STEPS FORWARD: New tech standards, like ‘Matter’ and ‘BIMI,’ point the way to secure interoperability

By Byron V. Acohido

The IQ of our smart homes is about to level-up.

Hundreds of different types of smart devices designed to automate tasks and route control to our smart phones and wearable devices have arrived on store shelves, just in time for the holiday shopping season.

Related: Extending digital trust globally

Some of these latest, greatest digital wonders will function well together, thanks to the new Matter smart home devices standard, which was introduced one year ago.

However, there’s still a long way to go to achieve deep interoperability of interconnected services in a way that preserves privacy and is very secure. Matter is a bellwether, part of a fresh slate of technical standards and protocols taking shape that will help to ingrain digital trust and pave the way for massively-interconnected, highly-interoperable digital services.

I recently discussed the current state of tech standards with DigiCert’s  Mike Nelson, Global Vice President of Digital Trust and, Dean Coclin, Senior Director of Trust Services, at DigiCert Trust Summit 2023. We drilled down on Matter as well as another new standard,  BIMI, which stands for “brand indicators for message?identification.” BIMI essentially is a carrot-on-a-stick mechanism designed to incentivize e-mail marketers to proactively engage in suppressing email spoofing. Here are my takeaways:

Matter picks up steam

Frustration with smart home devices should be much reduced in 2024. That’s because gadgets that bear the Matter logo are more readily available than ever.  Matter-compliant thermostats, pet cams, vacuum cleaners, kitchen appliances, TVs and security systems can now be purchased — and they can be seamlessly controlled by either Amazon’s Alexa or Apple’s Siri.

This is precisely what the consortium of software companies and device manufacturers, led Google, Amazon and Apple, set out to achieve when Matter was conceived four years ago. Following a successful debut in November 2022, Matter is picking up steam, Nelson told me.

“Millions of Matter devices have been provisioned and are out in the market,” he noted. “Consumer awareness is growing and evolving. It’s important that as consumers are shopping for these smart home devices that they learn to recognize the Matter trademark so that they can make educated decisions.”

Matter works much the way website authentication and website traffic encryption gets executed. It builds off and extends

Aproduct attestation authority, such as DigiCert, issues device attestation certificates for each Matter-compliant device. This step assures that the device meets an interoperability threshold as well as integrates robust security mechanisms at the device level. “Matter drives toward an improved smart home experience and it also raises the bar of security,” Nelson says.

Extending Matter

Notably, Google, Amazon and Apple have been cooperatively leading the campaign to persuade more device manufacturers to join the Connectivity Standard Alliance (CSA) and integrate Matter  into their product lines.

The hope is that Matter gives rise to an emerging technology ecosystem in which interoperability deepens not just in smart homes, but across multiple interconnected systems. Nelson outlined for me how CSA is acting on this vision by working on specifications to extend Matter beyond smart home devices to smart devices in healthcare facilities and commercial buildings.

Nelson

“The Matter spec starts with an objective of getting all manufacturers of smart home devices to get on board with CSA and become compliant with Matter,” Nelson says. “This same approach really could be applied to other industries.

“For instance, since a hospital, has similarities to a smart home, in that lots of different devices from different manufacturers need to connect securely and be fully interoperable, a CSA working group is looking at how to apply Matter to this use case to create interoperability and security for medical devices.

“We’re also moving on smart commercial buildings. You need secure interoperability between the smart devices used in these buildings such as security cameras, access controls, HVAC and emergency systems. This enables you to aggregate data and make informed decisions based on that. And it’s exciting that CSA is already working on those specs, as well.”

Carrot-on-a-stick

As Matter gains wider traction, it should give impetus to other standards and practices that similarly drive business value while simultaneously helping saturate security more pervasively in our increasingly complex digital systems.

BIMI is a case in point. This new standard provides a means for e-marketers to efficiently distribute their trademarked logo atop email messages sent to clients, suppliers and prospective customers via Gmail, Yahoo Mail and Apple Mail – in a way that also incrementally adds to security of the wider ecosystem.

The tech giants are leading the championing of BIMI as a brand awareness booster that also happens to serve as a trusted seal of authentication “Companies spend a lot of money on trademarks,” Coclin says, “and now they have a trusted way to widely display their trademark logo directly in the inbox of the customers and suppliers they’re communicating with.”

BIMI is a carrot-on-a-stick aimed at rallying efforts to repel an enduring threat: email spoofing. Astoundingly, some 68 percent of phishing attempts have never been seen before and phishing is 45 times more dangerous than having data exposed, according to research presented by Google and University of Florida professor Daniela Oliveira at Black Hat USA 2023.

“Spoofed email is getting through our firewalls and filtering systems because the attackers are constantly migrating and finding new ways to penetrate these systems,” Coclin says.

Support for DMARC

To implement BIMI, companies must embrace DMARC, which stands for “domain-based message authentication, reporting and conformance.” DMARC is a robust email authentication protocol that has been around for more than a decade. It can be cumbersome to set up and so adoption has been sluggish.

Coclin

“It’s a little bit of work to implement DMARC,” Coclin says, “But there are companies that can help you do it, and now once you do all that good work the reward is you can use BIMI to display the company’s trademarked logo far and wide.”

As BIMI helps heat up DMARC adoption, a couple of other email security mechanisms could gain wider adoption, as well, Coclin noted. One is “verified mark certificates,” or VMCs. These take the form of a blue check mark and a logo that appears on company-issued email; by hovering a cursor over the blue check mark, the user can visually verify that the email is coming from a specific domain and not an imposter.

Another is S/MIME, which stands for “secure/multipurpose internet mail extensions. S/MIME provides a means to encrypt sensitive emails while also  verifying the authenticity of the sender.

Email remains far and away the most widely used business communication tool, and thus a primary target. Ongoing attention to improving email security will be necessary, going forward, because threat actors are well-along leveraging machine learning to constantly iterate and scale up email attacks, Coclin argues.

“We’ve got a big problem right now because the attackers are using machine learning and AI to help them break through,” he says. “So the more we can do to help users identify spam emails, the better we become at helping them secure themselves.”

More so than ever, tech standards that embed security deeply – and provide business value –  need to be fine-tuned and widely adopted. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone