Reflections

Capstone Project reflection:

The Capstone project lasted 30 weeks, from finding a topic to completion, so that a large number of insights and gains in knowledge were observed during this time. Building on the last module, 'Research Methods and Professional Practice', the theory learned could be consolidated through practical implementation as part of the project. By independently choosing the topic complex, it was possible to set own priorities. Since, in my opinion, the area of IoT will increase in importance in the future as a result of further networking between humans and machines, as well as areas of application, I have considered this topic area to be particularly worthwhile for a deeper look. The Matter communication standard chosen for the investigation, which was developed specifically for the Smart Home IoT environment, was a good opportunity to take a critical perspective on threats from communication standards on IoT. Since Matter is based on other communication standards that are already firmly established in large parts of the population, this study provided the opportunity not only to examine the new Matter standard in more detail, but also to gain comprehensive knowledge of two of the most important standards, Wi-Fi and Bluetooth. In addition, there was a quote from CSA, the developers of Matter, which was the driving force behind questioning the new standard: “Customers buying Matter devices will not have a dead kink about security: it is just there” (CSA, 2022).

This statement is quite bold because, on the one hand, the human factor is an aspect that should never be overlooked in the context of cyber security and, on the other hand, Matter is based on other communication standards. These standards in turn have known vulnerabilities, which are of conceptual origin, for example with regard to Bluetooth (Gupta et al., 2019). The question therefore arises as to how a new communication standard can be completely secure, that is based on existing standards, which themselves have known vulnerabilities? In order to investigate this question, a comprehensive theoretical understanding of various communication standards for the smart home had to be gained first. The question also needs to be clarified as to why a new standard is needed at all. The respective advantages and disadvantages of the communication standards quickly led to the realisation that although there are a large number of standards that are currently used, they are not equally suitable for all areas of application and cannot cooperate with each other. The result is many different standards that are used in parallel but cannot be united under one central authority. This consequence of the lack of interoperability is not a disadvantage for users, companies also have a great interest in avoiding this jungle of standards in order to be more appealing to customers and to be able to develop products more easily.

Further investigations in the field of IoT have shown that the spectrum of cyber security needs to be differentiated from that of classic cyber security in some aspects. IoT devices often have limitations, which arise, for example, from a limited power supply, low data transmission or computing power. As a result, classic security precautions often cannot be transferred one-to-one to IoT devices. In many cases, such devices also have no display or control panel, which means that these devices can only be set and operated from control devices (Chantzis et al., 2021). The research has therefore shown that a new communication standard for the smart home makes sense, so that Matter can make a fundamental contribution to the future establishment of IoT in people's everyday lives.

After the theoretical basis of the project was created, a plan had to be developed how the communication standard could be compared with the standards united under Matter. A solution was found through a direct comparison between the test network and the matter network. Since the Matter Standard had only been on the market for 5 months at the time the project started, there were few Matter devices that could be used for an investigation. A solution was found through microcontrollers, which could be flashed independently with the Matter application. However, this required that knowledge of how to use microcontrollers had to be developed. While it was ultimately successful to gain this knowledge and create Matter networks with self-flashed devices, the scope and complexity of this area of knowledge was initially underestimated. It also turned out that not every application provided by Matter was compatible with the ESP-32-S3-DevKitC-1 microcontroller used, even if this was stated by Matter. Furthermore, it had to be determined that not every hub device that acts as a controller for the Matter network can be used with flashed devices. The Google Nest Hub (2nd generation) does not allow you to embed flashed devices into the network. iPads, on the other hand, which can also be used as a hub device, enable the integration of flashed devices. It became clear that manufacturers who use Matter have their own decision-making power over the safety and functionality of Matter devices. Furthermore, it was found that regardless of whether users need to worry about the security of Matter, users need to think about the interoperability of their Matter devices. This highlighted that although one of Matter's central goals was to eliminate interoperability problems, this goal could not be fully achieved. This makes it clear that there is a gap between the theoretical development and the practical use of digital products, such as a communication standard in this case, since original considerations are often not applied in the practical world according to their intention.

Conducting experiments in which attempts were made to infiltrate and hack Matter in various ways has led to a significant increase in personal practical skills in the context of white hat hacking. Some insights were also gained regarding communication standards. For example, it was surprising to realise how easy it is to determine information and intercept communication packets via Bluetooth and its devices. This has highlighted the standard's conceptual vulnerabilities. But the implementation of de-authentication attacks has also shown that other standards, such as Wi-Fi in this case, are not protected from threats. It was particularly interesting to realise that even if a threat has been identified for a long time and a countermeasure has been developed and available for it, it does not mean that this function is actually used. The 802.11w extension for the Wi-Fi standard has existed since 2009 and could therefore be used in almost any device, but the tests found more devices that did not support this extension than devices that did. In my opinion, it is incomprehensible that Matter does not offer this extension and is therefore not protected against de-authentication attacks under WPA2. In the context of Matter's statement, "Customers buying Matter devices will not have a dead kink about security: it is just there", the personal consequence is that companies' promises regarding the security of their products should not be trusted too much. Ultimately, everyone is responsible for their own security in the digital space. Even if companies' intentions are good and they care deeply about the security of their users, comprehensive security can never be guaranteed. Finally, there is one factor that companies cannot influence: the human factor. Nevertheless, it makes sense to weigh and question statements and promises made by companies, as they have a significant responsibility to ensure that their products are secure and that the information provided is also true. Exaggerated and unrealistic statements are more likely to damage the image and trust in the company than they are beneficial.

In the general context, it should be noted that the implementation of the project trained the ability to independently plan, carry out and evaluate tasks in the context of IT and cyber security. Furthermore, the ability to solve problems was improved. Comprehensive knowledge of communication standards was gained and skills in dealing with various OS and microcontrollers were developed. In addition, various hacking tools were used and the competent use of these tools was learned based on these practices.

References:

• Chantzis, F., Stais, I., Calderon, P., Deirmentzoglou, E. & Woods, B. (2021) Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. No Starch Press. Available from: https://learning.oreilly.com/library/view/practical-iot-hacking/9781098128876/c02.xhtml#h1-500907c02-0002 [Accessed 23 March 2023].
• CSA (2022) Matter Security and Privacy Fundamentals. Available from: CSA_Matter_Security_WP.docx (csa-iot.org) [Accessed 06 April 2023].
• Gupta, A. (2019) The IoT Hacker's Handbook. Berkeley, CA: Apress. Available from: https://learning.oreilly.com/library/view/the-iot-hackers/9781484243008/ [Accessed 24 March 2023].