Security exposure? is it true that no credentials are required to override Shelly firmware / settings?

joseLRD

Hi,

in a separate thread in this forum I learned of mgos-to-tasmota and it's ability to migrate Shelly's stock firmware through OTA.

It's a great tool, I'm very happy and thankful it exists. It is allowing me to migrate from Shelly's stock firmware to the much more powerful Tasmota without having to remove the switches from the wall

However, what surprised me (and scared at the same time) is the lack of authentication / credentials for doing this. Anybody in the SAME network with the right knowledge (guest, friend or hacker) could override the device settings and/or firmware of ALL Shelly switches anytime!

If this is true I think it is a huge security exposure in Shelly's firmware and users should be made aware of it!

My expectation is that at least a password is required in order to override the firmware.

Could anybody please confirm or correct this observation?

Thanks!

blackthornedk

I just did this.

My device had a password on the web page, and I did a firmware update on the 'wrong' device.

Ended up cutting power to my desktop, and loosing the password I just entered on the device in the process.

Yes I should have written it down somewhere safe (pw manager was not saved). Yes I should have verified that I entered the correct IP address, and not the one My PC was running off.

Result: I'm not trying to reset the password on my brand new 2 devices. :-/

hugovsky

any news?

hery50

Allegations suggest that FMWhatsApp may pose security risks, potentially allowing unauthorized access to firmware and settings without credentials. While these claims raise concerns, users should exercise caution and consider the implications before using modified applications, prioritizing privacy and security in their messaging choices. FM Whatsapp Download