Table of Contents
Fetching ...

Things that Matter -- Identifying Interactions and IoT Device Types in Encrypted Matter Traffic

Kristopher Alex Schlett, Bela Genge, Savio Sciancalepore

TL;DR

Despite Matter's security features, metadata in encrypted Matter traffic leaks actionable information to a fully passive observer. The authors conduct an empirical study on real-world and simulated Matter traffic to identify stable packet-length and sequence patterns corresponding to Read, Write, and Invoke transactions, and to fingerprint device types such as lighting, locks, and plugs. They report interaction-identification accuracy above $95\%$ and device-type accuracy of at least $88\%$, with robustness to modest packet loss and delays but degradation under severe network instability. The work exposes privacy risks in Matter ecosystems and motivates protocol adjustments to inject variability in packet structures, a stance acknowledged by CSA in follow-up discussions.

Abstract

Matter is the most recent application-layer standard for the Internet of Things (IoT). As one of its major selling points, Matter's design imposes particular attention to security and privacy: it provides validated secure session establishment protocols, and it uses robust security algorithms to secure communications between IoT devices and Matter controllers. However, to our knowledge, there is no systematic analysis investigating the extent to which a passive attacker, in possession of lower layer keys or exploiting security misconfiguration at those layers, could infer information by passively analyzing encrypted Matter traffic. In this paper, we fill this gap by analyzing the robustness of the Matter IoT standard to encrypted traffic analysis performed by a passive eavesdropper. By using various datasets collected from real-world testbeds and simulated setups, we identify patterns in metadata of the encrypted Matter traffic that allow inferring the specific interactions occurring between end devices and controllers. Moreover, we associate patterns in sequences of interactions to specific types of IoT devices. These patterns can be used to create fingerprints that allow a passive attacker to infer the type of devices used in the network, constituting a serious breach of users privacy. Our results reveal that we can identify specific Matter interactions that occur in encrypted traffic with over $95\%$ accuracy also in the presence of packet losses and delays. Moreover, we can identify Matter device types with a minimum accuracy of $88\%$. The CSA acknowledged our findings, and expressed the willingness to address such vulnerabilities in the next releases of the standard.

Things that Matter -- Identifying Interactions and IoT Device Types in Encrypted Matter Traffic

TL;DR

Despite Matter's security features, metadata in encrypted Matter traffic leaks actionable information to a fully passive observer. The authors conduct an empirical study on real-world and simulated Matter traffic to identify stable packet-length and sequence patterns corresponding to Read, Write, and Invoke transactions, and to fingerprint device types such as lighting, locks, and plugs. They report interaction-identification accuracy above and device-type accuracy of at least , with robustness to modest packet loss and delays but degradation under severe network instability. The work exposes privacy risks in Matter ecosystems and motivates protocol adjustments to inject variability in packet structures, a stance acknowledged by CSA in follow-up discussions.

Abstract

Matter is the most recent application-layer standard for the Internet of Things (IoT). As one of its major selling points, Matter's design imposes particular attention to security and privacy: it provides validated secure session establishment protocols, and it uses robust security algorithms to secure communications between IoT devices and Matter controllers. However, to our knowledge, there is no systematic analysis investigating the extent to which a passive attacker, in possession of lower layer keys or exploiting security misconfiguration at those layers, could infer information by passively analyzing encrypted Matter traffic. In this paper, we fill this gap by analyzing the robustness of the Matter IoT standard to encrypted traffic analysis performed by a passive eavesdropper. By using various datasets collected from real-world testbeds and simulated setups, we identify patterns in metadata of the encrypted Matter traffic that allow inferring the specific interactions occurring between end devices and controllers. Moreover, we associate patterns in sequences of interactions to specific types of IoT devices. These patterns can be used to create fingerprints that allow a passive attacker to infer the type of devices used in the network, constituting a serious breach of users privacy. Our results reveal that we can identify specific Matter interactions that occur in encrypted traffic with over accuracy also in the presence of packet losses and delays. Moreover, we can identify Matter device types with a minimum accuracy of . The CSA acknowledged our findings, and expressed the willingness to address such vulnerabilities in the next releases of the standard.
Paper Structure (18 sections, 1 equation, 1 figure, 12 tables)