The rapid expansion of the Internet of Things is creating a new and complex risk landscape for telecom operators, as advances in quantum computing threaten to undermine today’s security foundations. According to GSMA, quantum computers pose a multi-layered risk for telcos, spanning radio access networks, private clouds, edge infrastructure, billing platforms, consumer devices and, most critically, IoT deployments.
IoT growth outpacing security readiness
GSMA Intelligence estimates that the global IoT base will grow from about 23 billion devices today to 37 billion over the next five years, representing a rise of nearly 60 percent. Enterprise verticals such as manufacturing, buildings, healthcare and logistics will drive around 90 percent of this growth, accounting for roughly two thirds of all IoT connections by 2030.
Despite this surge, quantum readiness remains alarmingly low. Only about 8 percent of IoT devices currently in active use are considered quantum safe. This translates to roughly 1.8 billion devices out of a total base of around 24 to 25 billion. More than 90 percent of IoT devices are therefore exposed to cryptographically relevant quantum computer, or CRQC, attacks.
Majority of IoT devices highly vulnerable
GSMA Intelligence highlights that around 75 percent of vulnerable IoT devices are not quantum safe at all. Their security could be compromised in multiple ways by CRQC attacks. A further 20 percent have only partial protection, often because they possess some defensive characteristics such as faster clock speeds but lack full cryptographic resilience. These are typically older devices that would require physical replacement or chipset upgrades to improve security.
There is little variation across industries, with most sectors clustered in the 7 to 10 percent range for fully quantum-safe devices. This is largely because the majority of IoT deployments rely on conventional cryptography algorithms that were standardised before post-quantum cryptography, or PQC, emerged.
Low power design adds to the challenge
Much of the IoT world was designed for low power consumption, particularly devices operating over low-power wide-area networks. These devices do not have the silicon processing capabilities of smartphones or high-end computing equipment, making the transition to PQC more complex and costly.
IoT manufacturers and enterprise buyers have historically optimised for cost, battery life and connectivity rather than long-term cryptographic resilience. As quantum computing capabilities advance, this design philosophy needs to change to pre-empt future threats.
Standardisation is the first critical step
Progress is beginning at the standards level. The US National Institute of Standards and Technology has already selected the first set of PQC algorithms, providing a foundation for the ecosystem. This enables chipset makers, device manufacturers, software vendors and telecom operators to begin integrating PQC into hardware, operating systems and network architectures.
Given the size of the installed IoT base and the cost of upgrades, hybrid security models combining traditional cryptography with PQC are expected to dominate over the next two to three years. Operators are likely to prioritise mission-critical environments such as hospitals and industrial systems before addressing the wider IoT base.
Telcos moving too slowly on quantum risk
So far, only a limited number of operators, including Vodafone, Telefónica and SK Telecom, have made CRQC preparedness a strategic priority through research, development and proofs of concept. While this group is expected to expand, GSMA warns that the pace of change is not fast enough.
Survey data shows a clear gap between risk perception and technological reality. Only 5 percent of operators believe CRQC attacks could pose a business risk within the next two years, while around 90 percent think the threat is at least five years away. This view is consistent across regions, including highly advanced markets such as the United States.
Financial and reputational stakes are high
The consequences of a successful quantum-enabled breach could be severe. GSMA estimates that direct costs from security incidents, including financial losses, litigation and regulatory penalties, could amount to 2 to 3 percent of a telco’s revenues. At a global level, this puts roughly $30 billion of telecom revenues at risk.
Beyond direct losses, reputational damage could have a lasting impact. Customer churn, weakened brand trust and reduced enterprise opportunities are major concerns, particularly as enterprise services now contribute around 25 to 30 percent of total telecom revenues. If IoT platforms are perceived as insecure, telcos risk losing ground in digital transformation projects across industries.
Closing the quantum security gap
GSMA concludes that IoT represents the largest and most exposed attack surface for telcos in the quantum era. With billions of ageing devices in the field and rapid growth ahead, coordination across the supply chain is essential. Chipset vendors, device makers, network suppliers and operators must align on hardware, software and network integration, while also sharing best practices and building industry-wide awareness.
CRQC risk is asymmetric. A single successful attack could expose the limitations of conventional cryptography protecting billions of devices worldwide. For telcos, acting early on post-quantum security is not just a technical upgrade, but a strategic imperative to protect revenues, reputation and long-term growth.
BABURAJAN KIZHAKEDATH