CFOtech UK - Technology news for CFOs & financial decision-makers
No dedicated hardware security for 66% IoT modules: IoT Analytics
Fri, 22nd Sep 2023

IoT Analytics, a provider of market insights and strategic business intelligence for the Internet of Things (IoT), has published its latest research on the global cellular IoT module and chipset market for Q2/2023. The report reveals that 66% of IoT modules shipped in Q2 2023 had no dedicated hardware security, and 29% had no security features, exposing them to potential risks and vulnerabilities.

The research analyses the security features of 772 unique modules from 36 vendors and 150+ chipsets from 13 vendors that IoT Analytics tracks. It shows that only 30% of the modules on the market had dedicated hardware security features. 

Additionally, the report highlights the differences between the global and North American markets, where the latter has a higher share of non-dedicated hardware security features, such as TrustZone or secure boot.

This finding is consistent with concerns the US Congress recently expressed to the FCC about the security of Chinese-made cellular IoT modules within US infrastructure (either directly or as part of the manufacturing supply chain), such as FirstNet Authority networks and devices used by first responders across the country. Quectel and Fibocom have published press releases responding to the US Congress’s concerns in early September 2023.

The report is part of IoT Analytics’ Global Cellular IoT Module and Chipset Market Tracker and Forecast, which provides a quarterly look at the revenues and shipments of the companies supplying IoT modules and chipsets for cellular IoT deployments. The tracker also includes a quarterly and annual forecast from Q3 2023 to 2027.

Regarding IoT security, Principal Analyst Satyajit Sinha notes, “As cybercrime operates much like a business, criminals invariably opt for the path of least resistance. Implementing multiple layers of security increases the time and cost required for hackers to breach a system, thus making it more likely for them to abandon the effort and seek out less well-protected targets.”

“Cellular IoT modules are crucial for connectivity in IoT devices across industries. They provide a vital connection to the internet and are managed remotely. Ensuring their security is vital for safeguarding the broader IoT ecosystem,” he adds.

The report also gives the IoT module security outlook, noting how post-quantum security is becoming crucial for IoT.

Currently, the general life span of most IoT devices is 8 to 12 years, with automotive 5G module applications lasting 10 to 15 years. With these extended life spans, when building cellular IoT modules, manufacturers must look beyond current threats; specifically, they should start planning for the commercialization of quantum computing and the potential for state actors and cybercriminals to crack complex, commonly used encryption methods.

In October 2019, Google announced quantum supremacy in the journal Nature with its 54-qubit Sycamore processor, which Google claims could perform a complicated task in 200 seconds that would take the world's most powerful supercomputer 10,000 years to complete. 

Many countries and companies are also advancing quantum computing, among them the Chinese Academy of Sciences and QuantumCTek, a quantum information technology developer.

Other Google competitors, such as IBM, Microsoft, Amazon, and Intel, along with several new startups, have all invested heavily in developing quantum computing hardware in recent years.

While quantum chips have not reached widespread commercialization yet, manufacturers can start considering quantum security solutions today. Governments are already looking at standards and quantum-proofing solutions for their agencies and companies, and the following are just some examples:

In January 2022, the French National Agency for IT Systems Security (ANSSI) published its views and recommendations for the post-quantum cryptography (PQC) transition, offering a 3-phase process expected to last until 2030.

In July 2022, the US Department of Commerce’s National Institute of Standards and Technology (NIST) announced its selection of four quantum-resistant cryptography algorithms, constituting “the beginning of the finale of the agency’s post-quantum cryptography (PQC) standardization project,” which NIST expects to complete and publish in 2024.

In August 2023, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and NIST published a PQC migration readiness sheet to help the government and private sector start planning their quantum readiness.

Further, some companies are already developing post-quantum solutions. 

For example, Thales Group offers 5G security solutions with end-to-end encryption and authentication to safeguard organizational data as it moves across front-haul, mid-haul, and back-haul operations. These solutions rely on Thales’ 5G Luna Hardware Security Modules (HSMs).

Further, in February 2023, Thales Group announced that it successfully piloted a post-quantum resilient, end-to-end encrypted call using its Cryptosmart mobile app and 5G SIM.