Quantum Threats to Your Smart Home: What ‘Harvest Now, Decrypt Later’ Means for Homeowners

Google’s Willow quantum milestone has reignited real questions about the future of encryption. For homeowners and renters with smart locks, home cameras and cloud backups, the phrase "harvest now, decrypt later" is not just jargon — it describes a practical threat model that could expose years of private footage, access credentials and sensitive data once large quantum computers mature.

What "Harvest Now, Decrypt Later" Actually Means

In short, attackers can collect encrypted traffic and encrypted files today and store them. When a powerful enough quantum computer exists, some widely used cryptographic algorithms (notably common public-key systems like RSA and ECC) could be broken quickly using Shor’s algorithm. That means data that was once confidential becomes readable.

Willow's advances show quantum hardware is progressing faster than many expected. While a universally capable, fault-tolerant quantum computer that breaks RSA at scale remains a technical challenge, the pace of progress makes the harvest-now approach a realistic strategy for adversaries targeting high-value information.

Why Smart Homes Are a High-Value Target

Smart homes generate and transmit a continuous stream of sensitive data: door unlock logs, camera footage, audio clips, geolocation, and user credentials. Key reasons your home is attractive to attackers:

• Longevity: Devices are kept for years (often 5–10+ years), increasing the window for future decryption.
• Cloud dependence: Many devices rely on cloud services for authentication and backup, which often use public-key cryptography vulnerable to future quantum attacks.
• Central keys: Providers may hold encryption keys, so a breach or weak key exchange can expose many users.

Concrete Risks to Common Devices

Smart Locks

Smart locks typically use a combination of symmetric encryption for ongoing communications and public-key cryptography for provisioning, cloud authentication and OTA updates. If an attacker records the provisioning or key exchange today, they might later use quantum techniques to recover private keys and create valid signatures or authentication tokens — effectively allowing remote unlocking or cloning of access credentials.

Home Cameras and Doorbells

Cameras stream video over TLS and often store clips in cloud backups. If that stream or the backup encryption relies on RSA/ECC to establish session keys or to protect backups, recorded traffic could be harvested. In the future, decrypted footage could reveal when you’re home, who visited, or sensitive domestic scenes.

Cloud Backups and Account Recovery

Cloud backups of snapshots, logs and device configurations can be treasure troves. Many services encrypt backups at rest with keys managed by the provider; if those keys were derived or wrapped using vulnerable public-key algorithms, harvested data is at risk.

How Far Off Is the Threat?

There’s no single date when all encryption will suddenly fail. Practical breaking of widely used public-key systems requires large numbers of logical qubits and robust error correction. However, Willow and similar milestones show momentum. The realistic takeaway: high-value targets should assume harvest-now is possible and take steps to reduce long-term exposure.

Practical, Actionable Steps Homeowners and Renters Can Take Now

Here are prioritized, concrete actions you can implement this weekend to reduce your smart home’s exposure to harvest-now attacks.

1. Inventory devices and how they connect

   Make a list of all smart devices (locks, cameras, thermostats, smart TVs, hubs). For each, note whether it supports local-only operation, requires cloud accounts, and how updates are delivered. This helps determine which devices are most at risk.

2. Enable end-to-end encryption (E2EE) when available

   Prefer vendors that offer true E2EE where only you hold the keys. E2EE prevents providers from being able to decrypt your content even if they are compromised later. If your camera or lock supports ‹local› keys or device-managed keys, enable that mode.

3. Turn off unnecessary cloud backups or use customer-held keys

   If your cloud backup can be disabled or changed to client-side encryption (where you retain the keys), do that. Store recovery keys offline in a secure location (paper, hardware token). If you must use provider backup, use long passphrases and multi-factor authentication to guard the account.

4. Keep firmware and apps up to date — and check vendors’ PQ plans

   Regular updates patch current vulnerabilities. Additionally, look for vendor statements about post-quantum upgrades or NIST-aligned plans for encryption post-quantum. Vendors who publish security roadmaps are more likely to support future-proofing.

5. Use strong symmetric encryption and long keys where offered

   Symmetric algorithms (like AES) are more resilient to quantum attacks: Grover’s algorithm only halves their effective strength. Use AES-256 or equivalent where configurable. For VPNs and disk encryption, prefer 256-bit symmetric keys.

6. Segment your network

   Put IoT devices on a separate VLAN or guest Wi‑Fi. This prevents lateral movement if a device is compromised and limits the impact of harvested traffic within your local network.

7. Use hardware-backed authentication and MFA

   Enable multi-factor authentication on cloud accounts managing devices. Use hardware security keys (FIDO2) when possible; these reduce risk from credential theft and make harvested account data less useful.

8. Prefer local control and hubs for renters

   If you rent, you may have limits on modifying the property. Use a local smart hub (Home Assistant, dedicated bridge) or a secure local router that can keep device traffic on-premises, encrypt it locally and reduce reliance on the vendor cloud.

9. Rotate keys and credentials periodically

   Where possible, rotate keys and change passwords. That reduces the value of intercepted data if attackers cannot immediately decrypt it.

10. Monitor logs and network traffic

    Set up simple alerts for unusual device behaviour (failed auth attempts, off-hours access). Tools like router-level DNS filtering, local logging, or cloud alerts from vendors help identify suspicious activity early.

Buying and Upgrading: Questions to Ask Device Makers

When you buy a smart lock, camera or any new gadget, ask the vendor:

• Do you support end-to-end encryption and customer-held keys?
• Which cryptographic algorithms and key lengths are used for device provisioning and backups?
• Do you have a post-quantum migration plan aligned with NIST recommendations?
• How do you deliver and sign firmware updates?
• How long will devices receive security updates?

Vendors with clear, published answers are safer long-term choices for future-proofing devices.

What About Post-Quantum Encryption (PQC)?

NIST has selected candidate post-quantum algorithms and standards are emerging. Transition to PQC across the internet will take years — but it is happening. Homeowners should:

• Watch for vendor updates that mention NIST-approved PQC algorithms or hybrid schemes (classical + PQC)
• Prefer services that offer hybrid key exchanges now — these combine classical and PQC keys to protect against both present and future threats

Special Advice for Renters

Renters often can’t replace built-in systems or change wiring, but you still have options:

• Use portable, local-control devices (battery smart locks, local NVRs for cameras) that don’t rely on landlord systems.
• Run your own router or a secure travel router that creates VLANs and blocks direct cloud access for insecure devices.
• Use add-on encryption for backups — e.g., an encrypted USB drive for camera exports rather than cloud storage.

Final Practical Checklist (What to Do This Week)

1. List all smart devices and mark cloud-dependent ones.
2. Enable E2EE or client-side encryption where possible.
3. Disable unnecessary cloud backups or move to customer-keyed backups.
4. Update firmware and enable MFA on vendor accounts.
5. Segment IoT devices on a guest network.
6. Consider a local hub or secure router to keep traffic off vendor clouds.

Where to Go from Here

Quantum computing (illustrated by development systems like Willow) is accelerating conversation about long-term security. But for most homeowners the next step is pragmatic: reduce how much sensitive encrypted material you expose today, prefer vendors with clear PQC roadmaps, and adopt local-control practices where possible.

For help designing a secure smart home layout that minimises cloud exposure, see our guide How to Create a Smart Home Setup for Enhanced Security. If you’re troubleshooting device behaviour while tightening security, our device troubleshooting guide is a practical next step.

Quantum won’t break everything overnight. But the harvest-now, decrypt-later model means homeowners who act today — through inventory, encryption choices, network segmentation and vendor selection — will be far better protected as post-quantum realities arrive.