Could Your Home Security Be a Hidden Risk?

Security Flaw in Shelly Smart Home Devices Sparks Concern

Security researchers from a cybersecurity consulting firm have uncovered a significant vulnerability in smart home products from Shelly, a European provider of home security systems. This issue affects over 5.2 million homes across Europe and could leave them exposed to potential breaches.

The problem lies in the design of Shelly’s Gen 4 smart home devices. According to Pen Test Partners, these devices keep an open wireless access point active even after they are connected to a home Wi-Fi network. This creates a hidden network that runs in the background without the user's knowledge or consent, posing a serious security risk.

In contrast, earlier models of Shelly devices automatically turned off the access point once they were connected to the Wi-Fi network. The current flaw, however, allows anyone outside a home to use the resident's Wi-Fi network to access their front door, garage, or gate. This opens the door to potential burglary and break-ins.

A Deeper Security Risk

Pen Test Partners’ investigation reveals that this vulnerability goes beyond a simple design flaw. The Gen 4 device can act as a gateway to access nearly all smart home devices, regardless of the brand. With many European homes using mixed-generation networks that include both Shelly and other products, this could lead to significant security gaps.

Despite being informed of the issue, Shelly has not taken immediate remedial action. Instead, the company has released firmware version 1.8.0, which is intended to address the vulnerability. However, users must manually disable the access points themselves, a step that most homeowners may not be aware of.
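Because disabling the access point is left to the owner, anyone running several devices can script the check. The Python below is an added example, not code from Shelly or Pen Test Partners; it assumes the devices answer the Shelly Gen2+ local RPC methods WiFi.GetConfig and WiFi.SetConfig over HTTP on the home LAN without authentication, and the addresses and SSIDs are constructed sample values.

```python
import json
import urllib.request

def classify_ap(wifi_config):
    """Classify the 'ap' section of a WiFi.GetConfig result."""
    ap = wifi_config.get("ap")
    if not isinstance(ap, dict) or "enable" not in ap:
        return "unknown"          # unexpected shape: review by hand
    if not ap["enable"]:
        return "ap_off"
    # Treat a missing is_open as open: fail towards reporting the risk.
    return "ap_open" if ap.get("is_open", True) else "ap_protected"

def disable_ap_request(request_id=1):
    """JSON-RPC body (POST to http://<device>/rpc) that turns the AP off."""
    return {"id": request_id, "method": "WiFi.SetConfig",
            "params": {"config": {"ap": {"enable": False}}}}

def fetch_wifi_config(host, timeout=5):
    """Read the Wi-Fi config over HTTP from a device on your own LAN."""
    url = f"http://{host}/rpc/WiFi.GetConfig"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def audit(hosts, fetch=fetch_wifi_config):
    """Return {host: status}; unreachable devices are reported, not skipped."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify_ap(fetch(host))
        except (OSError, ValueError):   # network error, HTTP error, bad JSON
            report[host] = "unreachable"
    return report

# Constructed sample responses (not captured from real devices).
SAMPLE = {
    "192.0.2.10": {"ap": {"ssid": "ShellyExample-AAAA", "is_open": True, "enable": True}},
    "192.0.2.11": {"ap": {"ssid": "ShellyExample-BBBB", "is_open": True, "enable": False}},
    "192.0.2.12": {"ap": {"ssid": "ShellyExample-CCCC", "is_open": False, "enable": True}},
}

def demo_fetch(host):
    """Offline stand-in for fetch_wifi_config, backed by SAMPLE."""
    if host not in SAMPLE:
        raise OSError("no such sample device")
    return SAMPLE[host]

if __name__ == "__main__":
    for host, status in audit(list(SAMPLE) + ["192.0.2.99"], demo_fetch).items():
        print(host, status)
    print(json.dumps(disable_ap_request()))
```

Any device reported as ap_open is still broadcasting an unprotected access point; after sending the WiFi.SetConfig body to it, run the audit again to confirm it reports ap_off.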

Ken Munro, founder of Pen Test Partners, commented that the company should launch a communication campaign to inform users about the open access point and how to disable it. He suggested that failing to do so might impact Shelly’s reputation.

Shelly’s Response

Shelly stated that users who follow the official setup process through their mobile app automatically have the access point disabled. For those who choose manual configuration, warnings are provided to secure the access point. An upcoming firmware update will also automatically disable access points after a timeout period.

A Shelly spokesperson emphasized that all configuration flows and digital assets within the Shelly ecosystem provide clear guidance on securing devices. They added that any configuration choices made outside of recommended workflows fall under user preference and are beyond direct platform control.

The company also mentioned that future firmware updates will allow the access point to be automatically disabled after a predefined timeout unless it is needed for configuration or provisioning.

Growing Concerns Over Connected Device Vulnerabilities

This issue is part of a broader trend where an increasing number of smart home and connected devices have been found to have significant vulnerabilities. Examples include Amazon’s Ring doorbells and Dahua security cameras.

Munro noted that his team tests various smart home systems and has encountered similar issues in solar inverters and even in cars over a decade ago. Data leakage from these devices is another critical concern, as usage and behavioral data can sometimes be accidentally leaked.

“Smart device manufacturers collect usage data to improve their products, but they often forget that individual data can be quite informative,” Munro said.

As the reliance on smart home technology grows, ensuring robust security measures becomes increasingly important. The discovery of this vulnerability in Shelly devices highlights the need for ongoing vigilance and proactive steps by both manufacturers and users to protect their homes and personal information.