Can your cell phone, toy drone, or robot vacuum suddenly turn into a lethal weapon?
Cybersecurity experts around the world have hailed Israel's pager exploit last month targeting nearly 3000 Hezbollah operatives via their electronic pagers, as a brilliant counterintelligence move. But the incident is also a grim reminder that a world built on connectivity can pose multiple threats as well as blessings—not only to our privacy but also to our safety. It's time to make a sober assessment of what the options are for safeguarding the coming Internet of Things.
In the final analysis, the IoT revolution will benefit from another taking place at the same time: that of quantum technology.
The Internet of Things (IoT) is that vast universe of interconnected “smart” devices that includes refrigerators and air conditioners as well as industrial sensors that monitor the power grid. It includes the GPS software in our automobiles as well as traffic surveillance cameras and commercial drones. The global IoT market, which has been growing at 26.9% for several years now, shows no signs of slowing-according to Market Data Forecast, it's projected to reach $875 billion by 2025. One highly credible estimate is that there will be over 29 billion IoT devices worldwide by 2030.
Overall, this brave new world of connectivity brings new risks we've only begun to understand-let alone taken serious steps to address.
For example, in America there's a growing alarm over China's dominant role in manufacturing the devices that make up the IoT. China Telecom, the parent company of China Telecom Americas, estimated in 2020 within five years 95% of these products would be manufactured in China. What kind of software or malware may be secretly installed in those devices; and what kind of hidden connectivity they may have to their Chinese manufacturer or even the Chinese government or intelligence agencies; remains largely unexplored territory by governments and cybersecurity companies alike.
Placing limits on what IoT products come from China, as former US Congressman Mike Gallagher has argued in the Wall Street Journal along with many others, seems a sensible step.
But it's only a step. The truth is, no national cyber strategy can be complete unless it addresses the overall threat-and looks at the new technologies that can mitigate that threat.
Businesses have learned to use interconnected devices to track goods moving from inventory to customers. Factories use them for monitoring production, and farmers to automate irrigation and check on livestock. They've become a daily part of our lives, from “smart” heating and air-conditioning and Pelaton workout gear to robot vacuum cleaners-not to mention commercially made drones.
Since the majority of the 390,000 recreational drones used in the US are made by a Chinese commercial company, DJI, Congress decided to pass a ban on DJI drones in June. Concerns about Chinese-made IoT devices include Chinese surveillance cameras operating in US shipyards, and lithium-ion batteries for EV's manufactured in China.
A US Congresswoman from West Virginia, Carol Miller (R-WV), has introduced a bill to ban Chinese components for EV's.
The concern isn't just here in the US A joint study by the China Strategic Risks Institute (CSRI) and the Coalition on Secure Technology in Britain, issued a dire warning regarding Chinese components in EV's. It stated that “suppliers suspected of having ties to China’s military-industrial complex pose a key risk due to the potential for built-in wireless components to be ‘weaponised’, including causing gridlock in British streets.”
Until recently the concern about Chinese-made IoT components, like those in DJI drones, has centered on whether these devices could be used for snooping and gathering information and data.
Now we have to ask, whether devices like iPhones that rely on components made in China by America's most formidable foe, could be put to a more lethal-even explosive-purpose.
The Hezbollah pager story suggests we need to take this scenario seriously.
For that reason, there are three priorities governments as well as the private sector, to deal regarding security risks posed by IoT.
The first is the most obvious: be aware of where a device is made, and where its key components came from-and not only in China. This is another reason why reshoring American electronic manufacturing, or at least “strategic reshoring,” ie buying from trusted allies like South Korea or Japan, is not just a good idea economically, but a national security necessity.
Even more important, however, is developing an IoT cybersecurity strategy that incorporates the most advanced technologies, including quantum technology.
Let's be forthright: the vast majority of today's IoT devices come with no built-in security. To correct this, an IoT cybersecurity strategy will center first on defending the networks on which those devices depend.
Those measures will have to protect against data breaches; side-channel attacks, ie when an attacker is able to gather information by observing the effects of a program's execution on its hardware or other systems; or simple failures to update whatever encryption is necessary to keep those networks secure and private. But given the explosive growth of the IoT market; it's unlikely that even a sophisticated network-based cybersecurity plan is going to keep track of every threat to every device scattered across the country, or even across the globe. Even moving the network to the Cloud won't defeat an adversary determined to use our smart phones or automobile GPS to create havoc, or worse.
