Almost everything in our homes has become a smart device, from refrigerators and thermostats to lights and televisions, and the average U.S. household has 22 connected devices.
But despite the rapid proliferation of devices, security concerns remain. Nearly half (49%) of consumers worry about hackers taking over their smart home devices, and 50% worry about security breaches.
One of the ways that smart home device manufacturers are addressing consumer concerns about smart home automation is to adopt the Matter standard. Matter includes a built-in security layer, making it easier for manufacturers to build strong security into their connected devices.
Here we share the ins and outs of the Matter standard and how manufacturers can implement public key infrastructure (PKI) to improve the security of connected devices.
Why Matter matters for manufacturers
Matter is an open smart home protocol that enables simplicity, interoperability, reliability, and security between smart home devices, mobile apps, and cloud services. The Connectivity Standards Alliance (CSA) maintains the Matter standard and provides the seal of approval for device certification.
Matter is imperative for smart home device manufacturers because it streamlines development so manufacturers can cut their time to market. Rather than developing a device for dozens of different apps, manufacturers can use a single standardized protocol that lets their device talk to every other device, even from different manufacturers. Manufacturers of new devices can quickly expand their market reach by easily integrating with established brands.
But every smart home device network is only as strong as its weakest element. That’s why security is at the core of the Matter standard.
“Manufacturers are experts in their device domain, but that might not translate into IoT security. The best part is that Matter spells security out for manufacturers, and all they must do is follow that standard,” said Mitch Mershon, Product Marketing Manager at Keyfactor.
Embedding cybersecurity in the Matter ecosystem
Cybersecurity for smart home devices under the Matter standard is based on X.509 certificates. Every device requires a unique certificate to join a Matter fabric. When the device joins a network in a smart home, the LAN gateway delivers a short-lived operational certificate, which is used to secure the TLS protocol on the local network.
Think of the local network as a private club exclusively accepting Matter members. The club has high security: only Matter-approved devices can join, and all others are rejected.
So, how can Matter devices recognize one another and avoid rejection?
When a device is added to a local network, the commissioner checks the validity of the OEM certificate and the Device Attestation Certificate (DAC) presented by the device. It does this by tracing the certificate’s origin to the OEM’s Product Attestation Authority (PAA), which is pre-registered in a shared public Distributed Compliance Ledger (DCL) maintained by the CSA. This ensures each certificate is legitimate and meets the Matter specification requirements.
It is recommended that an OEM register its root PAA X.509 certificate in the DCL and be associated with a CSA vendor ID. The DCL also lists the OEM’s Certification Declaration for the product, so the network commissioner can check device compliance with the Matter standard as well.
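The commissioner-side check described above, as an added Go example (not code from this article, Keyfactor or the CSA): it mints a constructed PAA, intermediate CA and DAC, then validates the DAC against an in-memory trust store standing in for the PAAs listed in the DCL. The certificate names, the helper functions `issue`, `attest` and `demo`, and the in-memory store are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a constructed demo certificate (hypothetical helper); a nil parent means self-signed.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, IsCA: ku == x509.KeyUsageCertSign, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// attest: the DAC must chain, via the intermediate the device presents, to a PAA in the DCL-derived store.
func attest(dac, pai *x509.Certificate, dclPAAs *x509.CertPool) error {
	inter := x509.NewCertPool()
	inter.AddCert(pai)
	_, err := dac.Verify(x509.VerifyOptions{Roots: dclPAAs, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// demo checks one DAC against a store that lists its PAA and against one that lists only another PAA.
func demo() (registered, unregistered error) {
	paa, paaKey := issue("Example PAA", x509.KeyUsageCertSign, nil, nil)
	pai, paiKey := issue("Example PAI", x509.KeyUsageCertSign, paa, paaKey)
	dac, _ := issue("Example DAC", x509.KeyUsageDigitalSignature, pai, paiKey)
	other, _ := issue("Example PAA", x509.KeyUsageCertSign, nil, nil) // same name, different key
	dcl, dclOther := x509.NewCertPool(), x509.NewCertPool() // stand-ins for PAAs fetched from the DCL
	dcl.AddCert(paa)
	dclOther.AddCert(other)
	return attest(dac, pai, dcl), attest(dac, pai, dclOther)
}
func main() { fmt.Println(demo()) }
```

The second result is an error even though the listed PAA carries the same subject name as the device's own, because the chain is validated against the registered key, not the name.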
Establishing identity-first security for smart home devices
Trusted identities are at the foundation of secure communication between smart home devices, and manufacturers must manage those identities. An OEM generally has three identity provisioning options for issuing a DAC into a device:
- At the silicon vendor factory: OEMs can source chips from silicon vendors, and these silicon vendors often offer a service to inject the DAC into the chip, either a secure element or microcontroller, before it is shipped to the OEM’s factory.
- At the OEM factory: The OEM has full ownership and control of everything and can pull certificates from the PKI in real time.
- Post-manufacturing: The OEM injects the DAC after the device is manufactured, either before shipping to the end customer or upon power-on reset when the end customer deploys the device.
“These identity issuance and injection options offer different cost, complexity, and flexibility levels. At Keyfactor, we support all sorts of manufacturing PKI options for our customers. That’s our bread and butter,” said Guillaume Crinon, Keyfactor’s Director of IoT Business Strategy.
Manufacturers must possess a PKI that fits their infrastructure and will scale with them as their devices evolve. Keyfactor’s EJBCA Enterprise is a PKI platform with the flexibility to support smart home device manufacturers by working with on-prem, cloud, SaaS, or hybrid architectures. EJBCA is compliant with Matter security requirements, including PAA and DAC.
To learn more about how smart home device manufacturers can build strong security with Matter, watch the on-demand webinar Matter and Smart Home Cybersecurity Explained.