Recently Verizon announced that they have begun to test quantum key distribution (QKD) with the goal to use it for securing communication links. That is great news. I believe that quantum key technology will become a significant element of security, going forward, to protect secret keys. It is closer to perfect than any other security scheme thus far. And not just for communications, but anywhere a secret key is used.
I think drilling down a bit on QKD is warranted. Why? Because most of the media outlets, including some of the wireless ones, do not have much of a clue as to what it really is. To wit, often when they talk about it, they put it in the wheelhouse of quantum cryptography, which it is not.
When they come across it, such as the recent Verizon release, the report simply puts some verbiage out there from the press release followed by some general data about QKD pulled from a quantum site that talks about it. Then they go on to discuss, in layman’s terms, what QKD will do.
This is because they just do not understand such technologies and cannot make much of a press release out of it without a lot of quotes and site data. So, they fill in with what is going on with the release topic and talk about other issues. This kind of reporting on QKD is well worn and it has been playing for years already.
Now, QKD is an awesome technology for securing data transmissions. And, just to reiterate, this is not the same as quantum cryptography, which many non-technical discussions seem to imply. So, let us expand this a bit and talk about what Verizon is doing and how it works.
First, Verizon’s experiment was between two points, using a fiber link, not an RF link. At the moment, QKD links can only be accomplished over a fiber link or from optical free-space links (telescopes) and point to point (although in 2017, a Chinese satellite named Micius sent entangled photons to three different ground stations, each separated by more than 745 miles, which broke the distance record for entangled particles). They have yet to be accomplished via any RF links, which make up most of the wireless communications in existence.
Second, they are relatively limited in real-world distance. In such experiments, the link has been limited to around 62 miles. Controlled lab experiments have fared better. However, the longest successful QKD transmission is just over 248 miles over special low-loss fiber and 745 miles via a free-space optical link. At present, the range under non-ideal conditions is short because photon losses, for both fiber and free space, increase dramatically with distance.
However, 62 miles of distance may become acceptable for much of the future communications based on 5G technology – cell towers, small cell sites, various types of networks (Wi-Fi, particularly), and upcoming platforms such as mesh networks and autonomous vehicles. Distance, though, is not the major challenge. There are other factors that must be overcome, such as scattering and interference. Eventually, QKD, just like quantum computing, will become a usable technology.
QKD is based on the quantum mechanics principles of entanglement (QE) and superposition. These were first proposed by Albert Einstein in the 1930s. QKD has been around since the 1970s (although it took the 1990s to give it traction).
The communications sector has been working with photons, but QE can be accomplished with a variety of particles – electrons, photons, molecules, etc. And it is not limited to individual particles. In practice, items like magnets, metals, even the human body have hundreds of entangled molecules, all of which act as a single object and can be used in the entanglement game.
The theory of entanglement, in short, is that multiple particles are linked together in a way such that the measurement of one particle’s quantum state determines the quantum states of the other particles, even separated by large distances. This is why QE is such a panacea for security. If you mess with one particle, it reflects on the others. Therefore, if the destination is not the exact replica of the source, one can assume the package and the key have been compromised.
A second required condition of quantum mechanics is superposition. It states that particles exist in multiple states, simultaneously. Photons, for example, can display simultaneously both horizontal and vertical states of polarization.
Superposition says that if the state of one of the entangled pair is disturbed, that disturbance will be reflected on the other particle. And, once the entangled state is compromised, even by observation, it will collapse or disappear altogether. Superposition also states that such particles can exist simultaneously, in separate places, hence any disturbance on one is immediately reflected on the other. In theory, QKD can alert whatever is monitoring it that a compromise has happened before the data actually arrives.
So, using quantum mechanics, in the form of QKD, to secure a key is where this is all heading. In a nutshell, if the quantum elements of the key have been compromised, the assumption is that the key may be as well, and the same for the data.
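The detection idea described above can be seen in a small simulation. This is an added example, not code from Verizon or from any QKD product: it models a simplified entanglement-based exchange with two measurement bases and an eavesdropper who measures and re-sends one photon of each pair. The function names and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

def measure(state, basis, rng):
    """Measure a photon prepared as (basis, bit): the same basis returns the
    bit, the other basis returns a uniformly random result."""
    prep_basis, bit = state
    return bit if basis == prep_basis else rng.randint(0, 1)

def run_link(n_pairs, eavesdrop, seed=1):
    """Simulate n_pairs entangled pairs; return (sifted_len, error_rate)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_pairs):
        a_basis, b_basis = rng.randint(0, 1), rng.randint(0, 1)
        if eavesdrop:
            # Eve measures Bob's photon in a random basis. The pair collapses
            # to her basis and result; she forwards a matching photon to Bob.
            state = (rng.randint(0, 1), rng.randint(0, 1))
            a_bit = measure(state, a_basis, rng)
            b_bit = measure(state, b_basis, rng)
        else:
            # Undisturbed pair: Alice's measurement fixes the state Bob sees.
            a_bit = rng.randint(0, 1)
            b_bit = measure((a_basis, a_bit), b_basis, rng)
        if a_basis == b_basis:  # sifting: keep only matching-basis rounds
            sifted += 1
            errors += a_bit != b_bit
    # Simplification: a real link estimates this on a disclosed sample only.
    return sifted, errors / sifted

QBER_LIMIT = 0.11  # illustrative abort threshold (assumption)

def key_accepted(n_pairs, eavesdrop, seed=1):
    """True when the measured error rate is low enough to keep the key."""
    _, qber = run_link(n_pairs, eavesdrop, seed)
    return qber <= QBER_LIMIT

if __name__ == "__main__":
    for eve in (False, True):
        n, q = run_link(20000, eve)
        print(f"eavesdrop={eve}: sifted={n} qber={q:.3f} "
              f"accepted={q <= QBER_LIMIT}")
```

An undisturbed link shows no errors in the matching-basis rounds, while the intercepted link shows roughly one error in four, so the endpoints discard the key before any data is encrypted with it.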
Simple enough, at least in theory. However, it will be years, if not decades, before QKD will see widespread use. There are just too many other environmental conditions, which must be controlled, that affect quantum transmissions. As well, practical applications of quantum mechanics are also years off.
Fiber is likely to become the first success story. Optical next, then wireless. But I would not hold my breath.
October 13, 2016
With the expected proliferation of telemedicine, the medical community is raising the red flag on mobile device security. In a recent survey, a whopping 82 percent of hospitals surveyed say it is a “grave (no pun intended) concern” for them in the evolving cyber-threat landscape.
And it isn’t just patients’ wireless use. Personally owned mobile devices used by hospital staff, including nurses and physicians, were a large security worry.
The problem is password protection. Most personal mobile devices have inadequate password protection and most lack the right security levels for messaging and when being used on public Wi-Fi and cellular networks.
Personal medical data contains a plethora of information for cyber thieves. Not just medical data, but financial, personal and professional data, as well. This is a virtual goldmine for cyber criminals and they are figuring this out very quickly.
Some fixes for this vulnerability have begun to be introduced. For example, one approach is what is called “containerization.” This is a process where personal apps on a device are separated from corporate ones through a mobile device management system. This allows the enterprise to have complete control of the business apps, but no access to personal apps and vice-versa.
But it has some issues. One of which is that, generally, users don’t like having to switch between the container and main user screens. Another is that this adds overhead costs to the hospital administration staff and some users try to circumvent the system because of its bulkiness.
The healthcare ecosystem is one of the more difficult to manage from a security perspective because of its ubiquity. And the problem is not so much with the hospitals themselves as with the BYOD (bring your own device) environment of the cross-connected staff and patients. It is much easier to let the users have their own devices than try to manage enterprise devices across multiple locations, which is typical in the hospital ecosystem. How this is all going to shake out is still a bit of a mystery.
August 26, 2015 — For the longest time, securing wireless communication devices wasn’t high on the OEMs’ priority list. And for much of that time, there really wasn’t much of a concern with security on phones, and smart devices in general. But that is starting to change. With the integration of Wi-Fi and web browsing, the same miscreants that attack computer networks have a new vector to compromise data.
In general, the Android and Apple operating systems (OS) aren’t particularly hackable, so the operational components are safe. The value in hijacking a smartphone is in what’s on it and in what else it can be used to attack. Attackers’ interest is in things like personal, financial, credit card, and other data, as well as in using the phone as a portal to other devices and systems. That is now possible using a smartphone.
But with Wi-Fi and Internet access, it isn’t just about your data. There is a virtual cornucopia of opportunity with all the social media that most people have on their smartphones. So if you’re hacked, everyone whose data is on your device is a potential target as well.
That is the gravity of the situation, and it is serious. Most consumers are aware of securing their PCs. But few realize that today’s mobile phones are just as vulnerable. And when the Internet of Everything (IoE) materializes, your smartphone will be connected to everything from smart socks to smart cars.
Just recently, a group of researchers from Indiana University, Peking University and the Georgia Institute of Technology revealed some deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s password-storing keychain, break app sandboxes and bypass its App Store security checks. Apple is supposedly not hackable. Well, so much for that theory. Similar conditions exist for Android, as well. And, simply put the term “smartphone hack” into any search engine; pages and pages come up on how to and what hacks are available.
An excellent overview of smartphone security, titled “A Window Into Mobile Device Security,” is available from Symantec. While this report is a few years old and some progress has been made towards addressing these flaws, a significant number of them still exist, in addition to new ones that have been discovered since then.
And another issue is just how easily it can be done. Recently, a cyber-company named iSEC Partners demonstrated how texts, cell phone calls and other information could be fully disclosed on a Verizon smartphone through the use of a femtocell, which can be bought for under $300!
Today, there are three common methods of cell phone hacking: the first can be done, even when the phone is off, using peripheral technology such as Bluetooth. Hackers can still access your info without your even being aware of it.
Another method, and this has risen to the top of late, is the use of mini-cell phone towers where outsiders can read off cell phone data, or spoofed cell towers (devices that fool the phone into thinking it is talking to a real tower).
Another method of hacking into phones is to reroute the info to an outside source, typically referred to as “man in the middle.” This is when a person can get into your phone’s operating system and pass the information on to unscrupulous persons who just wait for information to come to them.
We are just scratching the surface, here. But the time has come to start taking smartphone security very seriously. With the IoE, the potential for expanded threats ramps up by orders of magnitude because the devices that will be interconnected will be expanded by those same orders of magnitude.
Meanwhile, there are some things one can do to keep the possibility of being hacked to a minimum:
The point here is that it is time to understand that smartphones aren’t any less vulnerable to hacking than computers or other networks. It just hasn’t come into the center of the radar screen, yet…but it will. Let’s hope we are prepared.