A critical vulnerability in Shelly smart home devices has left over 5.2 million European homes at risk of unauthorized access. Security researchers at Pen Test Partners discovered that the latest generation (Gen 4) of Shelly devices keeps a hidden Wi-Fi access point permanently active, even after connecting to a home network. This backdoor allows anyone nearby to bypass security measures, potentially gaining control of doors, gates, and other connected devices.
The Hidden Backdoor Explained
Unlike older Shelly models, which automatically shut down the temporary access point after setup, Gen 4 devices leave it running indefinitely. This design flaw creates an invisible entry point for hackers, allowing them to exploit the homeowner’s network without the homeowner’s knowledge.
The consequences are severe. An attacker could use this open access point to unlock smart locks, open garage doors, or disable security systems – all without triggering alarms or leaving obvious traces.
Broader Network Risk
The problem extends beyond Shelly devices. A single compromised Gen 4 device can act as a gateway to an entire smart home network, including devices from other manufacturers. Many European households mix smart home brands, making them particularly vulnerable. The issue is not just about one product failing; it’s about cascading failures across interconnected systems.
Delayed Response, User Responsibility
Pen Test Partners notified Shelly of the vulnerability, prompting the company to release Firmware 1.8.0 as a fix. However, the update requires manual installation, and most users are unaware they need to take action. According to Ken Munro, founder of Pen Test Partners, Shelly has been slow to communicate the issue due to reputational concerns.
Shelly claims their mobile app guides users to secure devices properly, but this relies on following official setup procedures. Users who manually configure their devices receive warnings about securing the access point. An upcoming firmware update will automatically disable the open access point after a timeout period, but until then, homeowners must take initiative.
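For homeowners who want to check their own devices, the two conditions described above (firmware older than 1.8.0, and a device access point that is still switched on) can be audited from each device's status data. The following is an added example, not code from Shelly or Pen Test Partners; it assumes replies shaped like Shelly's local RPC methods Shelly.GetDeviceInfo (fields gen, ver) and Wifi.GetConfig (fields ap.enable, ap.is_open), and the sample replies and device names are constructed.

```python
import re

FIXED = (1, 8, 0)  # firmware release the article names as the fix

def parse_version(ver):
    """'1.8.0-beta3' -> ((1, 8, 0), True); None if the string is unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", str(ver or ""))
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3]), bool(m.group(4))

def audit_device(info, wifi_cfg):
    """Return a list of findings for one device.

    info     -- dict shaped like a Shelly.GetDeviceInfo reply (assumed: gen, ver)
    wifi_cfg -- dict shaped like a Wifi.GetConfig reply (assumed: ap.enable, ap.is_open)
    """
    findings = []
    # The 1.8.0 threshold comes from the article and concerns Gen 4 only.
    if info.get("gen", 0) >= 4:
        parsed = parse_version(info.get("ver"))
        if parsed is None:
            findings.append("firmware version unreadable")
        else:
            numbers, prerelease = parsed
            # A pre-release of 1.8.0 is treated as older than the fix.
            if numbers < FIXED or (numbers == FIXED and prerelease):
                findings.append("firmware %s predates 1.8.0" % info["ver"])
    # An enabled device access point is worth flagging on any generation.
    ap = wifi_cfg.get("ap") or {}
    if ap.get("enable"):
        kind = "open" if ap.get("is_open") else "password-protected"
        findings.append("device access point enabled (%s)" % kind)
    return findings

# Constructed sample replies, keyed by a made-up device name.
SAMPLES = {
    "garage": ({"gen": 4, "ver": "1.7.1"}, {"ap": {"enable": True, "is_open": True}}),
    "hall": ({"gen": 4, "ver": "1.8.0"}, {"ap": {"enable": False, "is_open": True}}),
    "gate": ({"gen": 4, "ver": "1.8.0-beta3"}, {"ap": {"enable": True, "is_open": False}}),
    "old-plug": ({"gen": 2, "ver": "1.4.4"}, {"ap": {"enable": True, "is_open": True}}),
}

def audit_all(samples):
    """Map each device name to its findings, omitting clean devices."""
    report = {name: audit_device(*pair) for name, pair in samples.items()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```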
The Growing Trend of IoT Vulnerabilities
This isn’t an isolated incident. Smart home devices are increasingly targeted by hackers, with Amazon Ring doorbells and Dahua security cameras among recent victims. The underlying issue is a rush to market without prioritizing basic security measures.
Manufacturers often collect user data to improve products, but when that data leaks it can reveal behavioral patterns that hackers exploit. The problem isn’t just hardware flaws; it’s also poor data management practices.
“We’ve seen similar issues in solar inverters and even found a similar vulnerability in a car more than 10 years ago.” – Ken Munro, Pen Test Partners
The rise of connected devices means more attack surfaces for malicious actors. Until manufacturers prioritize security by default, consumers remain vulnerable.
The bottom line is clear: smart home security is only as strong as its weakest link. Until companies address these fundamental flaws and consumers take proactive steps to secure their networks, smart homes will remain a prime target for hackers.