How Matter is a key step forward for cybersecurity

This story was originally published in my  Oct. 14 weekly IoT newsletter.

One of my favorite things about the Matter home interoperability protocol is that even if it doesn’t make it easy to manage my crazy complex smart home right from the beginning — or ultimately, ever — it does mandate some basic security requirements for connected devices. This is a big deal!

While there are reports that on Tuesday the White House will finally release a cybersecurityfor consumer connected devices, and while UL has had a multilevel standards program for cybersecurity since 2019, this is one of the first industry-wide security mandates that could tangibly improve cybersecurity in the home — and even on corporate networks, where consumer-grade connected devices also exist.

The Matter certification was created by big names in the smart home industry such as Amazon, Apple, Google, and Samsung, to make the smart home more interoperable and reliable. Thus, Matter devices will work with one another and be able to communicate on the home’s local network using standard data models. The standard also requires those devices to be secure.

With the official launch of the Matter specification last week, the Connectivity Standards Alliance released a massive document that describes the spec and a software development kit that implements the specification on a device. Companies are still digging through the full spec, but on the security front, here’s what Matter devices need.

The Matter standard tries to solve two big security challenges. The first is tied to the device itself, in that it determines whether or not the device is running secure software that isn’t vulnerable to hacks. The second is focused on the network, whereby it ascertains if the device is a legitimate Matter device on the network or not. Think of your home network as a posh club and Matter as a security guard that’s trying to ensure only members make it inside, and that those members have already met a particular set of criteria that means they can be trusted.

To that end, all Matter devices have to use encryption (the spec lays out that manufacturers use AES encryption, and even specifies the exact math to do that encryption based on National Institute of Standards and Technology standards). The devices only need to encrypt data between one another, not between themselves and the cloud. And it doesn’t dictate how device data gets stored in the cloud, which is a bit of a disappointment.

It also requires that Matter devices be updatable over the air. This is another basic requirement for cybersecurity since new vulnerabilities, which require patching, are found all the time. However, the Matter spec doesn’t require that vendors patch their devices, which is also disappointing.

More promising is that Matter requires code-signing. Code-signing is when developers put a certificate or seal on their code indicating they have reviewed it and verified that it is authentic code. Signed code assures users that the code was created by a valid user and hasn’t been tampered with. If a device hops onto a network without having such a certificate, other Matter devices can recognize that it’s not legit and avoid it.

Matter also recommends a secure enclave on the chip itself, to store cryptographic keys and certificates as a function of the next layer of security: trust and identification. This is where the famed blockchain ledger comes into play. Remember the private club analogy? The prior examples of Matter security requirements were all about vetting members; a device maker has to meet those requirements before it can even become part of a Matter network.

The next chunk of security requirements dictates how to establish trust and identify members of the Matter club. Matter requires the use of public key encryption, or PKI, and certificates to establish trust and manage device identity.

It all starts with a trusted root authority. Currently there are two organizations that are authorized to act as a trusted root for Matter, DigiCert, and StrongKey. According to Mike Nelson, VP of IoT Security at DigiCert, the company has been working for eight months to build out this capability. In Matter parlance, this root issuer is called the Product Attestation Authority, or PAA.

The PAA issues certificate-granting authority to other companies. A company with certificate-granting authority is called the Product Attestation Intermediate, or PAI; its role is to issue certificates that Matter devices will use to prove to other Matter devices that they are Matter-certified when they join a network, and for later communication. Those certificates are known as Device Attestation Certificates, or DACs.

Companies can work with a PAA to issue their own certificates or with a standalone PAA to issue certificates on their behalf. In DigiCert’s case, it acts as the initial PAA, but can also issue DACs as a PAI. Companies such as Amazon and other large smart home device makers can also work with DigiCert to become PAIs in order to issue their own DACs. They could also become PAAs if they wanted to build out the infrastructure to become that trusted root.

All of the issued DACs get put in the blockchain ledger so devices can check to make sure they are Matter-certified and that they are made by the company that the device says made it. The ledger is the Club Matter membership roster while the certs prove that the device is actually the one that is supposed to be in the club.

As you can imagine, all of this costs money. DigiCert declined to sat how much it was charging for it’s certificates, but noted that it will be based on the volume of devices with more devices resulting in lower per-unit DAC costs.

Add to this the connectivity and engineering costs associated with updating a device over its lifetime plus adding secure enclaves to chips on the device (most manufacturers have been doing this for a while, but it’s still worth noting). But while Matter’s focus on security will add to a device’s bill of materials and eventual cost, paying for security is necessary. The alternative means we all pay for less secure devices.

Updated: This story was corrected to note that Matter does not require a secure enclave on devices, simply recommends it.