I recently sat down with Sam Gabbay, the co-founder and CEO of arre, to discuss TUO's process for delivering secure products.
arre makes smart home products that are stunningly designed—from the Matter-certified security inside to their elegantly unobtrusive outside. The products we tested paired immediately, balancing ease of use with exceptional customization for consumers who aren’t engineers.
How did they do it? Not by accident. arre’s strategy is to design and build uncompromising products that deliver an amazing customer experience every time.
The Matter protocol is an essential part of the equation, and arre partnered with DigiCert to enable Matter and get to market faster. You can purchase arre products at arreHome.com and Amazon.com, with more retailers signing up for launch in the coming months.
A: arre was born out of a need and necessity to solve a problem that we saw. And being from New York, we couldn’t think of a better place than this iconic city to build our product from the ground up, like so many buildings here are.
We tried to focus on aesthetics, and that translates from the exterior of the product to the interior integrity and to the software that’s the foundation for all of it. It’s a multi-layered process that we’re trying to keep consistent.
A: Short answer: making smart homes actually smart—and really simple. Our products have a simple and beautiful aesthetic on the outside, and they’re sophisticated and secure on the inside. That combination is the “smart” in a smart home.
A: You’re lying to yourself if you say security isn’t occasionally a roadblock, but we see it as an opportunity. Either way, you have to solve it.
I think one of the most important things, one of the most fundamental pieces of a product that we build, is security. We will never compromise on security—or privacy, for that matter.
We understand from a consumer's perspective and from a business perspective how important it is for those two things to come together. That’s something that we will never compromise on in any of our products. We try to keep that philosophy from when we started to as we grow continuously throughout everything that we do. But I’m surprised how often companies aren’t able to go from roadblock to opportunity—which turns simple software into bloatware and delays their products from getting to market.
A: Privacy and security. They’re two different things, but they go hand in hand. If you have a secure product, but it's not private, I almost wouldn't call it secure. If there are vulnerabilities, if there are back doors, if there's something that can happen to break the integrity of the product, I wouldn't call it secure. If it's not private, it's not secure, and if it's not secure, it's not private.
As a customer, if I buy a product from a retailer or online and I'm putting that product in my home, I'm assuming that there is some standard being put in there that's keeping it secure. That isn't always the case. That is something that we believe the consumer has a right to know about.
A: The Matter logo on our box is something that allows us to convey a bunch of things in one logo. The promise of Matter is to allow interoperability across multiple ecosystems. Before Matter existed, the way to build a smart home product would be number one, pick an ecosystem. You want Google, you’ve got to go that route. You want Amazon, you’ve got to go that route. You want Apple Home, which we love, you’ve got to go that route. There was no easy way to create one product that would be certified or easily certifiable across multiple ecosystems.
The promise of Matter allows a manufacturer like us and a company like us to create one product that I know will work across multiple platforms and ecosystems. Still, I would venture to say that the consumer should do their research on what is on the device and how that security is handled.
On our Amazon pages, for example, we say that our devices are trusted by DigiCert because we want that open and honest transparency with the customer so that they know not only that our devices are secure but to also look for it in other products they might consider. Because you don't know what sort of DIY security might be in the other products, you don't know how secure it is. Some of those products are not secure by design, and they don’t want to identify who their security partner is. They give you the illusion of security, but there's nothing real or trusted underneath it.
A: I don't believe you can have interoperability without security. I think PKI facilitates that magic. It allows an application layer like Matter to exist in a way where you can have one product that pairs across multiple ecosystems. And for the customer, well, that's the beauty of Matter and that's the beauty of what we do with our product is to make it as easy as possible, so they aren’t required to fully understand the process.
They shouldn't have to see what goes on underneath. They should simply be able to take the product out of the box—which is a beautiful box, by the way—scan the barcode with their phone, and be done with it.
Our products are designed in a way so that they fit in with your home and blend in. You set it and forget it, in some cases. With our temperature sensor, you want to mount it to your wall, you mount it to your wall. You want to put it on a stand on a shelf, it's there to work, it's there to exist, but it's not there to be intrusive in your life.
A: When we first started out, we didn't know exactly which direction to go when it came to security. We wanted the best, but we didn't know exactly where to turn.
DigiCert came in and showed us what they had and showed us that they could take what we had and get us up and running two months faster than the competition with cutting-edge security in our product.
It was a win-win. We got up and running as quickly as possible with DigiCert. Their platform enabled us to take what we had and basically just throw it away and just use them. We got the certificates, they showed us exactly what to do, and everything else was handled by us, which is exactly the philosophy that we at TUO want to deliver to our customers. For us to be treated in the same way we're treating our customer was something that we appreciated very much.
A: When I was building my software, I was building without the trusted certificates. I did that on purpose because when you're testing, you're testing. But when it comes to a production-ready product, if you get that product, unbox it, pair it, and it works the way that it should the first time, you obviously did something right.
We worked hard to get to that point where we opened the product for the first time, a completed product, a product with a trusted root CA or trusted root source for certificates on the device, paired it, did not get any errors, did not get any warnings, and we were so excited because it was as simple as we’d designed it to be and it was secure and interoperable. It checked all the boxes.
As an engineer, I didn’t assume that we would have something without any errors the first time. Obviously, we test and test because there are occasional problems and things come up that we solve for. But when we had a product that was ready to go and Matter-compliant, it was a magical experience for us. That's the kind of experience we wanted for the customer, and we're happy that we were able to partner with DigiCert to get that done right the first time.
A: By working directly with the team, we’ve taken what was already a simple process and made it even simpler. What would have taken me around two months to get up and running with the PKI solution, the CA roots and all that, that was done within a couple of days.
When it comes to generating certificates to put onto the device, that used to take a couple of hours to do, which was already a simple process. But when I attended DigiCert Trust Summit, I sat down with the team for 30 to 45 minutes, and we were able to take the couple of hours' worth of work and simplify it to 30 seconds. The sigh of relief when pushing the now one button it takes to generate certificates to load them on tens of thousands of devices, it was magic.
The tools that DigiCert has given me have enabled me to focus on what’s most important to me, which is designing beautiful products, focusing on the software, and ensuring that the product works as intended. All I have to do is click one button and within 30 seconds I can have thousands of certificates ready to be embedded on my devices for production.
I don't have to worry about security. I know I can go to sleep at night knowing that DigiCert is handling all that for me in the proper way. I don't have to handle audits. I don't have to handle the attestation. They're handling all of that. All I have to do is click one button and I'm off to the races.
A: A customer called and wanted to know if our smart button would pair with Samsung SmartThings, and we said, "Of course it does." They told us the use case, and it was for an individual who was nonverbal, and they wanted to use the button in a way for the person to communicate and send a message if something was wrong or if something was good.
Because the button allows for three different actions, they can single-press, double-press, or long-press, depending on their mood or their feeling or whatever they needed at that particular time. That was a magical moment for me personally.
We’ve heard use cases from people who were 23 all the way up to 80 years old. Another customer call was recently forwarded to me where our team thought they were helping troubleshoot the set-up process. After asking the usual questions to assess the situation, the customer said, “No, no, no, it’s working just fine. I’m calling because I love it.” To me, that was the ultimate validation.