Session4A: IoT Security
Authors, Creators & Presenters: Haoqiang Wang, Yiwei Fang (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Indiana University Bloomington), Yichen Liu (Indiana University Bloomington), Ze Jin (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Indiana University Bloomington), Emma Delph (Indiana University Bloomington), Xiaojiang Du (Stevens Institute of Technology), Qixu Liu (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences), Luyi Xing (Indiana University Bloomington)
PAPER
Hidden and Lost Control: on Security Design Risks in IoT User-Facing Matter Controller
Matter is emerging as an IoT industry--unifying standard, aiming to enhance the interoperability among diverse smart home products, enabling them to work securely and seamlessly together. With many popular IoT vendors increasingly supporting Matter in consumer IoT products, we perform a systematic study to investigate how and whether vendors can integrate Matter securely into IoT systems and how well Matter as a standard supports vendors' secure integration. By analyzing Matter development model in the wild, we reveal a new kind of design flaw in user-facing Matter control capabilities and interfaces, called UMCCI flaws, which are exploitable vulnerabilities in the design space and seriously jeopardize necessary control and surveillance capabilities of Matter-enabled devices for IoT users. Therefore we built an automatic tool called UMCCI Checker, enhanced by the large-language model in UI analysis, which enables automatically detecting UMCCI flaws without relying on real IoT devices. Our tool assisted us with studying and performing proof-of-concept attacks on 11 real Matter devices of 8 popular vendors to confirm that the UMCCI flaws are practical and common. We reported UMCCI flaws to related vendors, which have been acknowledged by CSA, Apple, Tuya, Aqara, etc. To help CSA and vendors better understand and avoid security flaws in developing and integrating IoT standards like Matter, we identify two categories of root causes and propose immediate fix recommendations.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.
The post NDSS 2025 – Hidden And Lost Control: On Security Design Risks In loT User-Facing Matter Controller appeared first on Security Boulevard.
Marc Handelman
Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/11/ndss-2025-hidden-and-lost-control-on-security-design-risks-in-lot-user-facing-matter-controller/