A significant design flaw in Shelly’s new Gen 4 home security devices could leave millions of European homes open to attacks, claims Pen Test Partners.
Security researchers at a cybersecurity consulting firm claim they have discovered a major vulnerability in Shelly smart home products, a European home security system provider.
Currently, Shelly products are used in more than 5.2 million European homes. This design issue creates an invisible backdoor into private homes that most users will never find, Pen Test Partners alleges.
Shelly’s new Gen 4 smart home devices keep the open wireless access point needed for initial configuration switched on permanently, even after being properly connected to a home Wi-Fi network, alleges Pen Test Partners. This leaves a hidden network running in the background without user knowledge or consent, long after setup.
In contrast, the company’s previous models automatically turned this access point off after the device was connected to a home Wi-Fi network.
This flaw can allow anyone standing outside a private home to use the resident’s Wi-Fi network to open their front door, garage door or gate, creating a physical security risk of burglary and break-ins.
However, the issue runs far deeper. A wider investigation carried out by Pen Test Partners claims it is more than a simple design problem.
The current Gen 4 vulnerability means that a single affected device can be used as a springboard to gain access to nearly every smart home device- regardless of whether they are Shelly products or not.
With many smart homes across Europe still running mixed-generation networks, both with Shelly and other products, this can cause a serious lack of protection- both online and offline.
No remedial action taken yet
Pen Test Partners said it had notified Shelly of this security gap, and the company said Firmware 1.8.0, a series of device updates, would address this flaw.
This has left users to manually disable the access points themselves, which most homeowners may not know they need to do.
“They should be doing a big communication campaign to explain that an access point was left open and explain how to deactivate it. They haven’t done it because it’ll likely impact their reputation,” Ken Munro, founder at Pen Test Partners, told Euronews Next.
Shelly told Euronews Next that users who follow official setup methods through their mobile app automatically have the access point disabled.
Users who choose manual configuration receive warnings to secure the access point. An upcoming firmware update will auto-disable access points after a timeout period.
"We would like to emphasise that all configuration flows and digital assets within the Shelly ecosystem - including our mobile app and web cloud interface- provide clear guidance to users on securing their devices," a Shelly spokesperson told Euronews Next.
"Any configuration choices made outside of these recommended workflows, including leaving the access point unsecured, are ultimately a matter of user preference and fall outside the scope of direct platform control.
"As with any connected device, users remain free to configure their hardware according to their own needs, and we actively encourage them to follow the security recommendations provided during setup," it added.
Shelly also highlighted that it would be introducing an improvement which will enable the access point to be automatically disabled after a predefined timeout, unless it is explicitly needed for configuration or provisioning, in an upcoming firmware release.
Rising trend of vulnerabilities in connected devices
In the last few years, an increasing number of smart home and other connected devices have come under fire for significant vulnerabilities. This includes Amazon’s Ring doorbells and Dahua security cameras.
“Our area of expertise is connected devices and we test all sorts of smart home systems," Munro noted.
“We’ve seen similar issues in solar inverters and even found a similar vulnerability in a car more than 10 years ago.”
Data leakage, especially when it comes to usage and behavioural data, from these smart home devices, is another key issue.
“Sometimes we find people’s usage and behaviour data leaked accidentally. Smart device manufacturers will collect usage data to improve their products, and they’ll often forget that individual data can be quite informative,” Munro said.
