Things that Matter -- Identifying Interactions and IoT Device Types in Encrypted Matter Traffic

TL;DR

This paper analyzes the security of the Matter IoT standard, revealing that encrypted traffic patterns can be exploited by passive attackers to identify device types and interactions with high accuracy, posing privacy risks.

Contribution

It provides the first systematic analysis of encrypted Matter traffic, demonstrating how metadata patterns can be used to infer device types and interactions, exposing privacy vulnerabilities.

Findings

Over 95% accuracy in identifying Matter interactions despite network issues

At least 88% accuracy in classifying device types from encrypted traffic

Passive traffic analysis poses significant privacy risks for IoT users

Abstract

Matter is the most recent application-layer standard for the Internet of Things (IoT). As one of its major selling points, Matter's design imposes particular attention to security and privacy: it provides validated secure session establishment protocols, and it uses robust security algorithms to secure communications between IoT devices and Matter controllers. However, to our knowledge, there is no systematic analysis investigating the extent to which a passive attacker, in possession of lower layer keys or exploiting security misconfiguration at those layers, could infer information by passively analyzing encrypted Matter traffic. In this paper, we fill this gap by analyzing the robustness of the Matter IoT standard to encrypted traffic analysis performed by a passive eavesdropper. By using various datasets collected from real-world testbeds and simulated setups, we identify patterns in metadata of the encrypted Matter traffic that allow inferring the specific interactions occurring between end devices and controllers. Moreover, we associate patterns in sequences of interactions to specific types of IoT devices. These patterns can be used to create fingerprints that allow a passive attacker to infer the type of devices used in the network, constituting a serious breach of users privacy. Our results reveal that we can identify specific Matter interactions that occur in encrypted traffic with over $95\%$ accuracy also in the presence of packet losses and delays. Moreover, we can identify Matter device types with a minimum accuracy of $88\%$. The CSA acknowledged our findings, and expressed the willingness to address such vulnerabilities in the next releases of the standard.