How quantum security generates randomness to shield IoT systems

Quantum tech can generate perfect randomness, which is completely unpredictable to both present-day attackers and future, quantum-powered attackers.
27 August 2021

Quantum computing has been seeing significant growth around the world. More use cases are being developed in various industries that leverage quantum technology. Now, the cybersecurity industry is also being reenvisioned with quantum security.

Currently, random number generating (RNG) devices are among the most widely used tools in authentication. Over the years, more and more organizations' security measures have come to rely on random number generating tools. However, a vulnerability was recently disclosed in the RNGs used in IoT devices. The Hacker News reported that the vulnerability was disclosed by Bishop Fox researchers Dan Petro and Allan Cecil. A recent analysis found that the vulnerability affects 35 billion devices worldwide.

“Basically, every IoT device with a hardware RNG contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use. In order to perform most security-relevant operations, computers need to generate secrets via an RNG. These secrets then form the basis of cryptography, access controls, authentication, and more,” explained Petro and Cecil in their detailed disclosure post.

With so many devices now exposed, this is a huge problem, but one that could potentially be solved by using quantum cybersecurity to protect IoT technologies. According to Duncan Jones, the Head of Cybersecurity at Cambridge Quantum, cryptographic organizations avoid the use of RNG devices. For them, cryptographic keys are only secure if they are truly random.

Unfortunately, Jones pointed out, there is no way to generate true randomness in the classical world. Classical systems, whether they are software algorithms or chaotic physical phenomena, are ultimately deterministic. Anyone with enough processing power can predict exactly what they will do.

“Quantum technology allows us, for the first time ever, to generate provably perfect randomness, which is completely unpredictable to both present-day attackers as well as quantum-powered attackers in the future. This is a game-changing innovation, which will revolutionize the cybersecurity field,” explained Jones.


Jones added that non-quantum methods of ‘randomness generation’ are not secure. They typically rely on software functions, or “random-looking” physical processes to generate streams of zeroes and ones. Unfortunately, those streams are biased (i.e. not uniformly random) and can be easily simulated on a quantum computer. “The answer to this challenge is verifiably quantum entropy, which is a unique solution from Cambridge Quantum. We generate the only provably perfect randomness in the world, using quantum computers.”

Making the most of quantum tech for IoT security

With more IoT devices being deployed in various sectors, securing them has to be a priority. The RNG vulnerability will eventually lead to more concerns within industries, especially those dealing with sensitive IoT data. Jones explained that with IoT infrastructure placed in hard-to-reach places, maintaining it is not an easy task.

This is where he believes there is a need for the cryptographic core of these devices to be quantum-proofed as early as possible. Without this change, Jones believes quantum-powered attackers could remotely control IoT devices, once quantum computers become powerful enough. The only way to avoid this is to embed quantum-safe cryptography into the heart of IoT devices.

“Once a powerful quantum computer exists that can break cryptographic algorithms, non-quantum safe devices will be vulnerable to significant attacks. These attacks work in both directions,” said Jones. “The attacker can impersonate the IoT device, which can cause havoc when false data is relayed to the cloud. Equally, the attacker can impersonate the device owner, causing the device to install malicious firmware or otherwise share sensitive data.”

Jones also highlighted the common misconception that quantum technology must be more expensive than existing solutions. Speaking only on behalf of Cambridge Quantum, Jones said they offer very competitive rates for their key generation capabilities, thanks to their wide partner base of quantum hardware providers.

The bigger concern of course is cybercriminals. Once quantum security enters the mainstream, there is still the possibility that quantum computers in the future will enable cybercriminals to attack systems that have not upgraded to quantum-safe technology. As Jones puts it, it is simply in the nature of cyberattackers “to use every available tool to conduct their crimes.”