Shelly Wall Display exposed RPC over Bluetooth 
  • Hardware Hacking
  • Vulnerabilities and Disclosures


Alan Monie

26 May 2026

TL;DR 

  • Shelly thermostat had RPC open over unprotected Bluetooth 
  • A result of a design issue: the Wall Display's built-in sensor overstated the temperature owing to self-generated heat. Correcting this required an external Bluetooth temperature sensor, hence the Bluetooth/RPC issue 
  • This gave potential to pivot on to a home network & take control of Shelly and other devices 
  • Shelly have finally addressed the issue with updated firmware 
  • And, yet again, have failed to credit us with the finding! 

Background 

I recently wrote a blog post on the Shelly Gen 4 open access point issue. While I was investigating that, I started looking more broadly at the Bluetooth configuration across Shelly’s modern device range and found another issue, this time with the Wall Display. 

The modern Shelly devices now include Bluetooth and by default (when using the web interface) Bluetooth is left enabled along with RPC (Remote Procedure Call) over Bluetooth. RPC can be manually disabled on all of the devices that we’ve looked at so far with the exception of the Shelly Wall Display.

The temperature sensor problem 

The Wall Display has a built-in temperature sensor too, but after launch users began complaining that the sensor was inaccurate. This is likely due to internal heat from the Wall Display. As a result, Shelly started to include a Bluetooth temperature sensor with all Wall Displays (pictured in the original post): 

This means that to retain advertised temperature monitoring functionality, Bluetooth must remain enabled on the Wall Display at all times. And unlike every other Shelly device, the Wall Display doesn’t allow you to disable RPC independently of Bluetooth. It’s all or nothing. Switch off Bluetooth and you lose your temperature sensor. Leave Bluetooth on and RPC is exposed. 

What an attacker can do 

So when using the Wall Display as intended it would be possible for an attacker within Bluetooth range to connect to the Wall Display and reconfigure any aspect of it. This includes connecting it to an attacker’s wireless network and gaining complete control over the device. 

Disclosure timeline 

16 February 2026: Notified Shelly via Facebook DM to the CEO with full details of the vulnerability 

April 2026: Beta firmware 2.6.0 released by Shelly, including a fix described as “Fix missing Switch RPC service”. Shelly has also once again failed to credit us for the finding. 

The fix and a word on transparency 

Shelly has addressed the issue in beta firmware 2.6.0, and we’re glad to see it moving. However, the changelog entry “Fix missing Switch RPC service” gives users very little to go on. Anyone scanning release notes to decide whether to update urgently would have no idea this was a security fix, let alone one that left their device open to unauthenticated Bluetooth control. 

Users should update to firmware 2.6.2, which is now out in the stable branch. Until then, if you have a Wall Display and don’t use the bundled Bluetooth temperature sensor, disabling Bluetooth entirely in Settings removes the risk. 

Conclusion 

This one is trickier than the Gen 4 open AP issue because the mitigations are in conflict with the product’s core functionality. Shelly sold the Wall Display with temperature monitoring as a feature, then had to retrofit it via Bluetooth and, in doing so, created a device that users genuinely cannot secure without sacrificing advertised functionality. 

The fix in 2.6.2 is the right outcome. But clearer communication from Shelly both in the changelog and directly to customers would go a long way toward making sure people actually apply it. 

If you have a Wall Display, update to 2.6.2. If you have other modern Shelly devices, check whether RPC over Bluetooth is enabled and turn it off.
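The post says that RPC over Bluetooth can be switched off on every modern Shelly device except the Wall Display, and closes by telling owners to check that setting. The following script is an added example (not code from the post or from Shelly) for auditing your own devices from the LAN: it calls the device's HTTP JSON-RPC endpoint, reads the Bluetooth configuration, and reports whether RPC over Bluetooth is reachable, optionally turning it off. It assumes the Gen2+ RPC methods `Shelly.GetDeviceInfo`, `BLE.GetConfig` and `BLE.SetConfig` with a `config.rpc.enable` field, as documented by Shelly at the time of writing; the host address and the sample responses are constructed, device authentication is assumed to be off, and on a Wall Display running pre-2.6.x firmware the `BLE.SetConfig` call is expected to fail for the reason the post describes, so the script only reports in that case.

```python
"""Audit RPC-over-Bluetooth exposure on Shelly Gen2+ devices via the LAN HTTP RPC API.

Added example for self-assessment of your own devices; method names follow
Shelly's Gen2+ RPC documentation as assumed in the lead-in.
"""
import argparse
import json
import urllib.error
import urllib.request

# Constructed sample responses shaped like BLE.GetConfig results, used for
# offline testing of the assessment logic (not captured from a real device).
SAMPLE_EXPOSED = {"enable": True, "rpc": {"enable": True}, "observer": {"enable": False}}
SAMPLE_RPC_OFF = {"enable": True, "rpc": {"enable": False}, "observer": {"enable": False}}
SAMPLE_BLE_OFF = {"enable": False, "rpc": {"enable": True}, "observer": {"enable": False}}


def assess_ble(config):
    """Classify a BLE.GetConfig result as ('exposed' | 'ok', reason).

    RPC over Bluetooth only matters when the Bluetooth radio itself is on,
    which is the Wall Display's all-or-nothing case described in the post.
    """
    ble_on = bool(config.get("enable", False))
    rpc_on = bool(config.get("rpc", {}).get("enable", False))
    if not ble_on:
        return "ok", "Bluetooth disabled; RPC over Bluetooth unreachable"
    if rpc_on:
        return "exposed", "RPC reachable over unauthenticated Bluetooth"
    return "ok", "Bluetooth on but RPC over Bluetooth disabled"


def rpc_request(method, params=None):
    """Build the JSON-RPC request body Shelly's /rpc endpoint accepts."""
    body = {"id": 1, "method": method}
    if params is not None:
        body["params"] = params
    return json.dumps(body).encode()


def call_rpc(host, method, params=None, timeout=5):
    """POST one RPC call to http://<host>/rpc and return its 'result' member."""
    req = urllib.request.Request(
        f"http://{host}/rpc",
        data=rpc_request(method, params),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"{method}: {reply['error']}")
    return reply["result"]


def audit(host, fix=False):
    """Report one device; with fix=True, attempt to disable RPC over Bluetooth."""
    info = call_rpc(host, "Shelly.GetDeviceInfo")
    cfg = call_rpc(host, "BLE.GetConfig")
    status, reason = assess_ble(cfg)
    print(f"{host} {info.get('model', '?')} fw={info.get('ver', '?')}: {status} ({reason})")
    if fix and status == "exposed":
        try:
            # Only the rpc sub-object is changed; the radio stays on so a
            # bundled temperature sensor keeps working where the firmware allows it.
            call_rpc(host, "BLE.SetConfig", {"config": {"rpc": {"enable": False}}})
            print(f"{host}: RPC over Bluetooth disabled (reboot may be required)")
        except (RuntimeError, urllib.error.URLError) as exc:
            # Expected on Wall Display firmware that cannot split RPC from Bluetooth.
            print(f"{host}: could not disable RPC over Bluetooth: {exc}")
    return status


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Audit Shelly RPC-over-Bluetooth exposure")
    ap.add_argument("hosts", nargs="+", help="device IPs or hostnames on your LAN")
    ap.add_argument("--fix", action="store_true", help="disable RPC over Bluetooth where exposed")
    args = ap.parse_args()
    for h in args.hosts:
        try:
            audit(h, fix=args.fix)
        except (RuntimeError, urllib.error.URLError, OSError) as exc:
            print(f"{h}: unreachable or RPC error: {exc}")
```

Run it against the addresses of your own devices, e.g. `python audit_shelly_ble.py 192.0.2.10 192.0.2.11 --fix`; a device that reports `exposed` and then refuses the `BLE.SetConfig` call is exactly the Wall Display situation the post describes, where the only remaining option before 2.6.2 is disabling Bluetooth altogether.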