Post Quantum: We'll repurchase everything

Hello everyone,

So I was thinking again about how secure my smart home was. And I found out that the whole security of ZigBee/Matter-over-Thread relies on classical algorithms.

By that, I mean it's not post-quantum. Most smart devices just won't be able to update to support post-quantum, because the hardware just won't be enough.

What this means is, our home will be at security risk when the quantum era becomes a thing. And I think it's not far from now.

So the bottom line is we'll have to replace all the devices not supporting it... basically everything.

Am I missing something? Am I wrong at some point? I feel like nobody's talking about this.

Good day!

What's your point, exactly?

Or you speculate your IoT devices will be at risk eventually, and just don't do IoT.
Or you speculate that hackers won't use multi-billion quantum equipment to hack your lights, and live with the risk.
Or you stop peering at that crystal ball and see what will actually happen :wink:

2 Likes

> Or you speculate your IoT devices will be at risk eventually, and just don't do IoT.

I don't agree. The whole IT world can be at risk, we don't stop. We just make sure to fill the holes.

> Or you speculate that hackers won't use multi-billion quantum equipment to hack your lights, and live with the risk.

You can already rent "quantum computers" in the cloud. You don't need the whole thing.

> Or you stop peering at that crystal ball and see what will actually happen :wink:

I don't agree. Anticipation is key in security. That is why post-quantum algorithms and security are already a whole field. :wink:

My point exactly is there will be a time window where it will be very easy to do anything in your home and repurpose your devices very easily. Unless the industry makes a bold move fast. And when they do, we will throw away a lot of devices.

So my point, ultimately, is to keep in mind that what you buy today might not be for the long term.

Ok. And define how.

Yes, post quantum is a thing.

Yes, they also have to get in. Quantum teleportation isn't literally putting a bad guy on your ZWave network. It instantly factors giant numbers.

That's a problem post quantum as it is today. Just... Faster.

Layers.

So let's say they have a viable commercial quantum processor... Today. (They don't, but let's say they do...) Script kiddie breaks quantum encryption.

Think it out: where are they breaking you? First, that connection to the internet. The connection from Nabu or whatever your remote solution is. THAT is what needs post quantum protection. Not my IoT device. (At least today.) It's a bridgehead protection job. Because if they're already inside far enough to touch my ZWave or Zigbee or Thread networks, I already have a problem.

Am I saying don't improve security in the device? No, absolutely not. What I'm saying is work the right problem first.

5 Likes

Obviously it's better if the internals of your network are secure but quantum attacks don't get the free pass you imply just because many devices on your network use old cryptography.

If you secure the entrance points you will continue to be safe, so WiFi, routers, what you expose, etc.

Security is important to me and this issue is real, but I don't think you will need to replace anything like all your devices.

I say this part way through implementing secure remote access with Pangolin/WireGuard. There are other ways too, but my aim is to ensure only I can get in, and anything public is very specific, if I do that at all.

Right... Like I give a flip if a hacker knows when my bathroom light is on.

Your paranoia is showing.

As @NathanCu says, a hacker would have to get past too many other layers upstream of my home to even see any of my devices.

Yes, you can rent time on a quantum processor now, but it is so expensive that absolutely no one on this planet would expend the energy and expense to see if my toilet fan is running.

Quantum is still a research curiosity and the best predictions say that readily available cloud access for general projects is two decades away.

Just like commercially feasible fission power- always two decades away.

1 Like

Honestly, I'm more worried about space wizards from Alpha Centauri than quantum computers. The technical difficulties just seem too great.

1 Like

The internet part is the one I worry about the least, because the web is adapting. For the device part, though, one could listen to data frames and very quickly map the network and what to do with it.

Well, this is what breaking the Zigbee primary key is, isn't it? (Not sure how it works in Zigbee >= 3.0 and Thread.)

And if you break the Zigbee primary key... Then? What? Again, you have to GET there.

Look, I get your point; yes, it will eventually break. But those technologies you're talking about are islands on purpose.

The only one I'm actually concerned about, honestly, is Matter over WiFi because it rides my existing wire. (And for the record, I don't have any... Similar reason? Maybe. :smiling_face_with_horns:) You have to transit different transports to even read those devices.

Yes, be vigilant; yes, sorry, you are vastly overblowing this threat.

In security, paranoia is a good thing. Zero trust is the way.

And it's not about your bathroom. Someone (with the right tools, the guy doesn't have to do all the work by himself btw) could map your network entirely and send commands to devices. It means if you have security devices (cameras, door sensors, automated doors, etc.), well, they're not security devices anymore.

I don't know about your neighborhood, but in mine, it's not only online attacks, there are physical ones :grin:

If a bad guy has physical access to your device, it is no longer your device. Period.

Not a new issue.

4 Likes

Yes, that's a good point - your ZigBee network is public and therefore exposed.

But what are the opportunities, risks and payoffs here? To connect to my ZigBee network is already difficult inside my house, though I've very little data on this yet. Connecting from outside means being very close at least. So for one, this attack doesn't scale. It has to be valuable to get into one specific ZigBee network. I don't plan to replace all my sensors to defend against that, though perhaps some will.

My point is that this isn't a significant risk for most people. Very few if any I expect. But this will be a matter of situation and opinion.

Making sure that WiFi and particularly internet entrance points are secure will be far more important to me.

1 Like

Not what I meant. I mean, you can sniff close-range networks by being... close range. You don't have to enter the house for that.

Close actually, no. Max range for Zigbee is 30 feet.

You will need to be within thirty feet of my home.

If you're within thirty feet of my home I GUARANTEE I've already seen you. You have been in range for twenty feet already. And I wouldn't worry about my security. I'd worry about the attacker. Kind of Carl and Donut fashion. They will not break me...

I totally get that, and you are right. People get cheap IPTV devices that use their network and are used in DDoS attacks, but they keep it that way because the device works.
People don't care much about security, that's a thing.

Now, I think if there are weaknesses in a system, there will always be people willing to find a way to exploit that.

Bringing me back to my first question: What is your point?
Risks are risks. They are not materialized, yet. There is no hole to fill, yet (at least in this context).

If the point really is: "So the bottom line is we'll have to replace all the devices not supporting it... basically everything."

Then, yep, sure, agreed. Or we'll upgrade the firmware, or we'll live with the fact that some remote hacker who managed to get access to your network will be able to turn on your lights...

(I intentionally leave out using IoT for actual security devices, like locks, that I consider a bad idea even today)