Matter isn’t only a standardized way to add devices to your smart home—it’s also a private one. The devices on your home network communicate with each other via a connection shielded by AES encryption. But what does this actually mean?
Matter requires encryption for communication over the protocol
Matter is a standard that allows devices in your home to communicate using a common language over an IP (internet protocol) connection. Its purpose is to allow your lights, speakers, appliances, and more to all be accessible using the same technology connecting phones, computers, and routers. And when these devices communicate with each other, that connection is encrypted.
But what is encryption? Encryption is actually older than you might think. It simply refers to the scrambling of a message using a secret code in order to mask what’s being transmitted. Cryptographers used to scramble messages by hand, but now computers can do the work using calculations are that are more complex by many orders of magnitude.
Matter utilizes AES encryption to shield what your devices are saying to each other. AES stands for Advanced Encryption Standard. It is popular for being the encryption standard adopted by the US government.
That said, Matter does not require encryption once data leaves your Matter network, whether that be over Wi-Fi or Thread. This means the connection between your thermostat and your smart home hub is secure and private, but that doesn’t mean the connection between your thermostat and the cloud (such as from a Matter-compatible Google Nest), or your hub and the cloud (perhaps from a Samsung TV running SmartThings) are secure.
Matter devices can have an encrypted secure enclave for storing data
Matter devices, no matter how small, have to store small bits of data. Typically, this may just be the name and password of your Wi-Fi network. It could be the name of the device itself and the devices it connects to.
The Connectivity Standards Alliance, which publishes the Matter standard, recommends that this data is stored in a secure area of the device that is also encrypted. This way someone can’t access the device, either remotely or by hand, and use it as a way to gain access to the rest of your network.
This isn’t a hard requirement, though, just a recommendation. So some Matter devices are more vulnerable than others.
They use public key encryption and certification
A public key is the same technology that websites use to verify that when you enter a URL, you've actually reached the appropriate site. This all happens in the background, with the website revealing a certificate from a reputable source that confirms its identity.
Matter devices are required to do the same. Manufacturers must acquire such certificates in order for their devices to confirm to devices from other manufacturers that their connection can be trusted. This prevents someone from using non-Matter devices to hijack the connection in your home. Such security is especially important if we want to someday connect security cameras using Matter.
This certificate is checked when you add a new Matter device to your home network, and it’s part of the reason you have to wait a few moments after scanning a device’s Matter QR code before it’s all setup and good to go.
Matter devices must be able to receive OTA updates for security patches
There is no such thing as a perfectly secure device. Over time, weaknesses are exposed. The important thing is being able to address the issue and provide the fix to customers. This is why all Matter devices are required to have the ability to receive over-the-air updates.
This requirement means you need to be able to download security fixes without having to go through the hurdle of plugging a device into a computer using a flash drive or some other unrealistic expectation when dealing with light switches and water sensors.
Without this requirement, most devices would likely not be upgradeable and would simply live on, vulnerable to exploitation.
So can Matter devices be hacked?
Encryption isn’t impenetrable, but it’s pretty close. There are weak points in the system that can be exploited, such as the connection between some Matter devices and the web. A Govee floor lamp that's set up and controlled exclusively using Matter is more secure than one managed by the Govee app, which introduces the possibility of Govee’s own data collection or a data breach.
A household filled with Matter devices that are controlled via Home Assistant may be producing a lot of data, but this data isn’t being sent to the web (assuming the individual devices aren’t web-connected). That doesn’t mean someone can’t physically attack your Home Assistant box to get the data, but in that implausible scenario, you already have bigger concerns on your hands.
In short, there is no such thing as perfect security, but Matter’s practices and standards are pretty strong. You’re more vulnerable, and generate more data, connecting your smartphone to your router than a room of Matter-compatible smart light switches.
