How do we secure IoT devices and the ecosystem that supports them? Could quantum-driven cyber-security deliver a scalable and cost-effective solution?

While rapid growth in the deployment of IoT devices continues it is being hampered by the rising number of small- and large-scale cyber-attacks that are taking place.

In the UK while over 95% of Britons have some kind of IoT device in their household, according to research conducted by NordVPN, 20 per cent have not taken any measures to protect those devices.

“As the research shows, the more devices people own, the more vulnerable they usually are. Manufacturers surely have to take more responsibility for the safety of their products,” said Daniel Markusen, a digital privacy expert at NordVPN.

According to Gartner around 80 per cent of IoT projects fail before they are launched, often because of issues around scalability and security.

IoT devices are designed to collect and send information and while this can be done securely by using encryption, there are many examples of poor levels of encryption or of none at all leading to devices being hacked and compromised.

The number of consumer devices being hacked has jumped because it appears that many manufacturers are rushing unsecured products to market with very basic functions, in an attempt to shorten development times and cut costs.

“While this is great for device makers, it’s horrible news for consumers. When things are rushed, they leave huge gaps in terms of security,” warns Markuson.

IoT devices are pervasive and it seems that almost anything we buy can now be connected to the Internet, whether that’s light bulbs, washing machines, speakers or doorbells.

But despite this infinite variety there are some commonalities.

Poor design can lead to weaknesses and the creation of attack points that can be used to expose the networks on which devices reside. An IoT device that fails to secure the wireless network's security credentials, for example, can end up exposing the entire network. Anything connected to it can provide an entry point for hackers.

Devices should only be accessible to the owner and, perhaps, to people that they trust. However, when using these devices users have to extend that trust to a local network where no further authentication or authorisation may be required.

Many devices of the same model will come with the same password, along with the same firmware and default settings, while the growing take up of IoT devices helps to extend the surface, or attack, area as each additional connection provides a new set of opportunities for an attacker to discover and then exploit.

The Internet of Things had been forecast to hit over 40bn devices, or "things” by 2025, but new estimates now suggest that figure is likely to be lower at anything between 21-30bn units, but that’s still a massive attack area for would-be hackers.

Another area of vulnerability is software. Over time new updates will be required so devices need to come with an update function so that vulnerabilities, that become apparent as devices are used, can be patched – but that in turn will create additional vulnerabilities.

In addition, many IoT devices run low-quality software which can leave them susceptible to hackers, while manufacturers often end software support before users look to replace their devices.

IoT devices need to be able to share information so encryption is needed to avoid any loss of data and to keep devices secure, but even then weaknesses may exist. If the encryption is not complete, for example, or hasn’t been configured correctly then a device may fail to verify the authenticity of the other party leaving itself at risk of attack.

Typically small and low-power, IoT devices are often described as being general-purpose computers that run software in order to fulfil a specific purpose, as a result, that tends to make it easier for attackers to install their own software adding new forms of functionality that are not part of the normal functioning of the device.

Manufacturers also need to be able to monitor vulnerabilities and update devices in the field and there are growing calls for them to develop a security posture that looks to actively handle security issues, whether that is providing contact information or instructions as to what should be done if a consumer believes a product has been compromised. Without these, manufacturers are simply creating a less secure environment.

So what happens when a device is compromised? Usually they will keep functioning normally and users rarely notice any increase in bandwidth or power usage to alert them. In fact most IoT devices do not have logging or alerting functionality when it comes to security problems or, if they do, they are easily hacked.

The secure deployment of devices and a successful IoT product also requires a clear understanding of the broader ecosystem – i.e. not just the product but the entire system, from the sensor, for example, to a hub or app and then on to the backend server via the cloud.

It’s this complexity which has meant that the IoT has proved difficult to secure and while there are many connectivity options and connected devices for consumers, there are far fewer standards or regulations.

End-to-end IoT security

There are a growing number of companies developing security for the IoT but one, London-based Crypto Quantique, has developed a new end-to-end IoT security platform at the heart of which is the world’s first quantum-driven semiconductor hardware IP, called QDID. It is able to generate multiple, unique, and un-forgeable cryptographic keys for devices that are manufactured using standard CMOS processes.

