ADVERTISEMENT

Pentesters turn up the heat on Shelly as Bluetooth thermostat flaw leaves smart homes exposed

A researcher has uncovered a design flaw in Shelly’s Wall Display that left users with a difficult choice: disable a key advertised feature, or leave their smart home device exposed to unauthenticated Bluetooth access.

shelly wall display

Image by Cybernews

Ann-Marie Corvin
Ann-Marie Corvin Senior Journalist
Jun 4, 2026 Updated: 9 June 2026 3 min read
Key takeaways:
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.

Bluetooth workaround creates flaw

"It’s all or nothing. Switch off Bluetooth, and you lose your temperature sensor. Leave Bluetooth on, and RPC is exposed.”
Alan Monie, security researcher, Pen Test Partners

Broader smart home network under attack

Hacking smart homes
Earlier this year Pen Test Partners uncovered a flaw in Shelly IoT devices that left millions of smart homes exposed. Image by Cybernews
ADVERTISEMENT
“If the attacker can reconfigure the network access points, they may be able to use the wall display to pivot onto the internal network."
Alan Monie, security researcher, Pen Test Partners

Quiet patching

Patch on software. Concept of software patching
According to Pen Test Partners, Shelly fixed the issue quietly meaning not all users are aware of urgent need to update.

Has your password leaked?

Enter your password to check if it has leaked. Having a leaked password creates the risk of identity theft, financial damages, and worse!
35,607,543,468
Exposed Passwords
Ad
Protect your personal information from cybercriminals and get 50% off the top-rated password manager
link_title link_title
  • Firmware 2.6.0 introduced a requirement for explicit user approval of RPC-over-BLE requests.
  • Firmware 2.7.0 further restricted BLE access by disabling it unless the user explicitly enables the feature.
  • Shelly notes that exploiting the issue requires physical proximity to the device.
  • The company says the changelog omission referenced by Pen Test Partners were unintentional and that the release notes have since been updated to explicitly document the security fix.
  • Shelly says security improvements remain an ongoing priority and that it continues to review and strengthen its products.

ADVERTISEMENT