Another approach is looking to the Distributed Ledger Technology (DLT) encryption cryptocurrencies use to insulate individual users from any attack on the network as a whole. The problem is that the size of DLT encryption used by a cryptocurrency approach of hundreds of GBs. Most IoT nodes simply don't have the storage needed to support DLT-based cybersecurity-just as conventional IT security packages can't be expected to be aware of threats to individual devices until it's too late.
The truth is, the biggest IT security companies like Crowdstrike and Palo Alto Networks have been far behind the curve of the IoT revolution. Above all, they've been slowly turning to the next generation of cybersecurity, offered by the advent of quantum technology.
For example, one solution is adopting the kind of post-quantum cryptography exemplified by the algorithms just approved by the National Institute of Standards and Technology (NIST). These complex algorithms are designed to defeat future quantum computer hackers; but they can be just as effective at defeating present-day hackers and network intruders.
Another, potentially less cumbersome, method is using quantum-based cryptography to create unhackable communication links between devices and their operators. This has the advantage of relying on a physical component, ie a quantum random number generator, small enough to fit into any electronic device, through which the network can send a constantly changing quantum key for encrypted communication. (Samsung, for example, installed such a QRNG device in its 5G smart phones starting in 2021).
Companies like Canada's Quantum eMotion are showing it's possible to use these random-generating components to send/receive messages that are 100% unhackable and secure-while using generators that are small enough to fit into the average IoT device. Using its electron tunneling technology, Ouantum eMotion is specifically targeting the IoT as well as 56 communications market.
Meanwhile, other commercial companies are looking to stake a claim in a QRNG market that (according to a IQT research report), will grow to $14 billion by 2030.
Quantum cryptography is also the approach China is taking to protect its data and networks-a significant warning to everyone else, including the US government.
Still, there is no single solution to dealing with the future security risks associated with IoT. Instead, government and industry will require a multi-layered approach, from conventional cybersecurity to DLT and quantum cryptography, in order to avoid having the IoT universe become a cyber threat that-like the Hezbollah pagers-blows up in our faces.
What if our cell phones, toy drones, and robot vacuum cleaners suddenly turn into lethal weapons? Last month, Israel bombed the pagers (aka pagers) of about 3,000 Hezbollah members, which cybersecurity experts around the world called an ingenious
counterintelligence operation. However, the incident is a chilling warning that while the world can be interconnected, it can also pose a number of threats to privacy, safety, and everything in between. It’s time to take a hard look at how we can protect the expanding Internet of Things.
Ultimately, the IoT revolution will benefit from another revolution happening next door: the quantum revolution.
The IoT is a vast world of interconnected “smart” devices, including refrigerators, air conditioners, and industrial sensors that monitor the power grid. It also includes GPS software for cars, traffic surveillance cameras, and commercial drones. The global IoT market has grown by 26.9% annually in recent years, and shows no signs of slowing down. Market research firm Market Data Forecast projects that the market will grow to $875 billion by 2025. Reliable estimates suggest that by 2030, there will be more than 29 billion IoT devices worldwide. In
broad terms, this brave new world of connectivity presents new risks, but we are only just beginning to recognize them, let alone take serious action to address them.
The United States, for example, is increasingly alarmed by the fact that the devices that make up the IoT are being manufactured primarily in China. In 2020, China Telecom, the parent company of China Telecom Americas, estimated that within five years, 95 percent of these devices will be manufactured in China. Neither governments nor the cybersecurity community yet fully understand what software or malware could be installed on these devices, or how they could be covertly connected to Chinese manufacturers, the Chinese government, or intelligence agencies.
As former U.S. Rep. Mike Gallagher argued in the Wall Street Journal, among others, sanctions on Chinese IoT products seem reasonable.
But sanctions are only one measure. In fact, a thorough national cyber strategy requires addressing threats in a multidimensional manner while also examining new technologies that can mitigate them.
Companies are learning to use interconnected devices to track their products as they move from warehouses to customers. Factories use them to monitor their production processes, and farmers use them to automate irrigation and monitor livestock. These connected devices are already deeply embedded in our daily lives, from commercial drones to “smart” heating and air conditioning systems, exercise equipment, and robotic vacuum cleaners.
