Why Matter needs to toughen up
Author: Mike Nelson
Since the release of version 1.0 in 2022, the Matter standard for smart home connectivity has worked to enhance interoperability and security between Matter-compliant smart home devices . Matter has also helped manufacturers simplify device development while creating products that are easy for everyday people to use.
Despite Matter’s clear potential, its security measures aren’t quite there yet—there’s still work to be done to maintain trust in the evolving smart device industry. But with the right improvements, this security protocol will be able to deliver on its promises of making the smart home safe.
What is Matter?
The Connectivity Standards Alliance (CSA) established Matter as a global standard to unify the connected device industry. The initial goal was to enable consumers to use a single voice assistant to manage every Matter-compliant connected device, whether it was made by Apple, Google, Amazon, or another smart device manufacturer.
And the CSA’s intentions for Matter don’t stop there: In the future, it could change the way we control smart energy systems for connected buildings and smart cities . It could give healthcare systems more control over smart devices like automated IV pumps and smart beds . It could even follow in the Zigbee protocol’s footsteps by bringing smart technology to outer space .
But there’s a big difference between could and will. Before Matter can fulfill its intended role as a secure connective tissue between smart devices, there are a few major security kinks to iron out.
What’s the matter with Matter?
Matter uses established security protocols like device identity verification , robust network authentication, and strong encryption to strengthen the security of smart home devices. But the standard’s current mandates fail to tackle all potential vulnerabilities . And that shortfall poses significant risks.
Problem #1: No secure hardware requirement for storing cryptographic secrets
The requirement for secure hardware to store cryptographic secrets is conspicuously absent in the current Matter specifications. This oversight means that private keys and other sensitive information are vulnerable to unauthorized access. If these keys are compromised, malicious actors could clone devices or fabricate counterfeit versions, gaining unauthorized entry to the network. It’s a vulnerability that not only undermines the security of the affected household but also erodes trust in Matter-compliant products.
领英推荐
Problem #2: Leniency around Product Attestation Authorities
Further weakening Matter’s security framework is the leniency around Product Attestation Authorities (PAAs). While third-party certificate authorities like DigiCert undergo rigorous external audits to verify their reliability, manufacturers can also create their own PAAs. And when that happens, the manufacturer is only required to self-certify their compliance—there's no external audit required. That inconsistency is a recipe for weak security practices that leave the ecosystem highly vulnerable.
To inspire confidence among users and attract ongoing investment, Matter needs to enforce uniform audit standards for all PAAs, ensuring that every entity—whether third-party or manufacturer-operated—meets strict security requirements.
What Matter gets right—and why it needs to do even better
Industry standards like Matter don't come out in perfect form. They’re constantly evolving, which means working groups are always collaborating to make them better.
The initial release of Matter, for example, didn't include support for a key component of certificate management : revocation. Revocation is essential because it allows compromised certificates to be disabled to prevent further misuse. Without that capability, there was no swift way to neutralize devices affected by a cryptographic breach. This issue was remedied in the fall of 2023, when Matter 1.2 was released to include that much-needed support.
But there’s still work to be done on the security front to ensure trust is maintained. If Matter fails to address the gaps outlined above, the consequences could be far-reaching: Consumers worried about a security breach will hesitate to adopt new devices or invest in smart home technology. Manufacturers and developers will struggle to justify the ongoing investment needed to integrate Matter into their products.
These hesitations could slow down the entire industry, reducing innovation and progress in smart home technology. And that’s a speed bump the industry can’t afford to hit.
The latest developments in digital trust
Want to learn more about topics like authentication , cryptography , and the IoT ? Subscribe to the DigiCert blog to ensure you never miss a story.