Security exposure? Is it true that no credentials are required to override Shelly firmware / settings?

  • Hi,

    in a separate thread in this forum I learned of mgos-to-tasmota and its ability to migrate Shelly's stock firmware through OTA.

    It's a great tool, I'm very happy and thankful it exists. It is allowing me to migrate from Shelly's stock firmware to the much more powerful Tasmota without having to remove the switches from the wall.

    However, what surprised me (and scared at the same time) is the lack of authentication / credentials for doing this. Anybody in the SAME network with the right knowledge (guest, friend or hacker) could override the device settings and/or firmware of ALL Shelly switches anytime!

    If this is true, I think it is a huge security exposure in Shelly's firmware, and users should be made aware of it!

    My expectation is that at least a password is required in order to override the firmware.

    Could anybody please confirm or correct this observation?

    Thanks!
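An added example that is not part of the original thread: a small audit script that asks each Shelly device on a list whether it answers its management endpoint without credentials. It assumes the Gen1-style HTTP API, where GET /settings is gated by the same "restrict login" HTTP basic auth that covers settings changes and the /ota endpoint; a 200 without credentials therefore means anyone on the LAN can reconfigure or reflash that device, while 401 means the login restriction is enabled. The host list, the injectable `fetch` parameter and the verdict labels are this example's own choices.

```python
"""Audit which Shelly devices on the LAN answer their management
endpoint without credentials (added example, not Shelly or
mgos-to-tasmota code)."""
import sys
import urllib.error
import urllib.request

# Assumption: Gen1-style HTTP API. /settings is read-only here, but on
# those devices the same basic-auth gate protects settings changes and
# the /ota endpoint, so an unauthenticated 200 is the exposure discussed.
SETTINGS_PATH = "/settings"


def http_status(host, path=SETTINGS_PATH, timeout=3.0):
    """Return the HTTP status of an unauthenticated GET, or None if the
    host does not answer at all (offline, wrong IP, not HTTP)."""
    url = f"http://{host}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401/403 etc. still tell us something
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map a status code to an audit verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "OPEN"        # no credentials needed: LAN users can reconfigure/reflash
    if status in (401, 403):
        return "protected"   # login restriction enabled, credentials required
    return f"unexpected({status})"


def audit(hosts, fetch=http_status):
    """Probe every host and return {host: verdict}.

    `fetch` is injectable so the logic can be exercised offline with
    stubbed status codes instead of live devices.
    """
    return {host: classify(fetch(host)) for host in hosts}


def open_hosts(hosts, fetch=http_status):
    """Convenience: only the hosts that need attention."""
    return sorted(h for h, v in audit(hosts, fetch).items() if v == "OPEN")


if __name__ == "__main__":
    # usage: python shelly_audit.py 192.168.1.20 192.168.1.21 ...
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Run it against the IPs of your switches; any host reported as OPEN should have the login restriction enabled before you rely on the network boundary alone. Write the password down before doing so, since (as the next post shows) an OTA or reboot at the wrong moment can leave you locked out.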

  • I just did this.

    My device had a password on the web page, and I did a firmware update on the 'wrong' device.

    Ended up cutting power to my desktop, and losing the password I just entered on the device in the process.

    Yes, I should have written it down somewhere safe (pw manager was not saved). Yes, I should have verified that I entered the correct IP address, and not the one my PC was running off.

    Result: I'm not trying to reset the password on my 2 brand new devices. :-/
