The Technology Review article is confusing, but I can try to summarize.
Quantum key distribution (QKD) promises security based on the laws of quantum physics, and not on computational assumptions. However, in practice, QKD experiments have been attacked through side channels. One possible side channel comes from a malicious manufacturer. Side-channel attacks also affect classical cryptography, of course, but might be more important for QKD because:
1. Quantum devices are harder to build and test, and less understood, than classical devices, so side-channel attacks might be easier, at least for now.
2. The goal of QKD has always been to reach higher security than is possible classically.
"Device-independent" (DI) QKD solves this problem. DIQKD allows for extracting a secure key even if the crypto devices are manufactured by your enemy. This should be hard to believe; it is completely impossible classically. It is very cool that it is (probably) possible quantumly.
I say "probably" because full DIQKD security proofs do not yet exist; giving a full proof is a major open problem in the field. From the perspective of people in the field, the next step in the DIQKD roadmap would be to deploy a DIQKD experiment. Although standard QKD schemes are even commercially available these days, deploying a DIQKD scheme is another major open problem because the schemes proposed currently are far too inefficient to be practical and require noise rates below current photon detector technology.
The new paper says that we should reconsider this roadmap. Even if we are able to give a DIQKD security proof, there is still a problem, because when you reuse untrusted devices they can leak previously generated keys. I don't have a lot of time to explain this and don't know that it is an especially novel observation. It can probably be worked around with more sophisticated key-generation methods. But that's essentially the current status.
Quantum key distribution (QKD) promises security based on the laws of quantum physics, and not on computational assumptions. However, in practice, QKD experiments have been attacked through side channels. One possible side channel comes from a malicious manufacturer. Side-channel attacks also affect classical cryptography, of course, but might be more important for QKD because:
1. Quantum devices are harder to build and test, and less understood, than classical devices, so side-channel attacks might be easier, at least for now.
2. The goal of QKD has always been to reach higher security than is possible classically.
"Device-independent" (DI) QKD solves this problem. DIQKD allows for extracting a secure key even if the crypto devices are manufactured by your enemy. This should be hard to believe; it is completely impossible classically. It is very cool that it is (probably) possible quantumly.
I say "probably" because full DIQKD security proofs do not yet exist; giving a full proof is a major open problem in the field. From the perspective of people in the field, the next step in the DIQKD roadmap would be to deploy a DIQKD experiment. Although standard QKD schemes are even commercially available these days, deploying a DIQKD scheme is another major open problem because the schemes proposed currently are far too inefficient to be practical and require noise rates below current photon detector technology.
The new paper says that we should reconsider this roadmap. Even if we are able to give a DIQKD security proof, there is still a problem, because when you reuse untrusted devices they can leak previously generated keys. I don't have a lot of time to explain this and don't know that it is an especially novel observation. It can probably be worked around with more sophisticated key-generation methods. But that's essentially the current status.