IoT home devices are getting a new standard, here’s why it “matters”
The IoT is getting a new standard which could put digital trust and interoperability into smart home devices. It’s called Matter, says Mike Nelson, VP of IoT security, DigiCert.
Matter describes its project as “an industry-unifying standard to deliver reliable, seamless and secure connectivity.” It was launched by The Connectivity Standards Alliance (CSA) in collaboration with big players in the smart home industry and aims to make IoT home devices and smart home platforms interoperable. However, Matter also addresses an equally pressing issue the security of the IoT.
This could be a real coup in the field of home IoT devices. As it stands, many are siloed between different vendors and can only work with other proprietary devices. Furthermore, IoT developers have to deal with a confusing jumble of proprietary standards that can frustrate the development process.
Matter means to change all that by providing a single Internet Protocol (IP) based standard that will allow smart bulbs, smart heating systems, smart locks, smart doorbells, smart digital assistants and more to function together seamlessly.
Matter is supposed to work for the end-user just as much as it does for the manufacturers who make these devices and the supply chains on which they run. The project will certify devices which have been built with the correct specifications and IP-based networking technologies to meet the Matter standard. In doing so, Matter may be able to embed a much-needed degree of digital trust to this field of smart home IoT devices.
Why it matters
The IoT has long maintained a poor reputation when it comes to security. This has been earned by a long series of cyberattacks and vulnerabilities caused directly or indirectly by the inherent insecurity of individual IoT devices and the lack of digital trust in their broader supply chain.
These problems are frustratingly common. Many IoT devices can’t update their firmware, while others use unchangeable passwords that can be easily guessed by attackers.
This can have a whole range of effects and outcomes product malfunctions, privacy breaches and even physical harm to humans. An insecure IoT device can act as a foothold for a larger attack into a home or enterprise network. Similarly, the year-on-year growth of DDoS attacks is largely down to the increasing availability of IoT devices as well as their reliably poor security.
The Mirai botnet is perhaps the best example of this. It managed to disable significant pieces of internet infrastructure and paralyse some of the most popular websites in the world with a horde of insecure home IoT devices. Its malware was simple. It scanned for IoT devices and when it found them it would simply guess their passwords out of a handful of commonly used ones. Once it guessed that password, it would enslave the device into the Mirai botnet and start scanning for other devices in the area. Then the whole process would repeat again. The fact that it could wreak so much damage and get so far is a ringing indictment of IoT security.
That attack surface is growing. New devices – both secure and insecure – are rolling out of factory gates, off store shelves and into consumer’s homes every day. IDC predicts that there will be 55.7 billion IoT devices globally by 2025. If we can’t trust those devices or their supply chains then we may be inviting catastrophe.
That’s why Matter is such a welcome intervention into the IoT. It raises the security standard for smart home devices and provides all compliant device with an immutable identity, proper authentication, data protection and update integrity.
The IoT supply chain
Many of these problems occur somewhere along IoT devices’ supply chain. Product manufacturers have – until a few years ago rarely had to deal with software. They’ve spent most of their time thinking about whether something works and whether it could be harmful to the physical health of the consumer. As a result, they’re not accustomed to accounting for security or software problems within those devices.
They might not know how important it is, for example, that a device can update its firmware. They won’t be thinking about broader security measures like device identities or Code Signing which would allow the software they put into their devices to be trusted.
These problems are all compounded by the incredible demand for IoT devices which could force manufacturers to complete development quickly rather than correctly. As a result, security becomes an afterthought, digital trust vanishes and ultimately, consumers suffer.
How matter secures IoT developers, manufacturers and users
That’s why any attempt at securing the IoT has to address digital trust along the entire supply chain. That’s exactly what Matter does by offering authoritative certification for every device which complies with its specifications.
It specifies a layered approach to security. In doing so, it ensures the privacy, integrity and availability of every transaction between systems and devices and crucially, secures Over The Air updates – a pernicious vector for IoT attackers. It also uses strong cryptographic protocols to ensure that all data is encrypted at rest and in transit.
It is also a crypto-agile standard. Matter’s specifications demand that all cryptographic primitives be abstracted so that devices can update and adopt new cryptographic primitives as and when they become necessary.
However, the most critical aspect of its security capabilities is its use of Public Key Infrastructures (PKI) to embed digital trust and interoperability between smart home devices. These allow manufacturers to give each device an identity and use digital certificates to verify them, thus ensuring that each IoT device adopted into a Matter Fabric is certified and safe to use.
All Matter certificated devices will have their own Device Attestation Certificate (DAC) which verifies the authenticity of the device. That DAC is signed by the by the issuing CA, a Protect Attestation Intermediate (PAI).
That DAC is installed into devices during the manufacturing process. When the devices are commissioned, those certificates are used to verify that the device is compliant with Matter. It is this process which embeds digital trust all into the device.
The state of IoT security can be a worrying thought, especially considering how fast the field is growing. Given the urgent need for better security in this rapidly growing category of devices Matter is a welcome arrival. It will provide greater functionality and protection for home users but perhaps even more importantly, will provide a way to secure these devices through their development. Matter devices are expected to arrive in stores by autumn 2022 and with any luck, it will become a seal of quality and digital trust for all consumers looking to buy secure home IoT devices.
The author is Mike Nelson, VP of IoT security, DigiCert.
Comment on this article below or via Twitter @IoTGN