Shelly IoT door controller config fail: leaving your garage, home and security exposed
ID: 93f251bd-571b-5847-9583-5322c3d55507
STIX ID: report--93f251bd-571b-5847-9583-5322c3d55507
Feed Name: Pen Test Partners Blog
Researchers report that Shelly Gen 4 devices keep their default open Wi‑Fi access point enabled even after connecting to a home network. This allows unauthenticated local attackers to control devices, pivot across internal networks, and even open doors or gates via simple HTTP requests. Thousands of vulnerable SSIDs are geolocatable via wigle.net. The report includes PoC scripts, highlights related risks (e.g., TLS handling differences on G3), explains how to disable the AP as a mitigation, and documents a disclosure timeline in which Shelly promised a fix in firmware 1.8.0 but had not delivered it as of Feb 2026.
