Matter devices calling home?

Dear all,

I have to make a decision for whether Homematic IP or Matter devices.

Noteworthy, I’m based in Europe and I would trust the manufacturer EQ3 as a German company under quite strict local law and privacy rules.

However, Homematic IP is a proprietary protocol, which I also view critically.

Now Matter would be open, but most interesting manufacturers are based overseas. Matter is IP-based and, if I get it right, there will always be a data connection between the manufacturer and the device (say, in contrast to a Zigbee device connected to ZHA).

So devices might phone home and - in extreme cases - might be controlled by the manufacturer due to a direct IP connection.

Am I right in this point? Would there be options in HA’s Matter server to control traffic to the Internet?

Thanks and best wishes,
Tobias

Hi,

I’d suggest a read of the HA Matter docs:

Matter products run locally and always allow local control, with device control done without the need for any internet connection or cloud services.

Matter can connect remotely to a cloud service, but it doesn’t need to.

If this helps, :heart: this post!

My understanding after reading around the past few years is that:

  1. Matter is only “open” in that it is published openly, and it is free to create a server/controller. But devices running Matter must be certified by the CSA, which requires paying a fee. (There are four test IDs available, which is how Tasmota is able to use Matter.)
  2. Matter is IP-based and therefore devices are capable of phoning home if the manufacturer wants them to, but there is no requirement to do so. I have Matter devices on a completely isolated VLAN with no default route and they work fine.
  3. There is a requirement for the Matter server/controller to periodically check the Distributed Compliance Ledger (DCL) to check for updates and ensure devices haven’t had their certificates revoked, e.g. for being malware. Any member of the CSA can host a copy of the DCL, so while the Matter server needs Internet access, it is only required to access whatever server is hosting its DCL, not a specific manufacturer.

Matter comes from the same org that brought you Zigbee, adding the certification stability of Z-Wave and the ubiquity of IP routing. It’s not perfect, and is still massively incomplete, but as of now it still has the backing of all the major players. However, if you are considering selling an IP device, ESPHome offers more flexibility and is truly open.

1 Like

Okay, thanks. I know that technically, no Internet connection is needed.

But would in a naive standard configuration calling home be possible? And are there simple approaches to avoid this?

And I assume that firmware updates via Matter protocols would always need an open path to the manufacturer - so keeping the pathway open would probably be a desirable behavior for many…

Thanks!

I would trust the organizations behind Matter and my Matter server. But I’m skeptical about single manufacturers.

So is there a simple server option in HA to isolate my Matter devices from the Internet?

Any device with an IP stack could connect to another, but that’s what ACLs and firewall rules are for. HA is not a networking device, nor is Matter so such controls need to be implemented on your network (router, firewall, Layer 3 switch, etc - e.g. a Unifi gateway or OpenWRT).

Some folk (including peterxian above :) ) put IoT devices on a separate network (VLAN + firewall rules / ACLs) without Internet access to prevent external access, exfiltration, and unwanted updates. Of course, wanted updates need a connection - and again peterxian has given a very detailed explanation above.

Matter devices are no different from other IPv4 / IPv6 kit, but the standard is a lot better than many alternate protocols, with useful stuff like security, updates, multi-vendor / multi-platform support (Matter v1.4), and options to remove single points of failure like hubs / controllers.
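The two posts above (peterxian’s isolated VLAN with no default route, and the advice that the blocking has to live on the router/firewall rather than in HA) describe one setup; the ruleset below is an added example of what that looks like on a Linux router running nftables (an OpenWrt box with fw4, or any nft-based firewall). It is not from the thread and not Home Assistant or CSA code. The interface names, subnets and the HA host addresses are assumptions for the example and need to be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Added example: keep a Matter/IoT VLAN off the Internet but reachable by
# Home Assistant. Assumed topology (change to match your network):
#   br-lan  = trusted LAN, 192.168.1.0/24, HA host 192.168.1.10 / fd00:1::10
#   br-iot  = IoT VLAN,   192.168.20.0/24 (Wi-Fi Matter devices live here)
#   wan0    = upstream interface
define ha_host4 = 192.168.1.10
define ha_host6 = fd00:1::10

# A separate table so it can sit beside an existing ruleset: rules here only
# touch traffic entering or leaving br-iot; everything else falls through.
table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies to flows that a rule below already allowed
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN (this includes the HA Matter server) may open
        # connections into the IoT VLAN: commissioning, CASE sessions,
        # OTA image transfer all originate here.
        iifname "br-lan" oifname "br-iot" accept

        # IoT devices may initiate traffic only towards the HA host, so
        # subscription reports keep working even after a conntrack entry
        # for the UDP session has aged out.
        iifname "br-iot" oifname "br-lan" ip  daddr $ha_host4 accept
        iifname "br-iot" oifname "br-lan" ip6 daddr $ha_host6 accept

        # Anything heading for the Internet is logged, then dropped. The log
        # prefix is what you grep for in syslog to see whether a device is
        # trying to phone home, and to which address.
        iifname "br-iot" oifname "wan0" log prefix "iot-egress-drop " drop

        # Everything else originating in the IoT VLAN (other LAN hosts,
        # other VLANs) is dropped as well.
        iifname "br-iot" drop
    }
}
```

Load it with `nft -f <file>` and check with `nft list table inet iot_isolation`. Two practical caveats: the firewall rule, not the missing default route, is what actually enforces isolation, because a device can hardcode a gateway or pick one up from an IPv6 router advertisement; and Matter discovery is DNS-SD over mDNS, which is link-local multicast and does not cross VLANs on its own, so the HA server either needs an interface on the IoT VLAN or an mDNS reflector/repeater between the two networks (for example avahi-daemon with `enable-reflector=yes`). Traffic to the router itself (DHCP, DNS, NTP) goes through the input hook and is not covered by this forward chain.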

No - HA is not a firewall.

It can connect to multiple networks, but not route traffic between them.

The only related part of Matter is a Thread Border Router device which bridges the Thread radio protocol to Matter using IP, but this is only for the Matter protocol.

If you squint and look sideways, a TBR looks a little like a firewall router as Thread’s 802.15.4 radio uses IPv6 addressing, but the TBR can only route the Matter protocol.

Matter products can be updated with firmware that removes features from Matter and only makes them available from the vendor cloud, but so can Zigbee actually, and it would kill a brand pretty quickly if they did so, because everyone using the brand’s products on other Matter fabrics would be affected.

What you should be aware of with Matter is what they provide now, how they have adapted Matter, and also how they are updated.
Eve products have already established pretty good support with Matter, where the firmware updates come with new and better features and also move stuff from their cloud solution to Matter when possible. Eve Energy could not provide energy readings in the beginning because the Matter protocol did not support it, but once it did, Eve updated the Eve Energy.
Eve Energy also uses the CSA DCL for downloads, which means any Matter device that supports this will be able to update Eve products, including HA.
I have a couple of Onvis S4 smart plugs and I was surprised that the update process required an Apple Matter hub to be successful, which kind of makes it an Apple-exclusive Matter product, since there might always be a chance of a critical update, and that was also the case with the Onvis S4, where the first firmware at times refused to forward packets but still accepted receiving them.

Agree - and the CSA explicitly changed the Matter specification to increase openness and stop vendor-only clouds with the Matter v1.4 spec update: