On 21 November, Jim had the opportunity to host a GSMA Webinar on Post Quantum Cryptography for IoT, with guests from IBM (Lory Thorpe), NXP (Gareth Thomas Davies), Verizon (Vinod Choyi) and Vodafone (Luke Ibbetson).
As the Internet of Things (IoT) is ever more widely adopted across industries, the security foundations that underpin billions of connected devices will soon be exposed to a new threat. The rapid evolution of quantum computing threatens to undermine today’s widely deployed cryptographic algorithms, especially asymmetric methods used for authentication and secure communications. The webinar (and associated white paper: Post Quantum Cryptography in IoT Ecosystem) highlighted quantum-related risks for IoT and outlined the steps required to secure future deployments.
The following paragraphs provide a more detailed summary of the topics covered in the webinar and the white paper.
IoT adoption is accelerating across consumer, enterprise, and industrial sectors. From smart homes and connected vehicles to energy infrastructure and healthcare systems, IoT devices now serve crucial roles in everyday life and critical national functions. This growth, however, introduces increased exposure to cyber-attacks.
IoT devices often operate with constrained processing power, limited memory, extended lifecycles, and in some cases no mechanism for remote software updates. These characteristics make many devices inherently vulnerable and difficult to secure against emerging threats.
Security in IoT relies heavily on cryptography, including for device authentication, encrypted data transmission, secure firmware updates, and ensuring data integrity. Yet the asymmetric algorithms that underpin these functions (including RSA and alternatives) are expected to be broken by sufficiently powerful quantum computers in the future with the pending emergence of Cryptographically Relevant Quantum Computers (CRQCs). This raises a risk not only for long-lived devices but also for data harvested today and decrypted later in so-called “Store Now, Decrypt Later” (SNDL) attacks.
Beyond SNDL, quantum computing could expose todays’ IoT devices to a range of security threats, including tampering with device firmware, altering device behaviour, the impersonation or spoofing of devices, or injecting false data. Additionally, adjacent systems could be compromised through weak IoT endpoints.
The long operational life of many IoT devices makes these risks especially pressing to be addressed today so that devices will continue to be sufficiently secure when real-time quantum attacks become feasible. If such devices cannot be updated, then associated security could erode rapidly.
Post-Quantum Cryptography (PQC) includes algorithms designed to resist attacks from both classical and quantum computers. However, PQC algorithms are not simple drop-in replacements. Many have significantly larger key sizes, ciphertexts, or signatures, which can burden constrained IoT devices and increase energy consumption and stress limited-bandwidth connections.
Standards bodies have already begun defining quantum-safe algorithms and updating protocols including TLS, DTLS, IPSec, and SSH to support hybrid or fully post-quantum key exchange and authentication. New NIST standards, including ML-KEM for key establishment and ML-DSA or SLH-DSA for digital signatures, represent the emerging foundation of quantum-resilient security.
In each aspect of an IoT system architecture (from devices and air interfaces to backhaul networks, cloud platforms, and API exposure points), cryptographic mechanisms may need to evolve. For example:
Because IoT systems often consist of many interconnected components, a holistic and phased transition approach is essential. In this context, a hop-by-hop PQC hardening approach across IoT supporting infrastructures is likely to scale more effectively than end-to-end approaches for individual applications.
The webinar and associated report advocated for:
The quantum era will fundamentally reshape IoT security. While the exact timeline for fully capable quantum computers remains uncertain, the risks, particularly for long-lived IoT deployments, are present today. Proactive adoption of post-quantum cryptography and the development of crypto-agile systems will be essential to maintaining trust, resilience, and security across the global IoT ecosystem.
