Security Now 1018: The Quantum Threat
Episode Overview
Security Now Episode 1018, titled "The Quantum Threat," aired on March 26, 2025. Hosted by Leo Laporte and featuring Steve Gibson, the episode delves into significant cybersecurity issues ranging from longstanding software vulnerabilities and remote server takeovers to the imminent threats posed by quantum computing to current cryptographic systems. The discussion is enriched with real-world examples, expert insights, and listener feedback, making it an essential listen for anyone invested in the future of digital security.
1. Microsoft’s Unpatched Vulnerability Exploited by APT Groups
Key Discussion Points: Steve Gibson highlighted a critical bug in Microsoft’s software that has remained unpatched for years. This vulnerability has been exploited by 11 Advanced Persistent Threat (APT) groups, making it a significant concern for cybersecurity professionals.
Notable Quotes:
- Steve Gibson [03:20]: "It's like a head shaker that in 2024, let alone still today in 2025, Leo, Windows LNK link files are still being exploited."
- Leo Laporte [04:04]: "Do they call that, by the way, asrock?"
Insights: The vulnerability allows for a simple remote takeover of Apache Tomcat servers, emphasizing the importance of timely patches. Despite awareness, Microsoft’s reluctance to address the issue has left systems exposed, underlining the challenges in managing software vulnerabilities within large corporations.
2. Exploitation of Apache Tomcat Servers
Key Discussion Points: A severe Remote Code Execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2025-24813, is actively being exploited. Wallarm, a security firm, reported that this flaw allows attackers to take over servers with just one PUT API request.
Notable Quotes:
- Steve Gibson [44:51]: "Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers."
- Leo Laporte [38:32]: "I think we should talk about what has gotten better since."
Insights: The simplicity of the exploit—requiring only two simple commands—makes it exceptionally dangerous. With nearly 19,000 installations worldwide, organizations using Apache Tomcat must urgently apply patches to prevent potential breaches. The rapid exploitation underscores the necessity for proactive security measures and robust incident response strategies.
3. Espressif’s Response to ESP32 Backdoor Claims
Key Discussion Points: Concerns arose about a potential backdoor in the ESP32, the most popular IoT processor produced by Chinese company Espressif. Espressif responded by clarifying that the so-called backdoor consists of internal debug commands essential for testing and not accessible remotely.
Notable Quotes:
- Steve Gibson [33:47]: "We know, we know them by name, but because what they're doing..."
- Leo Laporte [06:24]: "Yep, I have the picture here I am ready to scroll up at your command."
Insights: Espressif’s clarification addresses misinformation, highlighting the importance of understanding the technical details before labeling features as vulnerabilities. The company committed to removing the undocumented commands, reinforcing its dedication to security and transparency.
4. Signal Breach Involving the Department of Defense
Key Discussion Points: A significant breach occurred when Department of Defense officials inadvertently included a journalist in a multi-way Signal conversation detailing war plans. Steve Gibson critiqued the use of Signal for national security communications, emphasizing that while Signal offers robust encryption, the insecurity lies in the devices themselves.
Notable Quotes:
- Steve Gibson [10:10]: "Espressif also extends its gratitude to the security research community..."
- Steve Gibson [14:28]: "They don't want to upset a long time big customer with a hardware upgrade, whatever."
Insights: The breach underscores the limitations of encrypted messaging apps when used on potentially compromised devices. It highlights the need for secure communication protocols beyond app-level encryption, advocating for stricter device security measures and controlled environments for sensitive communications.
5. The Imminent Quantum Threat to Cryptography
Key Discussion Points: The core of the episode revolves around the quantum threat to current cryptographic systems. Steve Gibson and Leo Laporte discuss how advancements in quantum computing could render existing encryption methods obsolete, posing a catastrophic risk to digital infrastructure.
Notable Quotes:
- Steve Gibson [120:04]: "Security is only as strong as the weakest link."
- Steve Gibson [140:59]: "Quantum attackers can compromise devices even if the software running on the hardware is quantum resistant."
Insights: Quantum computers capable of breaking asymmetric cryptography could undermine everything from secure communications to financial transactions. The necessity for migrating to quantum-resistant cryptographic algorithms is urgent, as highlighted by efforts from organizations like NIST and governmental bodies worldwide. HP’s proactive measures in implementing quantum-resistant firmware in PCs and printers exemplify steps being taken to mitigate this looming threat.
6. RCS (Rich Communication Services) Now with End-to-End Encryption
Key Discussion Points: The episode covers the integration of end-to-end encryption (E2EE) in Rich Communication Services (RCS), a significant leap for secure messaging. GSMA’s Technical Director, Tom Van Pelt, announced the inclusion of the Messaging Layer Security (MLS) protocol, ensuring confidentiality and interoperability across different platforms, including Apple’s iOS.
Notable Quotes:
- Leo Laporte [61:16]: "Hallelujah."
- Steve Gibson [66:43]: "It's good as it gets. It's good enough for the Department of Defense."