Most of the 390,000 recreational drones used in the United States are manufactured by the Chinese private company DJI. In June, the U.S. Congress passed a bill banning DJI drones. Other Chinese IoT devices that the U.S. is concerned about include Chinese surveillance cameras used in U.S. shipyards and lithium-ion batteries for electric vehicles manufactured in China. U.S. Rep. Carol Miller (R-W.Va.) has introduced a bill to ban Chinese electric vehicle parts.
The U.S. is not alone in its concerns. A joint study by the China Strategic Risk Research Institute (CSRI) and the UK-based Coalition on Secure Technology warns that Chinese-made electric vehicle components could be highly risky. “This is particularly dangerous for suppliers with suspected links to China’s military-industrial complex, as embedded wireless components could be ‘weaponised’, potentially causing gridlock on UK roads,” they say.
Until recently, concerns about Chinese-made IoT components, such as DJI drones, were primarily about whether such devices could be used for spying and gathering information and data.
Now, we must be concerned about the potential for devices like the iPhone, which use components made in China, America’s archenemy, to be used for greater destruction and detonation.
The Hezbollah pager explosion should be a wake-up call for us to seriously consider this possibility. For
this reason, both government and the private sector must focus on three key areas related to security risks associated with the IoT.
First, and obviously, we must know where our devices and their key components are manufactured, even if it is not in China. Therefore, it is essential for the U.S. to bring back electronics manufacturing that has moved overseas, or to purchase electronics from trusted allies like Korea and Japan through “strategic reshoring,” both economically and from a national security perspective.
But even more important is to reflect cutting-edge technologies, including quantum technology, when developing an IoT cybersecurity strategy.
Frankly, most IoT devices today do not have security features built in. To fix this problem, any IoT cybersecurity strategy must first consider how to defend the networks on which such devices are deployed.
This should prevent data breaches, side-channel attacks (where information is gathered by observing how hardware or other systems are affected when programs are executed), and even simple failures to update encryption needed to secure the network and protect personal information. But with the explosive growth of the IoT market, even the most sophisticated network-based cybersecurity plan will struggle to track all threats from all devices spread across the country or the world. Even if you move your networks to the cloud, you won’t be able to stop adversaries who plan to use your smartphone or car’s GPS to wreak havoc—or worse.
Another option worth considering is the distributed ledger technology (DLT) encryption used by cryptocurrencies to protect individual users from attacks on the entire network. The problem is that the DLT encryption used in cryptocurrencies is hundreds of gigabytes in size. Few IoT nodes have the capacity required for DLT-based cybersecurity. Just as traditional IT security programs cannot be expected to recognize threats to individual devices in a timely manner,
the world’s largest IT security companies, including CrowdStrike and Palo Alto Networks, are far behind in the IoT revolution. More importantly, they have yet to fully transition to the next generation of cybersecurity technologies that have emerged with quantum technology.
One solution, for example, is to adopt quantum-resistant cryptography, such as the algorithm recently approved by the National Institute of Standards and Technology (NIST). The goal of such complex algorithms is to thwart future quantum computer hackers, but they can also effectively defend against existing hackers and network intruders.
Another, perhaps simpler, solution is to use quantum-based cryptography to create an unhackable communication link between devices and operators. The beauty of this approach is that it allows for encrypted communications, since the network uses a small hardware component called a quantum random number generator
(QRNG) to send a constantly changing quantum key through the electronic device (Samsung, for example, has been integrating a quantum random number generator (QRNG) chip into its 5G smartphones since 2021). Companies like Canada-based Quantum eMotion are showing that they can send and receive messages in a way that’s 100% unhackable and secure, using a random number generator small enough to fit into a typical IoT device. Quantum eMotion is targeting the IoT, 5G, and 6G telecommunications markets using its own electronic tunneling technology.
Meanwhile, private companies are also trying to crack the QRNG market, which is expected to grow to $14 billion by 2030, according to research by IQT.
China is also using quantum cryptography to protect its data and networks—something that should make the U.S. government and others wary.
But no single approach will solve all the future security risks surrounding the IoT. To prevent the Internet of Things from becoming a cyber threat that explodes before our eyes like a Hezbollah pager attack, governments and industry need to approach the problem from all angles, using everything from traditional cybersecurity technologies to distributed ledger technology and quantum cryptography.
Read in Korea Business Herald.
Enjoyed this article? Subscribe to Hudson’s newsletters to stay up to date with our latest content.