Things that Matter -- Identifying Interactions and IoT Device Types in Encrypted Matter Traffic

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Matter is the most recent application-layer standard for the Internet of Things (IoT). As one of its major selling points, Matter’s design imposes particular attention to security and privacy: it provides validated secure session establishment protocols, and it uses robust security algorithms to secure communications between IoT devices and Matter controllers. However, to our knowledge, there is no systematic analysis investigating the extent to which a passive attacker, in possession of lower layer keys or exploiting security misconfiguration at those layers, could infer information by passively analyzing encrypted Matter traffic. In this paper, we fill this gap by analyzing the robustness of the Matter IoT standard to encrypted traffic analysis performed by a passive eavesdropper. By using various datasets collected from real-world testbeds and simulated setups, we identify patterns in metadata of the encrypted Matter traffic that allow inferring the specific interactions occurring between end devices and controllers. Moreover, we associate patterns in sequences of interactions to specific types of IoT devices. These patterns can be used to create fingerprints that allow a passive attacker to infer the type of devices used in the network, constituting a serious breach of users' privacy. Our results reveal that we can identify specific Matter interactions that occur in encrypted traffic with over $95\%$ accuracy also in the presence of packet losses and delays. Moreover, we can identify Matter device types with a minimum accuracy of $88\%$. The CSA acknowledged our findings, and expressed the willingness to address such vulnerabilities in the next releases of the standard.


💡 Research Summary

This paper investigates the privacy implications of the Matter IoT standard when only encrypted traffic metadata is observable to a passive adversary. Matter, introduced in 2022 and now adopted by hundreds of manufacturers, promises security‑by‑design through authenticated session establishment (CASE or PASE) and AES‑CCM encryption of payloads. However, the message header remains either unauthenticated or only optionally encrypted, leaving observable features such as packet direction, size, timing, and sequence order.

The authors formulate two research questions: (RQ1) To what extent can a passive attacker identify specific packets, transactions, and interaction types from encrypted Matter traffic? (RQ2) To what extent can the same analysis reveal the presence of particular device types? To answer these, they construct a realistic threat model in which the attacker either possesses lower‑layer keys (e.g., Wi‑Fi or Thread) or exploits misconfigurations that disable link‑layer security. The attacker is fully passive, collecting only wire‑level traces without injecting traffic.

Data collection combines real‑world testbeds (home, office, factory) with the official Matter simulator, yielding a diverse dataset of encrypted UDP/IPv6 flows over Wi‑Fi (and limited Thread). For each packet the authors extract metadata: source/destination direction, total length, inter‑packet interval, and position within a transaction. They then apply statistical analysis and machine‑learning classifiers (random forests for static features, LSTM for temporal sequences) to map these features to the five interaction categories defined by Matter (Read, Write, Invoke, Subscribe, Report).

Results show that four of the five interaction types can be identified with over 95 % accuracy; the full set reaches 96 % when the optional header encryption is not used. The classifiers remain robust under simulated network impairments (10 % packet loss, up to 200 ms latency), with performance degradation below 3 %. For device‑type identification, the authors train multi‑class models on eight common categories (e.g., lighting, smart lock, power plug). Even with the same limited metadata, the models achieve a minimum of 88 % accuracy, demonstrating that device fingerprints are embedded in interaction patterns independent of manufacturer.

The discussion highlights the privacy risk: an adversary can infer room occupancy, usage habits, or the presence of security‑critical devices (locks, cameras) solely from encrypted traffic. The authors note that optional header encryption could mitigate the risk, but many commercial implementations leave headers in clear. Limitations include the focus on Wi‑Fi traffic, the need for labeled data, and the absence of extensive Thread/BLE analysis.

The paper concludes by reporting the findings to the Connectivity Standards Alliance (CSA), which acknowledged the issue and indicated plans to address it in future revisions of Matter. Recommendations include mandating header encryption, adding cover traffic, and designing protocols that obscure timing and size patterns. Future work is suggested on cross‑technology traffic analysis, real‑time detection of passive eavesdropping, and privacy‑preserving protocol extensions.
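
One way to evaluate the size-obscuring recommendation before deploying it, as an added example that is not code from the paper or from the Matter project: it pads packet lengths to fixed buckets and measures how many transactions still carry a signature unique to one interaction type. The sample transactions, their lengths, and the `c2d`/`d2c` direction labels are constructed for illustration, not measured from Matter traffic.

```python
from collections import defaultdict

# Constructed sample: (interaction label, [(direction, encrypted length in bytes), ...]).
# "c2d" = controller to device, "d2c" = device to controller (labels assumed here).
SAMPLE = [
    ("Read",      [("c2d", 62), ("d2c", 118), ("c2d", 34)]),
    ("Read",      [("c2d", 62), ("d2c", 131), ("c2d", 34)]),
    ("Write",     [("c2d", 97), ("d2c", 71), ("c2d", 34)]),
    ("Write",     [("c2d", 104), ("d2c", 71), ("c2d", 34)]),
    ("Invoke",    [("c2d", 83), ("d2c", 66), ("c2d", 34)]),
    ("Invoke",    [("c2d", 83), ("d2c", 69), ("c2d", 34)]),
    ("Subscribe", [("c2d", 75), ("d2c", 142), ("c2d", 34), ("d2c", 58)]),
    ("Report",    [("d2c", 126), ("c2d", 34)]),
]

def pad(length, bucket):
    """Round a length up to the next multiple of bucket (bucket=1 means no padding)."""
    return -(-length // bucket) * bucket

def signature(packets, bucket=1):
    """Metadata left visible on the wire: direction and padded length of each packet."""
    return tuple((direction, pad(length, bucket)) for direction, length in packets)

def ambiguity(sample, bucket=1):
    """Fraction of transactions whose signature is shared by two or more interaction types."""
    labels = defaultdict(set)
    for label, packets in sample:
        labels[signature(packets, bucket)].add(label)
    shared = sum(1 for _, packets in sample
                 if len(labels[signature(packets, bucket)]) > 1)
    return shared / len(sample)

def overhead(sample, bucket):
    """Relative increase in bytes sent caused by padding."""
    raw = sum(n for _, packets in sample for _, n in packets)
    padded = sum(pad(n, bucket) for _, packets in sample for _, n in packets)
    return (padded - raw) / raw

if __name__ == "__main__":
    for bucket in (1, 64, 256):
        print(f"bucket={bucket:3d}  ambiguous={ambiguity(SAMPLE, bucket):.2f}  "
              f"overhead={overhead(SAMPLE, bucket):.2f}")
```

On this sample, even the 256-byte bucket leaves Subscribe and Report distinguishable, because packet count and direction are untouched by length padding; that residual signal is what the cover-traffic and timing recommendations address.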

