Connectivity Standards Alliance Releases Matter 1.6 and Product Security 1.1 Specifications

The Connectivity Standards Alliance (CSA), creators of the Matter, Zigbee, and Aliro standards for IoT devices, released their new Matter 1.6 and Product Security 1.1 specifications for securing smart homes.

Matter is an open standard for IoT devices to be able to operate on a local network and communicate with each other. Open standards such as Matter are important for privacy because they allow IoT devices to interoperate with each other without the need to connect to the wider internet.

Matter 1.6 adds the ability to set up devices over NFC before they're even powered on. This means, for example, a lightbulb can be set up by NFC before it's screwed in. This was a bit of a pain point before, where the QR code to set up the lightbulb would often be obscured once it was screwed into the socket.

There's now an enhanced multi-admin feature called Joint Fabric which allows "multiple user-authorized controllers to co-administer a single shared Matter network." The CSA says this is suited to environments where multiple users need access to the same devices such as "new construction handovers, households running multiple platforms, or professionally managed properties."

Thermostat Suggestions is a new feature that allows thermostats to evaluate commands from other devices based on user preferences. Before, they would just act directly on commands without any context. For example, if you set your thermostat to prioritize energy savings, it can prevent an automation from another device from overriding those settings.

Matter 1.6 enhances the already-existing support for Certificate Revocation Lists (CRLs) to allow for smaller, independently updated chunks rather than a single huge list, improving the scalability of the certificate infrastructure as the number of certified devices grows.

The CSA's Product Security 1.1 specification has also been released with updated security requirements for devices seeking certification. The goal of the Product Security spec is to unify the disparate international cybersecurity standards so that manufacturers can more easily show their products meet a baseline level of security.

New in 1.1 are two levels of security assessment: Level 1 is a "supplier self-assessment reviewed by an Authorized Test Laboratory (ATL)," while Level 2 "requires an independent assessment and functional testing conducted by an ATL."

The certification requirements include: unique passwords for each device, anti-brute-forcing mechanisms, not embedding critical security parameters in the source code, using Best Practice Cryptography, support for erasing user data, removing unused interfaces (i.e., testing interfaces), input validation, removing unused functionality, recommendations to perform a secure boot process, automatic software updates, verification of update integrity, and using isolated processing.
