Many experts are predicting that Y2Q, which marks the day when a commercially viable quantum computer will be capable of cracking today’s encryption, is much closer than previously thought. As Y2Q approaches, developers face the challenge of deploying quantum-secure digital signatures that can be used in boot loaders and other critical operations.
When a connected device is turned on, whether it is a phone, an automobile, or a smart doorbell, a boot loader goes into action. This simple yet critical process initializes the device hardware, validates the firmware and, if verified, loads the firmware into the device’s memory, launching the sequence of events that makes the device operational.
As the first piece of software to run when a device is powered up, the boot loader plays a critical role in system security. If the boot loader is compromised, it opens the door for bad actors to gain access to the system. To address this vulnerability, boot loaders use encryption to verify that the digital signature of the firmware is valid and trusted.
For hackers, breaking or spoofing the digital signature encryption and gaining access to the system is a task that is about to get much easier. Advances in quantum computing aided by AI and machine learning are now threatening to undermine the encryption utilized by boot loaders.
Expanding quantum-secure encryption to IoT
Quantum IoT devices pose a threat to encryption because they provide the computing power to quickly solve the complex mathematical algorithms upon which encryption is based, giving hackers the power to calculate the keys that keep encryption algorithms secure. Once the key is obtained, hackers can unlock data and compromise the systems that are secured by encryption.
The power that conventional IoT devices provide has already proven to be capable of cracking certain levels of encryption. In response, security solutions have turned to more complex algorithms producing longer encryption keys. However, this path leads to problems for PQC boot loaders and other devices that require fast processing and have limited computational and memory resources.
Devices such as the uLoadXLQ Quantum Secure Boot Loader solve this problem by providing an encryption protocol based on lightweight post-quantum digital signature algorithms that feature small signatures and fast verification. It allows for digital signatures that have been secured by quantum-resistant encryption to be quickly verified, ensuring that only the authorized firmware is launched and installed. If the digital signature cannot be verified, indicating that the system has been accessed by an unauthorized entity, the boot loader shuts down the boot process and prevents the installation of a corrupted OS or unauthorized applications.
The uLoadXLQ system also uses a digital signature generated from a quantum random number, so the key is as strong as possible. This functionality allows the system to achieve the level of entropy needed to provide true quantum-resistant encryption. Limited entropy is an issue that results in weak cryptographic keys and diminished security.
The challenge of securing IoT boot loaders
The more than 14 billion devices that make up the Internet of Things (IoT) commonly rely on boot loaders to support their operations. These devices typically share sensitive data over vast networks, but unlike computers, these devices typically run on very limited resources, making lightweight security a necessity.
Attacks on IoT devices have grown dramatically in recent years. According to cybersecurity statistics, over 5.8 million malware attacks were carried out on IoT devices in December 2021. In December 2022, the number of attacks topped 10.5 million.
By deploying ransomware on IoT devices, hackers can take over the functionality of devices, locking out users until a ransom is paid. This could involve taking control of a smart thermostat or computer-aided systems in a car. When unleashed on mission-critical systems, such as those delivering or regulating medications, ransomware attacks targeting IoT devices can be extremely damaging.
The use of IoT devices in the corporate world has created what is known as the “shadow IoT.” This refers to IoT devices such as smart speakers or smart TVs that are added to an organization’s network without the approval of the IT department or the application of enhanced security measures. These devices then become the weak link in the organization’s network security.
A recent report by the global management consulting firm McKinsey & Company envisions the IoT as a tool that could dramatically improve virtually every area of our lives, but achieving that vision would require IoT devices to gain greater public trust. To do that, McKinsey says, the IoT’s cybersecurity vulnerabilities must be overcome. The adoption of quantum-resistant boot loaders would be a major step in that direction.
The growing need for boot loader security
The threat that unsecured IoT boot loaders pose is illustrated by recent regulations implemented in the United Kingdom that address chargers for electric vehicles (EVs). These regulations seek to secure EV chargers, which are required to be connected to the internet, against attacks by bad actors. They stipulate that IoT devices include secure boot technology and automatic disconnect in cases where security is threatened.
The regulations are meant to address concerns about the ways hackers could capitalize on IoT vulnerabilities to gain access to the networks that support the chargers. At a minimum, attacks could result in the theft of electricity or credit card data. However, security experts also envision scenarios in which hackers could use EV chargers to gain access to and shut down power grids.
The ongoing progress toward Y2Q combined with our increasing dependence upon IoT devices points toward a future of unparalleled security challenges. Now is the time to deploy the tools that will ensure security in a post-quantum world.
Quantropi is an Ottawa-based player in the quantum-secure data communications space. The firm’s QiSpace is the only end-to-end quantum security SaaS platform with all three prerequisites for cryptographic integrity – Trust, Uncertainty and Entropy (TrUE)