ASIACCS 2026, 21st ACM ASIA Conference on Computer and Communications Security, 1-5 June 2026, Bangalore, India
Matter is a standard for interoperable smart homes, governed by a consortium of over 200 companies, such as Apple, Google, and Amazon. A Matter network, called a fabric, can operate without an Internet connection and uses popular link layers such as Wi-Fi, Thread, or Bluetooth Low Energy. Matter provides a feature-rich application-layer protocol, including secure session-establishment mechanisms that should guarantee confidentiality, integrity, and availability. Although availability is essential and safety-critical for smart homes, prior work has explored DoS threats on Matter only partially. For example, no prior work has covered Matter DDoS. We analyze the Matter standard and SDK and uncover two (D)DoS design vulnerabilities in the specification of Matter status report application-layer messages and an issue in the Matter discovery procedures. The three flaws (V1-V3) affect all versions of the Matter standard, including the latest (v1.4.2).
We show how to exploit V1-V3 via three new Matter DoS attack classes: rogue device (RD), spoofer (SP), and Machine-in-the-Middle (MI). Each class maps to a real-world attacker model; e.g., RD is a rogue device that eavesdrops on and injects unauthenticated, unencrypted Matter packets, but has no access to the target fabric. The attacks, dubbed MaDoS, exploit status reports to DDoS a Matter fabric by preventing its devices from establishing secure sessions, i.e., devices can't add new devices or manage existing ones. Since the attacks exploit design issues in the Matter standard, they are effective regardless of the Matter version (1.0-1.4.2), transport layer (TCP, UDP, BTP), or link layer (Wi-Fi, BLE, or Thread).
We create mados, a low-cost toolkit for evaluating our attacks in real or simulated environments. The toolkit enables packet injection, Machine-in-the-Middle (MitM), and spoofing attacks, and is reproducible because it uses open-source software and available hardware. We experimentally confirm the effectiveness of the MaDoS vulnerabilities and attacks on real-world devices using mados. We exploit 13 Matter devices communicating over Wi-Fi, BLE, and Thread. Our device sample spans Matter versions v1.0-v1.4.2. We also experimentally DDoS a fabric in a controlled environment, rendering its devices unresponsive by blocking all session establishment attempts. We discuss two practical fixes to prevent the attacks by properly specifying status report messages and authenticating operational discovery. We responsibly disclosed our findings to the Matter consortium.
Type: Conference
City: Bangalore
Date: 2026-06-01
Department: Digital Security
Eurecom Ref: 8773
Copyright: Creative Commons Attribution 4.0 License (CC-BY)