main issues you help solve?
Crypto Quantique’s Q:Architecture® is a combination of a silicon chip design block (IP), called QDID, and a software security platform, called QuarkLink. It’s a scalable architecture for quickly and securely connecting IoT devices to the cloud.
Q:Architecture has two complementary elements:
- QDID is a silicon chip design that generates random, unique, unforgeable identities – like fingerprints – and cryptographic keys on-demand in the chips. These are critical to IoT security. Keys do not need to be stored and can be reconstructed on-demand. This eliminates the need for key injection and its associated cost, complexity, and security compromise. (Key injection is the alternative process for creating a Root-of-Trust in IoT devices.)
- QuarkLink is a universal IoT security platform for connecting devices to in-house or cloud servers. Originally designed to work with QDID, it is also available as a standalone product to be used with other Roots-of-Trust. Its unique feature is its breadth of capability in one tool. It provides secure provisioning, including cryptographic keys and firmware, automated secure onboarding to any platform (e.g., AWS, Azure, or Mosquitto), security monitoring, and lifetime management of the IoT device network.
The limiting factor in IoT growth has been a compromise between security and scalability, remembering that anything connected to a network can be an entry point for hackers to take control of everything on that network.
Q:Architecture enables companies to achieve IoT device and network security quickly and reliably at scale, without specialist knowledge of the complex cryptography that underpins it.
You state that the new era of IoT security is quantum-driven. Would you like to share more about this vision?
IoT device attacks are now happening every day, and soon quantum computers will enable malicious actors to increase the effectiveness of these attacks with much more powerful computers at their disposal. However, by implementing security that also exploits quantum effects, security can be dramatically improved today and provide greater protection in the quantum computing era.
QDID exploits randomness in the thickness of an oxide layer on silicon chip wafers resulting from manufacturing variability. The extent of quantum tunneling – where electrons propagate through barriers – varies with the thickness and atomic structure of the oxide layer. QDID measures these quantum effects to generate multiple, uncorrelated cryptographic keys, which are random numbers, inside the silicon chips made from the wafers. The keys can be used as the basis for unique device identities, and for cryptography and authentication in IoT device networks using the QuarkLink platform.
How did the pandemic affect the IoT scene? Have you noticed any new security issues arise as a result?
We have not noticed any new IoT security issues because of the pandemic, but we have seen a renewed focus on IoT security as organizations have become more decentralized, and more reliant on device connectivity and cloud services.
There is a growing awareness of the importance of security-by-design. In other words, a realization that security cannot be a bolt-on afterthought. It can’t be achieved through software alone, which has been the traditional approach to enterprise software. The billions of IoT devices at the edge of networks provide a massive attack surface for hackers. As a result, the foundation of IoT network security must be hardware security built into these devices.
Could you share some tips for organizations looking to secure their IoT devices?
Organizations must educate themselves about IoT security. Too many are burying their heads in the sand, assuming someone else along the supply chain will fix the problem.
They need to keep up to date with legislation so that they understand their responsibilities. There are now severe penalties for those that breach IoT regulations. The European Union’s Cybersecurity Act was adopted on 21st March 2019 and California implemented a bill on 1st January 2020 to protect the privacy of personal information shared across connected devices. In February 2020, the Korea Internet and Security Agency also published guidelines for how IoT ecosystems need to meet the requirements of the country's Personal Information Protection Act (PIPA). These are just a few examples of a rapidly evolving legislative framework for IoT security.
Like legislation, industry standards are an essential tool for building trust in the IoT. ETSI, the European standards body, released its IoT security standard in June 2020, detailing 13 provisions for device security and five for data protection. America’s National Institute of Standards and Technology (NIST) is working on IoT cybersecurity, focusing on the privacy needs of federal information systems. And the industry collaborative body, PSA Certified, sets out ten security goals to guide IoT device design.
With a good grasp of legislation and standards, it’s easier for organizations to evaluate the available technologies for improving IoT security. IoT security is complicated and fragmented, with many players in the supply chain. However, the latest tools, such as QuarkLink, can help organizations take back ownership of their IoT network security through automation, and eliminate reliance on risky and expensive third parties.
What are the main threats associated with quantum technology?
It is claimed that Google’s quantum computer, which is only in its laboratory phase, is up to 158 million times faster than today’s fastest supercomputers. Put into context, this means that calculations which today would take 10,000 years to do on IBM’s Summit could be done in a few minutes on a quantum computer.
The implications for all computing security, including IoT devices, are immense. At the simplest level, think of how much faster it will become to try out hundreds of millions of passwords to hack into a device. Cracking device identities and the cryptography used across networks could become much, much easier with a quantum computer at your disposal.
NIST has been working to develop a post-quantum cryptography standardization process to address the threat since 2016. Last year it announced the third-round finalists of a contest to find the most effective post-quantum primitive – a low-level algorithm that will be used as the foundation for cryptographic protocols that can be used to develop quantum-secure networks.
It's a continuous race to stay one step ahead of the criminals.
What cyber threats do you think will become a prominent problem in the upcoming future?
Ransomware IoT attacks are rapidly becoming one of the main dangers. Hackers lock down computer systems and demand payment to unlock them. Organizations are often left with no option but to pay the ransom, the cost of not doing so being prohibitively high.
It’s not only a financial issue. Where attacks are carried out on medical devices, or medical institutions, lives may be at stake. Vulnerabilities have even been identified in pacemakers and other implantable devices and hospitals have been held to ransom through IoT attacks.
Autonomous machines, everything from drones and robots to self-driving cars and trucks, are mobile collections of connected sensors and actuators, so they also face the same threats as any other IoT network. IoT devices are often the weakest point in the system because of the large attack surface they present. The potential to disrupt these emerging technologies is growing by the day and the consequences can be extremely serious.
Last year, there were an average of 5,200 attacks per month on IoT devices, according to the PSA Certified organization. Others report that such attacks doubled in the first half of 2021 compared to the previous six months. Cyberthreats on the IoT are a present and growing threat.
In your opinion, what cybersecurity measures are essential for everyone nowadays?
I would recommend everyone to read and act upon the PSA Certified ‘Expert IoT Security Framework and Certification’ document. It’s a comprehensive set of recommendations that goes into much more detail than we can do here.
However, getting down to the basics, every IoT device on a network should have a unique, immutable, and unforgeable identity and each one must be identified through the network management platform. Ideally, identities and cryptographic keys should be generated in the hardware of IoT devices, on-demand, rather than being stored in memory, where they are vulnerable to attack. The IoT network infrastructure should be segmented so that any segment under attack can be quickly isolated from others on the network, and the network should be developed on ‘zero-trust’ principles. This is based on the belief that trust itself is a vulnerability. It, therefore, relies on strong device and user authentication, minimizing the involvement of third parties in the supply chain, and organizations taking as much control of their networks as possible.
Would you like to share what’s next for Crypto Quantique?
Soon, we will see Crypto Quantique’s chip technology, QDID, become readily available in devices made by the world’s leading microcontroller manufacturers. These microcontrollers are found at the heart of most IoT devices.
Our goal is for it to be seen as the gold standard for IoT device security, both now and in the post-quantum era.
Our IoT security platform, QuarkLink, is democratizing IoT security, making it possible for OEMs, telecom operators, and other organizations to implement highly secure IoT networks at scale. Our customers can take advantage of the most advanced cryptographic techniques for IoT security, without having to understand the complexities under the hood. After all, how many of us would be driving cars if we needed to be able to build them to do so?
We are expanding globally and will soon open offices in the USA and Japan, and our scientists and engineers will continue to ensure that our customers stay one step ahead of the malicious actors that have limited the growth of the IoT in recent times.