Trust is a fundamental part of the home. We trust our walls to stand up straight, our floors to hold solid, our ovens to work, our toilets to flush and our doors to keep intruders out. We don’t often consider the same standards for our home technology, says Mike Nelson, VP of IoT security, DigiCert. And yet we should, because they can pose a significant risk from directly inside our home.
Home IoT (Internet of Things) devices are proving immensely popular and yet often troublingly insecure. This can open the door to all manner of threats such as identity theft, covert surveillance or digital compromise.
This isn’t the fault of consumers they rarely have any idea about which devices are secure or which pose a personal threat to their digital security. Still, the IoT is an immensely popular field of technology. McKinsey estimates that 127 new devices are connected to the internet every second and IDC has predicted that there will be 55.7 billion IoT devices around the world by 2025.
That means that every day people are bringing digital risk into their homes and all but inviting online threats into one of the most sensitive places they will ever go. Furthermore, they have little means of making a considered choice about the level of digital risk they’re willing to accept. Without expertise in the area, there is currently no way of telling which IoT home device is secure and which isn’t.
That needs to change. Consumers need to be able to make their own decisions about the security of the IoT devices they bring into their own home.
That’s why a certification scheme makes so much sense. It would allow consumers to see which devices are certified to a secure standard and crucially, make security a competitive differentiator thus creating market incentives to make secure devices.
That is one of the key qualities that makes the new certification matter important.
What is matter?
Matter describes itself as an “industry-unifying standard to deliver reliable, seamless and secure connectivity.” Started by the Connectivity Standards Alliance (CSA), this communication protocol aims to make IoT home devices interoperable.
This has been a stubborn problem in the field of IoT home devices. Although these devices are flooding homes all around the world, there remain many cases in which an IoT device from one brand, cannot speak to or interoperate with an IoT device from another. This runs counter to the very notion of a smart home – in which the technology forms one cohesive infrastructure with which one can control the functions of that home such as playing music or controlling heat and lights.
Matter intends to provide a single Internet Protocol based standard which will allow IoT devices to break down those barriers and enable smart home users to use IoT home devices together. However those headlined intentions obscure an equally significant part of Matter: Security.
IoT devices are famously insecure. Many arrive on store shelves with a series of profound vulnerabilities embedded in them at the point of manufacture. These can include hardcoded passwords, lacking proper authentication, inabilities to update and no encryption for the data that the devices interact with.
As a result, they’re easy prey for cybercriminals who will rope them into DDoS botnets, hijack their compute power for cryptocurrency mining or exploit the private information of their owners. A Kaspersky report from 2021 noted that the company had recorded breaches of 1.51 billion IoT devices. That itself was an increase of 639 million breaches from the previous year.
Combine this fact with the high demand for these devices and a rapidly growing supply of them, and you have a huge opportunity for cybercriminals and a big problem for everyone else.
Matter security
That’s why matter is such an important development. Matter specifies strong security controls for the devices that it certifies.
It demands a layered approach to security at the levels of device attestation and authentication ensure the privacy, integrity and availability of the data that the devices use.
Its security provisions are also self contained. Because Matter provides a single application layer for certified devices to communicate, it does not rely on the security of the communications technologies on which it runs such as Thread or Wi-Fi.
It also mandates the use of the strongest civilian cryptographic standards available including AES with 128 bit keys to protect confidentiality and integrity as well as SHA-256 to preserve integrity and ECC for digital signatures and key exchanges.
It’s also crypto-agile so that cryptographic keys and protocols can be swapped out as Matter releases new versions and the threat landscape transforms.
PKIs and certificates
Crucially, matter mandates the use of PKIs and certificates within the device. The point of these is that they can be provided with identities through PKI and use certificates to verify those identities. This allows each device to be certified as a Matter-compliant device.
Matter certified devices come with their own Device Attestation Certificate (DAC) which is signed by an issuing Certification Authority (CA) and inserted into the device during the manufacturing process. When the devices are commissioned into Matter that certificate is used to verify the identity of that device and ensure that it can be folded into a Matter fabric, thus allowing interoperation with other Matter devices.
Security practitioners might often find themselves playing catch up with the IoT. It sometimes feels like it’s growing too fast to really address its fundamental security problems at the root. However, Matter represents an important intervention in IoT security.
Matter certified devices are expected to hit store shelves later in 2022. By offering an industry-backed standard to secure and certify IoT home devices, Matter is finally putting security decisions in the hands of consumers. By doing this, consumers will hopefully drive market incentives for IoT manufacturers to create secure products. Security should be a competitive differentiator for the IoT and the Matter standard might just make it that.
The author is Mike Nelson, VP of IoT Security, DigiCert.
Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow
