Matter, the New IoT Standard: A Look at the Future of Consumer IoT Device Interoperability & Security

90% of consumers aren’t confident about the security of their IoT devices. Frankly, who can blame them? IoT devices have a long history of exploitable weaknesses and security issues. Matter, a new industry standard backed by Amazon, Google, and other industry titans, aims to change that once and for all.

Editor’s Note: This is the first in a set of articles on Matter (or what’s also sometimes called the Matter IoT standard, Project Matter, Matter Protocol, and Matter Smart Home standard). Stay tuned in the coming weeks to learn more about the new industry standard that’s poised to revolutionize the IoT industry.

IoT home devices aim to make consumers’ lives easier — the whole point of having an Alexa or other “smart” devices is to simplify tasks and improve your life. But if a device doesn’t work with other devices in your home, is cumbersome to use or leaves your home network vulnerable to cyber attacks, it achieves the opposite — adding problems and security risks to your life.

That’s exactly why Google, Amazon, Apple, and other IoT giants have created the Matter protocol. This new universal standard is designed to make it easier to connect and set up IoT devices, while also ensuring that every device is properly secured against potential attacks. It’s a standard that’s going to start with IoT smart devices for the home and it’s expected to launch this fall (just in time for Matter-certified devices to hit the shelves for the 2022 holiday season).

But what exactly is Project Matter? Let’s take a deeper look at the Matter IoT standard and why we think it will revolutionize the connected device industry.

Let’s hash it out.

What Is the Matter IoT Standard? A Look at the New Matter Protocol

Matter (sometimes called the Matter Protocol or other similar names) is a new standard for the IoT industry that’s designed to make IoT devices:

  • Easier to connect to each other regardless of who the device manufacturer is and what controller is being used.
  • More secure against cyber attacks.

Matter was created by the Connectivity Standards Alliance (CSA), the group behind the industry’s existing Zigbee standard — which is the standard for low-cost, low-power wireless network technology for IoT devices.

For our readers who are familiar with the TLS/SSL industry, you can think of CSA as the IoT industry’s version of the CA/Browser Forum. (The CA/B Forum is the collaborative governing body for standards relating to public key infrastructure [PKI] and website security. It’s made up of certificate authorities and browsers).

Formerly known as Project Connected Home Over IP (CHIP), Matter is an IP-based, open-source IoT security standard that aims to help manufacturers create secure and reliable smart home devices that are universally interoperable with customer ecosystems. Phew, that’s a mouthful, but what this means is that you can easily connect Matter-compatible devices to each other, even if they’re made by different manufacturers.

For example, your smart home controller, smartphone, smart thermostat and lighting systems could all be connected together, even if they were all different brands. (Just like how you can connect any Bluetooth compatible devices to your computer, phone, or even your car no matter where you buy the Bluetooth-enabled devices from.)

Matter, as an application layer protocol, is all about enabling devices and systems to communicate. It’s a standard that’s founded on several key security, usability, and compatibility considerations:

  • Making devices more secure and resilient without sacrificing usability. The idea here is that by creating a standard, manufacturers will be better equipped to ensure that they cross their T’s and dot their I’s when it comes to security. This includes providing a way to ensure secure boot and device software updates (you know, since updates have been an ongoing issue with IoT devices for years…). But just because you make something more secure doesn’t mean you have to make it more cumbersome to use…
  • Ensuring devices are easy for consumers to use right off the bat. Customers buy smart devices for the convenience they afford. If your setup or operational processes are cumbersome or unintuitive, or if they aren’t compatible or don’t communicate with other manufacturers’ devices, then it’s going to create a lousy experience for users. And security has to work by default — most users won’t take extra steps to secure their devices.

Who Is Involved in Matter?

As of the time this article was written, the CSA website says that Matter is made up of more than 500 major players around the world, including 28 promoters, 269 participants, and 220 adopters, including:

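Promoters            | Participants | Adopters
---------------------+--------------+---------------------------------
Amazon               | Arris        | Accenture Global Solutions, Ltd.
Apple                | Belkin       | Cisco
Google               | DigiCert     | D-Link Corporation
Ikea                 | Mastercard   | Philips DA
Samsung SmartThings  | T-Mobile     | Vodafone Group Services GmbH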

All in all, CSA reports having more than 3,000 member representatives globally from all facets of the supply chain that are involved in the Matter IoT standard. That’s a whole lot of collaboration between organizations globally and speaks volumes to the importance of Matter as a new industry standard.

There are a lot of great ideas out there that never quite get enough momentum to “take off” like they deserve to. Clearly, that is not the case with Matter, which already has the industry backing and momentum for takeoff — for example, with Google, Apple, and Amazon on board, it means that 99% of smart home speakers will be part of the Matter initiative.

Why the IoT Industry Needs a Universal Standard

It’s no secret that the consumer IoT market is booming. Data from ResearchAndMarket.com shows that the market’s estimated value in 2022 is $95.06 billion. The industry is anticipated to enjoy a 17.45% compound annual growth rate (CAGR) that will help it reach an estimated $212.45 billion by 2027.

IDC predicts that more than 55.7 billion IoT devices will connect to the internet globally by 2025. I mean, we’re talking about massive quantities of data being generated daily — all of which need to be secured. And if all devices and systems are doing their own thing, not adhering to the same standards and processes, then you’re bound to run into issues where that data is less than secure. It only takes one insecure device in a home and a hacker could take over the entire network. This is where designing your products to meet specific industry-wide standards can be a gamechanger.

Another grave concern is the threat of counterfeit or fraudulent devices being sold as legitimate. We’ve already seen examples of counterfeits in the medical industry. Counterfeit IoT devices come with a litany of risks:

  • Invalid software licenses,
  • Fraudulent or malicious software,
  • Poor security, and
  • No updates, patches and little to no support from manufacturers.

A report by Which? (conducted in collaboration with the Global Cyber Alliance [GCA] and NCC Group) shows that smart home devices are targeted on a massive scale — a test they ran using a fake smart home received 12,000 hacking attempts in one week, including 2,435 attempts to log in using weak default username-password combinations (that’s basically 14 attempts per hour using weak login credentials, or approximately one attempt every four minutes). Which? also estimates that 97% of IoT-targeting attacks are done with the goal of adding the devices to the Mirai botnet, which can then be used to carry out attacks on organizations globally.

Matter Aims to Make Stronger Security by Eliminating Smart Home Device Shortcomings

A universal protocol like Matter is an open-source alternative to traditional proprietary systems that helps make companies more transparent and accountable. You see, traditional IoT devices are largely egocentric by design; they often:

  • Use their own specific languages, software, or hardware,
  • Don’t tell you much about what they are (or aren’t) doing for security,
  • Require specific (and potentially rigorous) setup activities, and
  • Don’t “play well with others” — i.e., lack interoperability with other systems, devices, and platforms.

Think of various electronic devices you’ve owned over the years that had proprietary charging cables that fit only those devices and nothing else. Not only were they cumbersome because you have to have that exact cable readily available when needed, but you also couldn’t just pop over to the store to buy a new one when you lost or broke the original. This isn’t convenient, nor does it promote the good user experience that’s central to smart devices. 

Using these insulated devices as an average user is like traveling to another country where you don’t speak the language and don’t have a translation book or app with you. You’re going to run into a lot of issues and may not be able to accomplish what you want or need to do because of communication issues. The Matter protocol in this scenario would be kind of like having the Star Trek universal translator in the sense that you’d be able to communicate with everyone, everywhere. (And by “you,” we mean your IoT devices would be able to communicate with other devices and cloud applications.)

Customers Want Things to Be Easier — Standardization Helps You Achieve That

By creating devices that meet universal standards, you can avoid these pitfalls and focus more on innovation and accessibility. This means you can focus on what matters most: creating solutions that meet your customers’ needs. You’ll also better meet the needs and desires of your customers — creating devices that “just work” and connect with other manufacturers’ devices straight out of the box, without any complications or unnecessary extra steps.

Why Device Manufacturers Should Get the Matter Certification for Their Devices

Wondering what the advantage of making your devices Matter IoT Standard compliant is for you as a manufacturer? The answer will vary a bit depending on whom you ask and the type of IoT project you’re working on. But in general, using the Matter protocol helps you:

  • Increase the interoperability of your device. Due to the adoption of universal standards, your device will be compatible with major consumer ecosystems regardless of their manufacturers and device types.
  • Simplify setup and related processes for customers. Users don’t want to deal with complicated or cumbersome processes. They want to take your device out of the box and have it ready to go with the least amount of effort possible.
  • Improve your brand reputation with consumers. By enabling your devices to work right off the bat, you’ll make things easier for users who want to include your device in their smart homes. So even if your customers don’t realize that your device is Matter compliant, they’ll remember that it only took them 30 seconds to set up and connect with their other devices.
  • Save time and money on development. Building on the previous talking point, being Matter compliant means you can cut costs. How? By not having to spend all of the extra time and money developing systems that are compatible with individual consumer systems. Building with universal standards in mind streamlines your processes and eliminates issues within the development lifecycle.
  • Shift your focus to innovation and creative problem solving. If you no longer have to focus as much on compatibility-related concerns, it frees you (or your team) up to focus on exercising your creative muscles.
  • Gain greater reliability via open-source capabilities. The idea here is that because more eyes will be on it, people are more likely to discover and quickly address security-related issues. Of course, there is the drawback of bad guys finding vulnerabilities to exploit. But that can happen regardless of whether something is open source.
  • Improve your bottom line. Data from a 2022 study by PSA Certified shows that 96% of manufacturer survey respondents indicate that they believe products equipped with security positively affect their revenue numbers.

Simply put, there’s definitely something to be said for universal standardization. By adopting a universal IoT standard like Matter, you’ll eliminate many of the interoperability issues by creating a system that communicates easily with others.

The Matter IoT Standard aims to make it so that you can enable local connectivity for your devices without having to build multiple versions or connectors to work with different consumer ecosystems (and without having to rely on cloud services or third-party apps). It’s all about creating universality by making smart devices application- and system-agnostic. This way, all devices can connect regardless of which manufacturer created them.

If you’re looking for another reason why you want to make your products Matter certified, then consider this from the same PSA Certified report: 70% of survey respondents recognize the value of security credentials on products. This is why having one industry-leading standard that all manufacturers adhere to would benefit users and IoT manufacturers alike.

Matter Relies on PKI to Improve Data Security and Privacy

One of the big takeaways for IoT developers is that Matter uses public key cryptography as the foundation of its security. Matter certified devices must have a way to securely prove the identity of the device and its manufacturer. This involves the use of new special PKI digital certificates called device attestation certificates (DACs) and their corresponding attestation keypairs. (Yes, we can help you get Matter PKI certificates for your devices.)

Essentially, Matter-certified IoT devices will use X.509 certificates to assert your organization’s digital identity and use that to make secure node-to-node (i.e., device to device) and device-to-cloud communications a reality. Not sure what X.509 certificates are? Some common examples of X.509 certificates include SSL/TLS certificates, code signing certificates, and email signing certificates.

Much like SSL/TLS certificates, Matter IoT device certificates are typically issued by a trusted third-party certificate authority (CA). In this case, DigiCert is the only CA that has announced the ability to issue these certificates. (An IoT manufacturer could create their own root CA and submit it to Matter, but that would require significantly more time, energy, and expense, as well as ongoing audit and management requirements.)

But what does the PKI architecture look like for Matter? The hierarchy for this approach to IoT digital trust looks similar to the chain of trust for traditional PKI architecture (such as for SSL/TLS certificates), which you’ll see momentarily.  

  • DigiCert issues a self-signed root certificate. This is used as the foundation of trust for all Matter IoT certificates.
  • Product attestation intermediate (PAI) CAs are issued from the root CA. This is the IoT digital trust equivalent of the intermediate CAs for SSL/TLS certificates. Unlike public SSL/TLS certs, you can’t get DACs issued from generic, DigiCert-owned ICAs. Each IoT manufacturer will have one (or more) PAIs that are dedicated to them.
  • Device certificates are issued by the PAIs. These are the certificates that are issued to your devices or other IoT software components.

The hierarchy for this approach to digital trust looks a little different:

[Image: A basic diagram that illustrates the Matter PKI chain of trust, which includes the product attestation authority (PAA) at the top, the product attestation intermediate (PAI) in the middle, and device attestation certificates (DACs) at the bottom.]
Image caption: A basic overview diagram that illustrates how the PKI architecture will look for the new Matter IoT standard. It’s similar to how a PKI architecture looks — from the root CA at the top (called a product attestation authority) to the intermediate CA (middle, called a product attestation intermediate CA) to the bottom device or website certificate (called a device attestation certificate).

A Quick Look at Matter’s Cryptographic Requirements

According to the CSA website, there’s one cryptographic suite that Matter uses:

“AES in CCM mode is used for confidentiality and integrity with 128 bit keys. AES in CTR mode is used for protecting identifiers to preserve privacy. SHA-256 is used for integrity and ECC with the “secp256r1” curve for digital signatures and key exchanges, standard key derivation schemes and truly random number generators.”

AES, or the Advanced Encryption Standard, is a symmetric encryption algorithm (i.e., bulk encryption cipher) that uses a single key to encrypt and decrypt data. The two modes mentioned — counter with CBC-MAC (CCM) and counter mode (CTR) — refer to modes of operation, meaning the way that data gets processed. CCM is actually a combination of CTR mode and the cipher block chaining-message authentication code. (We’re not going to dive into this stuff today — check out the links embedded in this paragraph to learn more about AES and the two operational modes.)

Okay, that last paragraph may leave you feeling a little unclear about what all of that means. Basically, the gist of it is that the cipher suite used is highly tested and considered secure.

SHA, which stands for the secure hash algorithm, is a way to ensure data integrity. This is useful in a variety of processes, including:

  • Creating and verifying digital signatures for attestation, and
  • Generating strong, secure cryptographic keypairs.

But what about key generation? Matter also specifies that elliptic curve cryptography (ECC) should be used for public key generation purposes. Furthermore, it specifies that the elliptic curve digital signature algorithm (ECDSA) should be used for creating and verifying digital signatures.

Matter Also Integrates Hardware-Based Integrity Attestation

Another facet of Matter security is the use of hardware-based attestation capabilities. For example, using secure boot enables you to ensure that a device will not start up if it or its firmware has been altered in any way. This involves the use of cryptographic modules (e.g., trusted platform modules, or TPMs) that must be installed on Matter-certified devices.

These modules are small chips that come installed in many modern devices. They’re responsible for providing assurances that your device or the firmware installed on it hasn’t had any unauthorized modifications or alterations. They’re isolated environments (i.e., separate from your device’s CPUs) that are used to handle the cryptographic operations that occur within the device as well as for storing certificates and keys.

What Types of Devices Can Be Matter IoT Compliant?

Oh, geez. We don’t have enough time in the day to list all of the smart home devices that can use the Matter protocol — that’s just a rabbit hole we don’t need to go down. So, let’s just quickly cover a handful of Matter smart home device types that will be eligible to receive the certification:

  • Smart HVAC systems and controllers
  • Smart monitoring systems, meters, alarms and sensors
  • Connected access controllers and devices
  • Network and IT systems
  • Lighting devices, controls and bulbs
  • Blinds and shades
  • IoT safety and security devices
  • Smart window coverings (i.e., shades and blinds)

Major manufacturers like Google and Amazon are going all-in on their Matter supporting efforts:

[Image: A screenshot of Google's Matter-related page for developers]
Image caption: A screenshot from Google’s Matter website.

[Image: A screenshot of Amazon's Matter-related page for Alexa developers]
Image caption: A screenshot of the Amazon website that encourages developers to adopt Matter.

Furthermore, Google and Amazon are encouraging device developers to make their products Matter compliant so that they’re interoperable with their smart speakers.

An Overview of How to Get Matter Certification for Your Product(s)

Want the Matter smart home certification for your IoT products? Great! You’ll be happy to know that it’s a fairly straightforward process:

  1. Develop a great, secure product. This one should be a no brainer, but you’d be surprised what passes for IoT device security today.
  2. Add the software and features for Matter support onto your device. Matter has a GitHub repository with code you can use.
  3. Become a member of the Connectivity Standards Alliance. There are four levels to choose from — Associate, Adopter, Participant, and Promoter — and each offers different benefits and has different membership fees.
  4. Undergo product testing by an authorized test provider. You’ll also need to pay for the application and testing fees (which vary by testing provider and product).
  5. Apply for your certification. This vital step is what enables your product to receive its certificate stamp of approval (and gives you the authority to use the Certified Product logo).
  6. Receive your 10-year certificate and slap a Matter Certified Product logo on that bad boy. Once you receive your certification, your product will be included in the CSA’s Certified Products database (which currently lists more than 4,000 Alliance certified products and compliant platforms). You’ll also get to show off by displaying the Certified Product label on your packaging that helps your device stand out.

Of course, there are more specifics involved — how the certificates are issued and managed. We aren’t going to get into all of that here. That’s a topic for another time. Stay tuned for an article that will dive into all of that in the coming weeks. But what we can tell you is that DigiCert is the only certificate authority that can help you set up everything you need to issue IoT certificates for your devices.

Final Thoughts on Project Matter and the New Matter IoT Standard

We hope that this article has been enlightening. Our goal at Hashed Out is to help you stay abreast of industry changes and news. The Matter IoT standard stands to serve as a breath of fresh air in an industry that’s long been plagued with security issues.

Of course, it’s going to be interesting to see how all of this pans out over the next several months and years. From what I can tell, it’s being rolled out properly and enough big-name manufacturers are supporting its adoption, so this new protocol looks like a shoo-in for becoming a universal standard much like:

  • Public key infrastructure
  • Wi-Fi
  • Bluetooth
  • Trusted platform modules (TPMs)

Of course, we here at Hashed Out can’t predict the future. But all signs are absolutely pointing towards Matter mattering by becoming as ubiquitous as Bluetooth and USB. Suffice to say, we’re excited about watching this enlightened industry move pan out and quickly become the ubiquitous standard for IoT beyond smart home devices.

Stay tuned for another article here in the next few weeks that talks more about PKI’s role in Matter compliance in the form of digital certificates and certificate lifecycle management.   

3 comments
  • Casey, thank you again for another really informative article. For those of us with a full home of IoT devices, will the manufacturers be able to roll out firmware updates to implement Matter on existing hardware, or are we looking at a hefty investment in newer versions of what we have? Michael

    • Hi, Michael!

      Thanks for reaching out! I’m glad you liked the article and found it informative. (If you can’t tell, we’re pretty stoked about what Matter is potentially capable of achieving.)

      To answer your question: Yes. We’ve heard of several manufacturers who are planning to roll out Matter support to their existing devices that are already in the field.

  • Thank you for the interesting article. Unfortunately I’m not convinced by Matter.

    “SHA-256 is used for integrity and ECC with the “secp256r1” curve for digital signatures and key exchanges, standard key derivation schemes and truly random number generators.”

    Why did they choose an ECC curve which is considered highly suspicious and even insecure by security experts? secp256r1 is identical to NIST P-256 which has been evaluated as unsafe and not secure by the researchers Daniel J. Bernstein and Tanja Lange. Have a look at https://safecurves.cr.yp.to/ for more information. They should have chosen instead Curve25519 which is a highly secure and proven curve.

    “Furthermore, it specifies that the elliptic curve digital signature algorithm (ECDSA) should be used for creating and verifying digital signatures.”

    Why did they choose ECDSA which is known for being nearly impossible to implement safely in regard to side channel attacks? They should have chosen instead EdDSA which is a much more secure and therefore better choice.

    It’s really sad to see that such unwise choices have been made for a new security standard for IoT devices. It could have been much better than that.


Author

Casey Crane

Casey Crane is a regular contributor to (and managing editor of) Hashed Out with 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.