Why the IoT Needs to Care About Post-Quantum Cryptography—Now

The Internet of Things (IoT) is a vast network of physical devices, from sensors and meters to industrial machines and consumer products, which collects, shares, and acts on data. To work securely, these devices must be able to identify themselves, protect the data they handle, and accept only legitimate software updates.

That security model is coming under pressure from the rise of quantum computing. It could eventually break the cryptographic methods many devices rely on to authenticate updates, establish secure connections, and protect sensitive data.

Although quantum computers aren’t yet overcoming encryption at scale, it doesn’t mean the IoT sector can afford to wait. Connected devices often stay in service for years, sometimes well over a decade, and many operate in environments where updates are difficult, infrequent, or tightly controlled. If the cryptography built into those products can’t withstand future attacks, today’s design decisions could become tomorrow’s security failures.

Post-quantum cryptography (PQC) is the new generation of cryptographic algorithms designed to meet this challenge and resist attacks from both today’s computers and future quantum machines.

A Challenge for Today

Today, the issue facing the IoT sector isn’t just the moment a sufficiently powerful quantum computer arrives. The problem also involves what adversaries can do at present by collecting encrypted traffic, credentials, and sensitive operational or personal data now and holding it for future decryption. For an industry built on long-lived devices and long deployment cycles, that risk has immediate relevance.

Standards and transition guidance for PQC are already taking shape. For example, the National Security Agency (NSA) requires systems handling national security information to adopt NIST-approved post-quantum algorithms by 2027. And the EU PQC roadmap includes a 2030 deadline for high-risk use cases. Whatever the exact timeline for practical quantum attacks, the transition window for industry has already opened.

Nobody knows when quantum computers will break today's cryptography. Google believes the quantum frontier may be closer than we think and has set itself a deadline of 2029 to migrate to PQC. The IoT industry must ask which devices, products, and services being designed, shipped, or maintained today will still need to be trusted in the 2030s.

Where are the Risks?

One of the first risks to focus on is confidentiality. If a device sends sensitive telemetry, credentials, personal data, or commercially valuable operational data, that information may need protection for years. If it’s intercepted now and stored, future decryption could still cause harm.

Second, there’s risks associated with authenticity and integrity. In IoT, these are often even more important than secrecy. Devices depend on digital signatures to confirm that firmware is genuine, updates come from a trusted source, and commands aren’t forged.

In a future where quantum attacks can undermine today's public-key signatures, the consequences could be severe. A compromised update path for an industrial controller, gateway, or smart vehicle component creates significant safety, resilience, and liability problems.

This is why secure boot, secure firmware update, device authentication, and key establishment should be near the top of any PQC priority list. These are the trust anchors on which broader IoT security depends.

Recognizing the need to migrate is easier than doing it. PQC introduces real engineering challenges, especially in embedded systems. With PQC, public keys, signatures, and protocol messages are often much larger than their classical equivalents. That affects flash usage, RAM requirements, bandwidth, certificate handling, and latency. Some existing devices will be able to accommodate this through software updates or careful optimization. Others may have to make compromises.

That’s why the most sensible response is a structured migration plan. Start with cryptographic discovery: Identify where RSA, ECC, and other vulnerable algorithms are used across products, services, manufacturing systems, and supply chains. Then prioritize systems with long lifetimes, limited updatability, high-value data, safety implications, or critical trust functions. Finally, design for cryptographic agility where feasible.

Combining Conventional and Post-Quantum Security

Hybrid cryptography will play an important role in this period and is recommended by organizations such as the European Union. By combining conventional and post-quantum methods, organizations can reduce migration risk while standards, products, and ecosystems continue to mature. This can add implementation complexity, but for many IoT use cases it offers a worthwhile path between today's installed base and tomorrow's security requirements.

It’s also important to remember that PQC is both a device challenge and an ecosystem challenge. A connected product depends on certificate authorities, cloud services, mobile apps, manufacturing tools, diagnostics, installers, service networks, and standards bodies. Migration will only work if that whole ecosystem moves together.

There’s Still Time

The good news is that the industry needn’t solve everything at once. The goal for now isn’t necessarily universal PQC deployment across every endpoint. It’s preparedness. New designs should be evaluated against post-quantum requirements, security roadmaps should account for product lifetimes that stretch into the 2030s, and leadership teams should start treating PQC as a key resilience issue.

For the IoT sector, waiting is the riskiest strategy of all. Devices being specified today may still be operating when traditional cryptography is no longer considered acceptable. By then, fixing the problem could be expensive, disruptive, or impossible.

The quantum threat may still be emerging, but the migration challenge is already here. The organizations that start now, by identifying their critical use cases and building in upgrade paths, will be far better placed to protect devices over their full lifetime. In IoT, that’s what post-quantum readiness really means.