Published: October 27, 2023
Author(s)
Kumar Shashwat (University of South Florida), Francis Hahn (University of South Florida), Xinming Ou (University of South Florida), Anoop Singhal (NIST)
Conference
Name: IEEE Cyber Physical Systems Security Workshop
Dates: 10/05/2023 - 10/05/2023
Location: Orlando, FL USA
Citation: 2023 IEEE Conference on Communications and Network Security (CNS), pp. 1-6
Matter is an open-source connectivity standard for the purpose of allowing smart home IoT devices from different vendors to interoperate with one another. A controller in a Matter system commissions new devices into the Matter fabric. The device needs to present a credential called a Device Attestation Certificate (DAC), indicating that it is from a trusted vendor and has gone through the necessary testing to be compliant with the Matter standard. However, the controller is not required to prove to the device that it is from a trustworthy vendor. We verified through experimentation that anyone can create a Matter controller that can commission a commercial Matter device. We analyze the security implications of this design choice in Matter, and present a few scenarios where a malicious controller can cause harm to an otherwise healthy Matter ecosystem.
Keywords
IOT Devices; Matter Protocol; controller