
A researcher has uncovered a design flaw in Shelly’s Wall Display that left users with a difficult choice: disable a key advertised feature, or leave their smart home device exposed to unauthenticated Bluetooth access.
- A flaw in Shelly’s Wall Display left users stuck with an unenviable choice: keep Bluetooth on and risk unauthenticated access, or turn it off and lose the temperature feature.
- The bug was serious enough that an attacker nearby could potentially reconfigure the device, move it onto a rogue network, and use it as a way into the wider home network.
- Shelly quietly fixed the issue in newer firmware without flagging it as a security patch, so the advice for users is simple: update fast, because many may not realize the update matters.
Pen Test Partners uncovered a vulnerability affecting Shelly's Wall Display smart home controller that could have allowed attackers within Bluetooth range to take control of the device, reconfigure its network settings, and compromise the victim’s home network.
According to the firm’s security researcher, Alan Monie, the manufacturer added a Bluetooth temperature sensor to all Wall Displays after users reported inaccurate readings.
Monie speculates that the device’s own heat was skewing the built-in sensor’s readings, prompting the move to an external Bluetooth sensor.
However, this workaround introduced a new security dilemma: users had to keep Bluetooth enabled permanently to retain temperature-monitoring functionality.
Bluetooth workaround creates flaw
Monie found that the Wall Display exposed its RPC interface over Bluetooth, allowing nearby devices to issue commands and change the device’s configuration without authentication.
Unlike on other modern Shelly devices, where RPC over Bluetooth can be switched off on its own, Wall Display users could not disable this access without disabling Bluetooth entirely.
“It’s all or nothing,” Monie wrote in a blog post. “Switch off Bluetooth, and you lose your temperature sensor. Leave Bluetooth on, and RPC is exposed.”
Broader smart home network under attack
Monie has a track record of uncovering vulnerabilities in Shelly products. In February, he discovered a flaw in Gen 4 Shelly devices that could have affected millions of smart homes.
The vulnerability, which has since been patched, left the WiFi setup access point reachable after installation.
This could have enabled nearby attackers to control doors, garages, and gates, or pivot into home networks.
It was during this previous investigation that Monie started looking more broadly at the Bluetooth configuration across Shelly’s modern device range and found the Wall Display issue.
Like the Gen 4 issue, the temperature sensor issue leaves networks vulnerable to attack, Monie said.
“It would be possible for an attacker within Bluetooth range to connect to the Wall Display and reconfigure any aspect of it. This includes connecting it to an attacker’s wireless network and gaining complete control over the device.”
The researcher added that the issue also matters because the Wall Display sits on the home network – creating a route from local access to broader network exposure.
“If the attacker can reconfigure the network access points, they may be able to use the wall display to pivot onto the internal network,” Monie wrote.
Quiet patching
The vulnerability was disclosed to Shelly on February 16th, and Shelly shipped a fix in its April 2.6.0 beta firmware, described in the release notes only as “Fix missing Switch RPC service.” Monie criticised Shelly for issuing the patch without acknowledging the issue or crediting Pen Test Partners.
Because the fix was shipped quietly, without broader communication to the user base, many users will be unaware of the flaw or of how important it is to update.
“Anyone scanning release notes to decide whether to update urgently would have no idea this was a security fix, let alone one that left their device open to unauthenticated Bluetooth control,” Monie added.
For Wall Display owners, the advice is fairly simple: update to firmware 2.6.2. Owners of other modern Shelly devices should check whether RPC over Bluetooth is enabled and turn it off.
“If you have a Wall Display and don’t use the bundled Bluetooth temperature sensor, disabling Bluetooth entirely in Settings removes the risk,” Monie adds.
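The two checks recommended above (is Bluetooth on, and is RPC over Bluetooth on) can be scripted across a fleet of Shelly devices. The following is an added example, not code from Pen Test Partners or Shelly. It assumes the Shelly Gen2+ HTTP RPC endpoints `/rpc/Ble.GetConfig` and `/rpc/Ble.SetConfig` and a BLE config object shaped like `{"enable": bool, "rpc": {"enable": bool}}`, which is how Shelly’s public Gen2+ API documents the BLE component; verify the field names against the docs for your firmware before trusting the result. The sample config embedded for offline use is constructed.

```python
"""Audit (and optionally fix) RPC-over-Bluetooth exposure on Shelly Gen2+ devices.

Added example, not Shelly's or Pen Test Partners' code. Assumed API surface
(taken from Shelly's public Gen2+ RPC docs; verify for your firmware):
  POST http://<host>/rpc/Ble.GetConfig  -> {"enable": bool, "rpc": {"enable": bool}, ...}
  POST http://<host>/rpc/Ble.SetConfig  <- {"config": {...partial BLE config...}}
"""
import json
import sys
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the assumed Ble.GetConfig response for offline use.
SAMPLE_EXPOSED = {"enable": True, "rpc": {"enable": True}, "observer": {"enable": False}}


@dataclass
class BleVerdict:
    ble_enabled: bool
    rpc_over_ble: bool
    exposed: bool   # True when RPC is reachable over Bluetooth (the article's finding)
    action: str


def assess_ble_config(config: dict, wall_display: bool = False) -> BleVerdict:
    """Decide whether a device's BLE config leaves RPC reachable over Bluetooth.

    Missing keys are treated as 'off', so an unexpected config shape reads as
    safe; cross-check against the firmware's docs if a device reports 'ok'
    but still advertises over Bluetooth.
    """
    ble = bool(config.get("enable", False))
    rpc = bool(config.get("rpc", {}).get("enable", False))
    exposed = ble and rpc
    if not ble:
        action = "ok: Bluetooth off"
    elif not rpc:
        action = "ok: Bluetooth on, RPC over BLE disabled"
    elif wall_display:
        # Per the article, the Wall Display cannot disable RPC over BLE on its own.
        action = ("update to firmware 2.6.2, or disable Bluetooth entirely "
                  "if the bundled temperature sensor is not used")
    else:
        action = "disable RPC over BLE (Ble.SetConfig rpc.enable=false)"
    return BleVerdict(ble, rpc, exposed, action)


def disable_payload(turn_off_bluetooth: bool = False) -> dict:
    """Body for Ble.SetConfig: drop RPC over BLE, or switch BLE off altogether."""
    if turn_off_bluetooth:
        return {"config": {"enable": False}}
    return {"config": {"rpc": {"enable": False}}}


def rpc_call(host: str, method: str, params: Optional[dict] = None,
             timeout: float = 5.0) -> dict:
    """POST a JSON body to http://<host>/rpc/<method> and return the parsed reply.

    Devices with a password set answer 401 and expect HTTP digest auth; add an
    opener with urllib.request.HTTPDigestAuthHandler in that case.
    """
    data = json.dumps(params or {}).encode()
    req = urllib.request.Request(f"http://{host}/rpc/{method}", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def main(argv):
    """Usage: audit_ble.py [--fix] [--wall-display] HOST [HOST ...]"""
    hosts = [a for a in argv[1:] if not a.startswith("--")]
    if not hosts:
        print(main.__doc__)
        return 2
    fix = "--fix" in argv
    wall_display = "--wall-display" in argv
    for host in hosts:
        cfg = rpc_call(host, "Ble.GetConfig")
        verdict = assess_ble_config(cfg, wall_display=wall_display)
        print(f"{host}: ble={verdict.ble_enabled} rpc_over_ble={verdict.rpc_over_ble} "
              f"-> {verdict.action}")
        # Only auto-fix where RPC over BLE can be disabled separately; the
        # Wall Display needs the firmware update or Bluetooth off entirely.
        if fix and verdict.exposed and not wall_display:
            reply = rpc_call(host, "Ble.SetConfig", disable_payload())
            print(f"{host}: Ble.SetConfig -> {reply}")  # may report restart_required
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_ble.py --wall-display 192.168.1.50` for a Wall Display, or with `--fix` against other Gen2+ devices to turn RPC over BLE off in place. The `--fix` path deliberately refuses to touch a Wall Display, because on that device the only fixes the article reports are the 2.6.2 update or disabling Bluetooth altogether.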
The researcher remains critical of the Bulgaria-based manufacturer, whose products are used in almost 5.2 million homes globally.
“Shelly sold the Wall Display with temperature monitoring as a feature, then had to retrofit it via Bluetooth and, in doing so, created a device that users genuinely cannot secure without sacrificing advertised functionality.”
Cybernews has reached out to Shelly for comment and will update this article if a response is received.