Matter, the New IoT Standard: A Look at the Future of Consumer IoT Device Interoperability & Security – Hashed Out by The SSL Store™

Editor’s Note: This is the first in a set of articles on Matter (or what’s also sometimes called the Matter IoT standard, Project Matter, Matter Protocol, and Matter Smart Home standard). Stay tuned in the coming weeks to learn more about the new industry standard that’s poised to revolutionize the IoT industry.
IoT home devices aim to make consumers’ lives easier — the whole point of having an Alexa or other “smart” devices is to simplify tasks and improve your life. But if a device doesn’t work with other devices in your home, is cumbersome to use or leaves your home network vulnerable to cyber attacks, it achieves the opposite — adding problems and security risks to your life.
That’s exactly why Google, Amazon, Apple, and other IoT giants have created the Matter protocol. This new universal standard is designed to make it easier to connect and set up IoT devices, while also ensuring that every device is properly secured against potential attacks. It’s a standard that’s going to start with IoT smart devices for the home and it’s expected to launch this fall (just in time for Matter-certified devices to hit the shelves for the 2022 holiday season).
But what exactly is Project Matter? Let’s take a deeper look at the Matter IoT standard and why we think it will revolutionize the connected device industry.
Let’s hash it out.
Matter (sometimes called the Matter Protocol or other similar names) is a new standard for the IoT industry that’s designed to make IoT devices:
Matter was created by the Connectivity Standards Alliance (CSA), the group behind the industry’s existing Zigbee standard — which is the standard for low-cost, low-power wireless network technology for IoT devices.
For our readers who are familiar with the TLS/SSL industry, you can think of CSA as the IoT industry’s version of the CA/Browser Forum. (The CA/B Forum is the collaborative governing body for standards relating to public key infrastructure [PKI] and website security. It’s made up of certificate authorities and browsers).
Formerly known as Project Connected Home Over IP (CHIP), Matter is an IP-based, open-source IoT security standard that aims to help manufacturers create secure and reliable smart home devices that are universally interoperable with customer ecosystems. Phew, that’s a mouthful, but what this means is that you can easily connect Matter-compatible devices to each other, even if they’re made by different manufacturers.
For example, your smart home controller, smartphone, smart thermostat and lighting systems could all be connected together, even if they were all different brands. (Just like how you can connect any Bluetooth compatible devices to your computer, phone, or even your car no matter where you buy the Bluetooth-enabled devices from.)
Matter, as an application layer protocol, is all about enabling devices and systems to communicate. It’s a standard that’s founded on several key security, usability, and compatibility considerations:
As of the time this article was written, the CSA website says that Matter is made up of more than 500 major players around the world, including 28 promoters, 269 participants, and 220 adopters, including:
All in all, CSA reports having more than 3,000 member representatives globally from all facets of the supply chain that are involved in the Matter IoT standard. That’s a whole lot of collaboration between organizations globally and speaks volumes to the importance of Matter as a new industry standard.
There are a lot of great ideas out there that never quite get enough momentum to “take off” like they deserve to. Clearly, that is not the case with Matter, which already has the industry backing and momentum for takeoff — for example, with Google, Apple, and Amazon on board, it means that 99% of smart home speakers will be part of the Matter initiative.
It’s no secret that the consumer IoT market is booming. Data from ResearchAndMarkets.com shows that the market’s estimated value in 2022 is $95.06 billion. The industry is anticipated to enjoy a 17.45% compound annual growth rate (CAGR) that will help it reach an estimated $212.45 billion by 2027.
IDC predicts that more than 55.7 billion IoT devices will connect to the internet globally by 2025. I mean, we’re talking about massive quantities of data being generated daily — all of which need to be secured. And if all devices and systems are doing their own thing, not adhering to the same standards and processes, then you’re bound to run into issues where that data is less than secure. It only takes one insecure device in a home and a hacker could take over the entire network. This is where designing your products to meet specific industry-wide standards can be a gamechanger.
Another grave concern is the threat of counterfeit or fraudulent devices being sold as legitimate. We’ve already seen examples of counterfeits in the medical industry. Counterfeit IoT devices come with a litany of risks:
A report by Which? (conducted in collaboration with the Global Cyber Alliance [GCA] and NCC Group) shows that smart home devices are targeted on a massive scale — a test they ran using a fake smart home received 12,000 hacking attempts in one week, including 2,435 attempts to log in using weak default username-password combinations (that’s basically 14 attempts per hour using weak login credentials, or approximately one attempt every four minutes). Which? also estimates that 97% of IoT-targeting attacks are done with the goal of adding the devices to the Mirai botnet, which can then be used to carry out attacks on organizations globally.
A universal protocol like Matter is an open-source alternative to traditional proprietary systems that helps make companies more transparent and accountable. You see, traditional IoT devices are largely egocentric by design; they often:
Think of various electronic devices you’ve owned over the years that had proprietary charging cables that fit only those devices and nothing else. Not only were they cumbersome because you have to have that exact cable readily available when needed, but you also couldn’t just pop over to the store to buy a new one when you lost or broke the original. This isn’t convenient, nor does it promote the good user experience that’s central to smart devices. 
Using these insulated devices as an average user is like traveling to another country where you don’t speak the language and don’t have a translation book or app with you. You’re going to run into a lot of issues and may not be able to accomplish what you want or need to do because of communication issues. The Matter protocol in this scenario would be kind of like having the Star Trek universal translator in the sense that you’d be able to communicate with everyone, everywhere. (And by “you,” we mean your IoT devices would be able to communicate with other devices and cloud applications.)
By creating devices that meet universal standards, you can avoid these pitfalls and focus more on innovation and accessibility. This means you can focus on what matters most: creating solutions that meet your customers’ needs. You’ll also better meet the needs and desires of your customers — creating devices that “just work” and connect with other manufacturers’ devices straight out of the box, without any complications or unnecessary extra steps.
Wondering what the advantage of making your devices Matter IoT Standard compliant is for you as a manufacturer? The answer will vary a bit depending on whom you ask and the type of IoT project you’re working on. But in general, using the Matter protocol helps you:
Simply put, there’s definitely something to be said for universal standardization. By adopting a universal IoT standard like Matter, you’ll eliminate many of the interoperability issues by creating a system that communicates easily with others.
The Matter IoT Standard aims to make it so that you can enable local connectivity for your devices without having to build multiple versions or connectors to work with different consumer ecosystems (and without having to rely on cloud services or third-party apps). It’s all about creating universality by making smart devices application- and system-agnostic. This way, all devices can connect regardless of which manufacturer created them.
If you’re looking for another reason why you want to make your products Matter certified, then consider this from the same PSA Certified report: 70% of survey respondents recognize the value of security credentials on products. This is why having one industry-leading standard that all manufacturers adhere to would benefit users and IoT manufacturers alike.
One of the big takeaways for IoT developers is that Matter uses public key cryptography as the foundation of its security. Matter certified devices must have a way to securely prove the identity of the device and its manufacturer. This involves the use of new special PKI digital certificates called device attestation certificates (DACs) and their corresponding attestation keypairs. (Yes, we can help you get Matter PKI certificates for your devices.)
Essentially, Matter-certified IoT devices will use X.509 certificates to assert your organization’s digital identity and use that to make secure node-to-node (i.e., device to device) and device-to-cloud communications a reality. Not sure what X.509 certificates are? Some common examples of X.509 certificates include SSL/TLS certificates, code signing certificates, and email signing certificates.
Much like SSL/TLS certificates, Matter IoT device certificates are typically issued by a trusted third-party certificate authority (CA). In this case, DigiCert is the only CA that has announced the ability to issue these certificates. (An IoT manufacturer could create their own root CA and submit it to Matter, but that would require significantly more time, energy, and expense, as well as ongoing audit and management requirements.)
But what does the PKI architecture look like for Matter? The hierarchy for this approach to IoT digital trust looks similar to the chain of trust for traditional PKI architecture (such as for SSL/TLS certificates), which you’ll see momentarily.  
The hierarchy for this approach to digital trust looks a little different:
According to the CSA website, there’s one cryptographic suite that Matter uses:
“AES in CCM mode is used for confidentiality and integrity with 128 bit keys. AES in CTR mode is used for protecting identifiers to preserve privacy. SHA-256 is used for integrity and ECC with the “secp256r1” curve for digital signatures and key exchanges, standard key derivation schemes and truly random number generators.”
AES, or the Advanced Encryption Standard, is a symmetric encryption algorithm (i.e., bulk encryption cipher) that uses a single key to encrypt and decrypt data. The two modes mentioned — counter with CBC-MAC (CCM) and counter mode (CTR) — refer to modes of operation, meaning the way that data gets processed. CCM is actually a combination of CTR mode and the cipher block chaining-message authentication code. (We’re not going to dive into this stuff today — check out the links embedded in this paragraph to learn more about AES and the two operational modes.)
Okay, that last paragraph may leave you feeling a little unclear about what all of that means. Basically, the gist of it is that the cipher suite used is highly tested and considered secure.
SHA, which stands for the secure hash algorithm, is a way to ensure data integrity. This is useful in a variety of processes, including:
But what about key generation? Matter also specifies that elliptic curve cryptography (ECC) should be used for public key generation purposes. Furthermore, it specifies that the elliptic curve digital signature algorithm (ECDSA) should be used for creating and verifying digital signatures.
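To make the attestation idea concrete, here is a sketch in Go's standard library of a device proving possession of its DAC key: the checking side validates the DAC against a trusted root and verifies an ECDSA (secp256r1, SHA-256) signature over a nonce it chose. This is an added example, not code from the original article or from the Matter SDK. The three-level chain, the certificate names and the bare-nonce challenge are constructed assumptions and do not reproduce Matter's actual message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a P-256 (secp256r1) key and a certificate for it, signed by parent (nil = self-signed root).
func issue(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// sign is the device side: ECDSA over SHA-256(nonce) with the attestation private key.
func sign(key *ecdsa.PrivateKey, nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return sig
}
// verify is the checking side: the DAC must chain to the trusted root and its key must have signed the nonce.
func verify(root, mid, dac *x509.Certificate, nonce, sig []byte) bool {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(mid)
	_, err := dac.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && dac.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) == nil
}
func main() {
	root, rk := issue("Constructed Root CA", true, nil, nil)
	mid, mk := issue("Constructed Intermediate CA", true, root, rk)
	dac, dk := issue("Constructed Device DAC", false, mid, mk)
	nonce := []byte("constructed-nonce") // a real verifier sends fresh random bytes
	fmt.Println("genuine device accepted:", verify(root, mid, dac, nonce, sign(dk, nonce)))
}
```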
Another facet of Matter security is the use of hardware-based attestation capabilities. For example, using secure boot enables you to ensure that a device will not start up if it or its firmware has been altered in any way. This involves the use of cryptographic modules (e.g., trusted platform modules, or TPMs) that must be installed on Matter-certified devices.
These modules are small chips that come installed in many modern devices. They’re responsible for providing assurances that your device or the firmware installed on it hasn’t had any unauthorized modifications or alterations. They’re isolated environments (i.e., separate from your device’s CPUs) that are used to handle the cryptographic operations that occur within the device as well as for storing certificates and keys.
Oh, geez. We don’t have enough time in the day to list all of the smart home devices that can use the Matter protocol — that’s just a rabbit hole we don’t need to go down. So, let’s just quickly cover a handful of Matter smart home device types that will be eligible to receive the certification:
Major manufacturers like Google and Amazon are going all-in on their Matter supporting efforts:
Furthermore, Google and Amazon are encouraging device developers to make their products Matter compliant so that they’re interoperable with their smart speakers.
Want the Matter smart home certification for your IoT products? Great! You’ll be happy to know that it’s a fairly straightforward process:
Of course, there are more specifics involved — how the certificates are issued and managed. We aren’t going to get into all of that here. That’s a topic for another time. Stay tuned for an article that will dive into all of that in the coming weeks. But what we can tell you is that DigiCert is the only certificate authority that can help you set up everything you need to issue IoT certificates for your devices.
We hope that this article has been enlightening. Our goal at Hashed Out is to help you stay abreast of industry changes and news. The Matter IoT standard stands to serve as a breath of fresh air in an industry that’s long been plagued with security issues.
Of course, it’s going to be interesting to see how all of this pans out over the next several months and years. From what I can tell, it’s being rolled out properly and enough big-name manufacturers are supporting its adoption, so this new protocol looks like a shoo-in for becoming a universal standard much like:
Of course, we here at Hashed Out can’t predict the future. But all signs are absolutely pointing towards Matter mattering by becoming as ubiquitous as Bluetooth and USB. Suffice it to say, we’re excited to watch this enlightened industry move pan out and quickly become the ubiquitous standard for IoT beyond smart home devices.
Stay tuned for another article here in the next few weeks that talks more about PKI’s role in Matter compliance in the form of digital certificates and certificate lifecycle management.   
Casey Crane is a regular contributor to (and managing editor of) Hashed Out with 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.
© 2022 The SSL Store™. A Subsidiary of DigiCert, Inc. All Rights Reserved.