The keys do not need to be stored and can be used independently by multiple applications on demand when combined with cryptographic APIs from the company’s universal IoT security platform, QuarkLink.

“When it comes to the IoT the scale of deployments has increased exponentially and, as a consequence, an enormous and complex ecosystem has sprung up and there’s no one really taking responsibility for it,” says CEO, Dr Shahram Mossayebi, an expert in cryptosystems,

“More devices are being hacked and there is no end-to-end security in place. Companies are more concerned about the costs associated with securing their devices and the wider network, but that could change as more IoT security regulations emerge.”

Mossayebi makes the telling point that the complexity associated with existing security solutions means that developers have had little choice but to choose between manufacturing at scale, or developing more secure devices but slowing done their development.

“That’s especially true of the consumer space. There’s an attitude that even if products are not secure they can be patched up later. Security has been difficult to scale and companies have found it hard to bridge the IoT scaling gap cost effectively,” he adds.

According to Mossayebi, economical and effective security can only be achieved through security-by-design and should not be an afterthought.

“IoT security done correctly will reduce overall costs, rather than adding to them,” he argues.

In order to secure the IoT the identities of the senders and recipients of data have to be established beyond doubt. Each microcontroller, ASIC or SoC must have a unique, immutable and un-forgeable identity and messages should only be sent in such a way that the intended recipients can interpret them.

“This requires effective cryptography,” explains Mossayebi.

Crypto Quantique has developed an IoT security solution that combines cryptography with quantum physics to deliver an end-to-end security solution.

“Our approach has been to simplify the generation of hardware root-of-trust (RoT) for an IoT device and in doing so square the current trade-off between security and scalability.”

The most common way to create a RoT is to use a random number generator then use key injection to place identities and keys into devices. This approach is both costly and means having to store the keys which can make them vulnerable.

Each semiconductor chip is unique due to tiny differences in the silicon die that are caused during the manufacturing process. It’s those differences

that are used to create physical unclonable functions, or PUFs, which can be used to develop much stronger levels of security and provide a secure connection.

Crypto Quantum has taken this further by using a concept known as quantum tunnelling to better secure devices.

“The best way to secure a device is to use the fabric of the device itself, much like our DNA it is unique. Rather than injecting identities and keys which is common practice.

“Our approach exploits randomness in the thickness of the oxide layer on a silicon wafer – this is quantum tunnelling - whereby electrons propagate through the barriers of the fabric of the wafers. That will vary with the thickness and atomic structure of the oxide layer,” explains Mossayebi and it’s that randomness that underpins the company’s ability to deliver higher levels of security.

According to Mossayebi, ”By exploiting the femto-currents caused by random quantum tunnelling we are able to generate random numbers, or seeds. These seeds are then used to produce, unique, uncorrelated and unclonable identities and cryptographic keys on demand. Because these identities and keys are produced within the device itself and do not need to be stored in memory or injected from external sources, they are inherently more secure than those produced by alternative technologies.” This PUF technology is also more economical to use requiring only minimal silicon area to generate multiple keys and eliminates the need for expensive on-chip peripherals such as secure memory.

“Because keys no longer need to be injected or stored it is now possible to significantly reduce system costs while increasing security, especially against side attacks. Using QuarkLink, our IoT security platform, in combination with QDID it is possible to deliver the very highest standards of security but to do so quickly and efficiently.

“Not only that we can manage the whole key lifecycle, manage firmware integrity and if a device is compromised revoke its keys,” adds Mossayebi.

Only recently, Crypto Quantique, received confirmation from independent security experts, Riscure, that its QDID quantum-driven semiconductor IP was PSA Certified Level 2 Ready.

A global, collaborative security program it looks to define a framework for connected device security and its aim is to prevent security becoming a barrier to product development.

For Mossayebi the certification was further proof that the company’s quantum-driven, second-generation PUF technology is well placed to provide levels of security for microcontrollers, application-specific semiconductors, and the IoT devices in which they are used.

Managing IoT device security may have just got a lot simpler.