ADVERTISEMENT

Millions of smart homes at risk as Shelly flaw lets hackers open doors and garages

Ethical hackers have uncovered a flaw in a new generation of popular smart-home devices that could allow someone standing outside a property to open the owners’ doors, garages, or gates via WiFi.

Hacking smart homes

Image by Cybernews

Ann-Marie Corvin
Ann-Marie Corvin Senior Journalist
Feb 13, 2026 Updated: 17 February 2026 4 min read
Key takeaways:
jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.
top status bar shelly
Status bar is the only clue of additional access point

Pivoting to other IoT devices

“An often-overlooked issue of being able to compromise devices is that it’s likely also connected to another wireless network. This means that an attacker can pivot from one device to other devices on a different network.”
Pen Test Partners researcher Alan Monie
Shelly devices on wigle
Just some of the Shelly devices on wigle.net. PenTest Partners
ADVERTISEMENT
"We would like to explicitly clarify that throughout the manual configuration process the user is repeatedly warned that the device AP is open and unsecured. Multiple warning messages are shown during setup and must be intentionally ignored for the AP to remain accessible."
Shelly Support Team
  • If no password is configured, the device AP will automatically disable after 15 minutes
  • If the device has Wi-Fi credentials configured, the AP will not start again after restart unless the customer performs a factory or network reset
"In the Shelly Gen4 case, the concern isn’t just the initial setup access issue but what it enables. If a device exposes an open setup access point, a nearby attacker can get a foothold. From there, the real risk is lateral movement."
Ken Munro, founder at Pen Test Partners

ADVERTISEMENT