Insights: The addition of E2EE in RCS addresses previous security shortcomings, enhancing privacy for users across Android and iOS. However, concerns remain about data backups and device security, as decrypted data can be vulnerable if devices are compromised. The move signifies a positive step towards unified, secure messaging standards but also calls for continuous vigilance regarding device-level security.
7. TikTok’s US Ownership Negotiations
Key Discussion Points: Oracle is in advanced talks to acquire TikTok's US operations amidst national security concerns. Politico reported that the deal would require Oracle to oversee American user data, ensuring it remains inaccessible to the Chinese government. However, skepticism persists about the feasibility of completely severing ByteDance’s control.
Notable Quotes:
- Steve Gibson [86:47]: "And I think to ask you today, they probably think they need them more than they did yesterday."
- Leo Laporte [85:29]: "But even if it does, they don't need it to."
Insights: The potential acquisition by Oracle aims to mitigate security risks associated with Chinese ownership. However, critics argue that ByteDance’s ongoing influence might still pose vulnerabilities. The negotiation underscores the complexities of securing multinational digital platforms against geopolitical tensions, balancing data security with operational autonomy.
8. 23andMe Files for Bankruptcy and User Data Deletion
Key Discussion Points: 23andMe, a pioneer in personal genomics, filed for Chapter 11 bankruptcy. Steve Gibson advised users to delete their genetic data from 23andMe’s databases to prevent potential misuse of their genetic information in acquisition deals.
Notable Quotes:
- Steve Gibson [93:01]: "But, you know, I've got some long."
- Leo Laporte [94:12]: "A complete set of security now F episodes so they can learn what it was like."
Insights: The financial troubles of 23andMe raise concerns about the security and future accessibility of users’ genetic data. Gibson’s proactive approach in deleting his data reflects the importance of data ownership and privacy, especially when companies face instability. Users are encouraged to take control of their genetic information to safeguard against potential breaches or unauthorized access during corporate restructurings.
9. White House Urges Federal Agencies to Preserve Cybersecurity Workforce
Key Discussion Points: Amid budget cuts and planned layoffs, the White House instructed federal agencies to refrain from terminating cybersecurity staff. This directive recognizes the critical role cybersecurity professionals play in national security and the protection of federal infrastructure.
Notable Quotes:
- Steve Gibson [94:33]: "And I think to ask you today, they probably think they need them more than they did yesterday."
- Leo Laporte [94:41]: "We can't figure out if we need them or not."
Insights: The decision to preserve cybersecurity positions within federal agencies highlights the heightened awareness of cyber threats and the indispensable nature of these roles. It serves as a reminder of the ongoing battle against cyber adversaries and the necessity of maintaining a robust cybersecurity workforce to defend national interests.
10. AI Project Failures on the Rise
Key Discussion Points: A report from S&P Global Market Intelligence indicated a significant increase in AI project failures, with 42% of businesses scrapping most of their AI initiatives in 2025, up from 17% in the previous year. The primary obstacles cited include cost, data privacy, and security risks.
Notable Quotes:
- Steve Gibson [116:51]: "What does that mean?"
- Leo Laporte [121:35]: "I have."
Insights: The surge in AI project failures suggests that the rapid integration of AI technologies may be outpacing organizations’ capacities to implement them effectively and securely. This trend calls for more strategic planning, better resource allocation, and a deeper understanding of AI’s potential risks and benefits to ensure successful adoption and utilization.
11. Listener Feedback and Recommendations
Key Discussion Points: Listeners shared positive experiences with SpinRite, praising its effectiveness in maintaining and recovering storage devices. Additionally, a question about synchronizing bookmarks across browsers led to a recommendation for the open-source extension xBrowserSync.
Notable Quotes:
- Steve Gibson [107:08]: "So this is somebody you know on that side."
- Leo Laporte [121:40]: "On your phone."
Insights: Engaging listener feedback not only validates the practical advice given by the hosts but also fosters a sense of community among the audience. Recommendations for tools like SpinRite and xBrowserSync provide actionable solutions for listeners to enhance their personal cybersecurity practices.
Conclusion: Preparing for the Quantum Leap
The episode culminates with an in-depth discussion on the quantum threat, emphasizing the urgent need for transitioning to quantum-resistant cryptography. HP’s research underscores the timeline within which quantum computing could disrupt current security protocols, advocating for immediate action to safeguard digital infrastructure. Gibson and Laporte stress the importance of prioritizing critical systems for migration and the collaborative effort required across industries to mitigate the impending risks.
Final Notable Quotes:
- Steve Gibson [153:26]: "We have to stay here. You all, you know, you're here so that we can cover this stuff."
- Leo Laporte [166:34]: "I'm really glad you brought this in and shared it with the class because it's, it's clearly an oncoming train."
Takeaway: As quantum computing advances, the imperative to adopt quantum-resistant measures becomes ever more critical. Organizations and individuals alike must remain vigilant, proactive, and collaborative to ensure the resilience of our digital future against the transformative capabilities of quantum technologies.
For More Information:
For a comprehensive understanding and further details, listeners are encouraged to visit GRC.com and explore the full article by HP on "Protecting Cryptography Against Quantum" available in the show notes.