Shelly to release firmware update to address flaw in smart home devices

Smart home manufacturer Shelly says it will release a firmware update next week to automatically disable unsecured setup access points on its Gen 4 devices, following scrutiny from security researchers, who still believe this amounts to a “flaw.”
Cybernews previously reported on research from Pen Test Partners highlighting that some Shelly Gen 4 devices could keep their setup WiFi access point active after installation, potentially allowing someone nearby to connect locally to the device and interact with connected systems if the access point was left unsecured.
In a statement issued to Cybernews, the company said the behavior stems from an intentional installation feature rather than a security flaw.
“The reported behavior concerns the device's WiFi Access Point (AP) mode. This is not a vulnerability, backdoor, or unauthorized access mechanism,” Shelly said.
“It is an intended installation feature present since Gen2 devices, designed to simplify deployment and configuration – especially in multi-device installations.”
The firm explained that the AP is designed to remain available during manual installation so users and installers can complete configuration tasks, including firmware updates and network checks. It added that customers are notified during setup.
“We would like to explicitly clarify that throughout the manual configuration process, the user is repeatedly warned that the device AP is open and unsecured.”
Shelly also stressed that access requires physical proximity.
“We would also like to emphasize that the described behavior does not allow remote internet access and requires physical proximity to the device network.”
The upcoming firmware release is intended to reduce the likelihood that the access point remains active longer than necessary.
“Next week, we will release a firmware update introducing an automatic protection mechanism,” Shelly said.
“If no password is configured, the device AP will automatically disable after 15 minutes. If the device has WiFi credentials configured, the AP will not start again after a restart unless the customer performs a factory or network reset.”
The company said the changes are designed to “strengthen security while preserving the practical installation workflow required by both professionals and advanced users.”
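The two rules Shelly describes (an unsecured AP is torn down after 15 minutes; once WiFi credentials exist, the AP does not come back after a restart without a factory or network reset) form a small lifecycle policy. The following is an added illustration written for this article, not Shelly firmware code: it models that policy as a state machine so the reader can see which device states leave the setup AP broadcasting. All names (`DeviceState`, `boot`, `tick`, `reset`, `simulate`) and the event vocabulary are assumptions made for the example.

```python
"""Model of the setup-AP auto-disable policy described in the vendor statement.

Added example, not Shelly firmware. It encodes the two quoted rules:
  1. With no AP password configured, the setup AP is disabled 15 minutes
     after it comes up.
  2. Once WiFi (station) credentials are configured, the AP does not start
     again after a restart unless a factory or network reset occurs.
Names and event vocabulary are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AP_OPEN_TIMEOUT_SECONDS = 15 * 60  # "automatically disable after 15 minutes"


@dataclass
class DeviceState:
    ap_password_set: bool = False        # has the user secured the setup AP?
    wifi_credentials_set: bool = False   # has the device been given home-network credentials?
    ap_enabled: bool = False             # is the setup AP currently broadcasting?
    ap_started_at: Optional[float] = None  # time (seconds) the AP came up, if running


def boot(state: DeviceState, now: float) -> DeviceState:
    """Rule 2: on (re)boot, only bring the AP up if no station credentials exist."""
    if state.wifi_credentials_set:
        state.ap_enabled = False
        state.ap_started_at = None
    else:
        state.ap_enabled = True
        state.ap_started_at = now
    return state


def tick(state: DeviceState, now: float) -> DeviceState:
    """Rule 1: an unsecured AP is torn down once the timeout elapses.
    A password-protected AP is left under the user's control."""
    if state.ap_enabled and not state.ap_password_set and state.ap_started_at is not None:
        if now - state.ap_started_at >= AP_OPEN_TIMEOUT_SECONDS:
            state.ap_enabled = False
            state.ap_started_at = None
    return state


def reset(state: DeviceState, now: float) -> DeviceState:
    """Factory/network reset clears credentials, so the device boots back into setup mode."""
    state.wifi_credentials_set = False
    state.ap_password_set = False
    return boot(state, now)


def simulate(events: List[Tuple[float, str]]) -> List[Tuple[float, str, bool]]:
    """Apply (time, event) pairs in order and record whether the AP is up after each.
    Events: 'boot', 'tick', 'set_wifi', 'set_ap_password', 'reset'."""
    state = DeviceState()
    trace = []
    for now, event in events:
        if event == "boot":
            boot(state, now)
        elif event == "tick":
            tick(state, now)
        elif event == "set_wifi":
            state.wifi_credentials_set = True
        elif event == "set_ap_password":
            state.ap_password_set = True
        elif event == "reset":
            reset(state, now)
        else:
            raise ValueError(f"unknown event {event!r}")
        trace.append((now, event, state.ap_enabled))
    return trace


if __name__ == "__main__":
    # Constructed scenario: install, join WiFi, reboot, then factory reset.
    for row in simulate([(0, "boot"), (5, "set_wifi"), (900, "tick"),
                         (1000, "boot"), (2000, "reset")]):
        print(row)
```

The model makes the disputed point concrete: before the update, a device in the `boot` state with no password never leaves `ap_enabled=True`; after it, only a device that is both unsecured and less than 15 minutes past boot, or one that has never been given WiFi credentials, keeps the AP broadcasting.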
Usability feature or flaw?
However, Ken Munro, founder at Pen Test Partners — the firm that published the research — still maintains that the behavior amounted to a flaw in its Gen 4 products and that it wasn't simply a usability feature.
“It’s a security flaw, it was accepted by Shelly as one, and they are fixing the security flaw in order to address the vulnerability,” he said.
“It would be a usability feature if the open access point was automatically taken down after configuration. Leaving it up is a vulnerability,” he added.
Munro also claims that while Shelly’s Gen 4 products did come with a warning, it simply wasn’t clear enough.
“There is a warning deep in the user manual, but there is no warning during installation via the web interface,” he said.