Privacy Vulnerabilities in Matter IoT Standard Expose Device Types and User Behavior
Researchers from Bitdefender and Eindhoven University of Technology presented findings on privacy vulnerabilities in the Matter standard, a rising IoT protocol backed by over 600 companies since 2022. The study revealed that encrypted Matter traffic leaks patterns, such as consistent packet sizes, that allow attackers to infer device types (e.g., smart bulbs, locks, sensors), user behaviors, and even automation chains without decrypting communications. Because Matter uses AES-128-CCM encryption (as defined in NIST SP 800-38C), which preserves plaintext length, and lacks crypto agility, identical commands produce identical packet lengths, enabling fingerprinting of devices across vendors. The team analyzed Thread- and Wi-Fi-based Matter devices in a real-world office setup, using a random forest classifier to identify devices with high accuracy (although 90% of the traffic was discarded as uniform 'report' sequences). Proposed mitigations, such as random padding or uniform packet sizes, reduced classification accuracy but risked performance overhead, particularly for battery-powered devices. The research highlighted parallels to past smart meter vulnerabilities and called for privacy-focused protocol redesigns under EU legislation such as the GDPR and the CRA. The findings apply to all Matter versions and devices, regardless of vendor.
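To make the length leak and the padding trade-off concrete, the following is an added example, not the study's code or data: it models the AES-CCM ciphertext length as plaintext plus tag, fits a trivial per-length lookup (a stand-in for the random forest) on constructed packet sizes for three hypothetical device types, and reports classification accuracy next to the byte overhead of padding to a given bucket size.

```python
from collections import Counter, defaultdict
from fractions import Fraction

TAG_LEN = 16  # assumption: 16-byte AES-128-CCM authentication tag
# Constructed plaintext command sizes (bytes) per hypothetical device type; not measured Matter payloads.
TRAFFIC = {
    "bulb":   [31, 31, 47, 31, 62, 31, 47, 62],
    "lock":   [28, 28, 90, 28, 28, 90],
    "sensor": [24, 24, 24, 36, 24, 36, 24],
}

def ccm_len(plaintext_len, tag_len=TAG_LEN):
    """CCM is CTR-based: no block padding, so ciphertext = plaintext + tag and the length leaks exactly."""
    return plaintext_len + tag_len

def pad_len(plaintext_len, bucket=None):
    """Mitigation: round the plaintext up to a multiple of `bucket` before encryption."""
    if bucket is None:
        return plaintext_len
    return -(-plaintext_len // bucket) * bucket  # ceiling division

def wire_lengths(sizes, bucket=None):
    """What a passive observer sees for one device: the per-packet ciphertext lengths."""
    return [ccm_len(pad_len(n, bucket)) for n in sizes]

def train(traffic, bucket=None):
    """Stand-in for the study's random forest: map each wire length to its most frequent label."""
    votes = defaultdict(Counter)
    for label, sizes in traffic.items():
        for length in wire_lengths(sizes, bucket):
            votes[length][label] += 1
    return {length: c.most_common(1)[0][0] for length, c in votes.items()}

def evaluate(traffic, bucket=None):
    """Return (in-sample per-packet accuracy, padding overhead as a fraction of raw bytes)."""
    model = train(traffic, bucket)
    correct = total = raw = padded = 0
    for label, sizes in traffic.items():
        for n, length in zip(sizes, wire_lengths(sizes, bucket)):
            correct += model[length] == label
            total += 1
            raw += n
            padded += pad_len(n, bucket)
    return Fraction(correct, total), Fraction(padded - raw, raw)

if __name__ == "__main__":
    for bucket in (None, 32, 128):
        acc, overhead = evaluate(TRAFFIC, bucket)
        print(f"bucket={bucket}: accuracy={float(acc):.2f} overhead={float(overhead):.2f}")
```

With no padding every type is separable by length alone; a 128-byte bucket collapses all packets to one length, driving the lookup to the majority-class guess at the cost of roughly tripling the bytes on the wire, which is the overhead concern for battery-powered devices.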