How to set up a Shelly device without compromising the WiFi password?

I’m trying to add a Shelly Plus Plug S to HASS for local access only. Plugging it into the wall makes the Shelly spawn an unsecured WiFi network. Connecting to that lets me connect to http://192.168.33.1/ and then enter my WiFi SSID/password.

I can’t do that since it will compromise my WiFi password. The password will, during the configuration, be sent unencrypted for the world to see.

How do I add my device securely? Is there any good procedure?

Build a firewall or VLAN

Or do you mean? Disable that

What world? 192.168.x.x is an unroutable IP range, so it never leaves your network.

No, I just want to add the Shelly to my WiFi. To do that I need to provide the credentials. This is done by passing them over an unsecured WiFi over http during the setup.

After the credentials are stored in memory I understand how to configure it.

I agree that the IP range is a local one. The problem is that it’s accessed over an unsecured WiFi-AP created by the Shelly and using http. It means that anything I send will be sniffable by my neighbors.

Try to find that access point outside. You probably won’t find it, the range is not so strong.

So security by whispering :slight_smile: I’m not really comfortable doing that. If that’s the only solution I’ll probably return the device instead.

Your choice. You can be too paranoid, and see danger where there is none, but it is your decision to make.

Or configure the Shelly device at a different location with a router that is using the same WiFi credentials :wink: other neighbors :stuck_out_tongue:

Sure, the probability of someone picking my secrets up is low. I just thought that there would be better solutions. HTTPS is not really a newcomer and PKI systems are common. Why design the device poorly when good security is easy to get?

Or flash it with ESPHome and use API call :stuck_out_tongue:

I think that is marketing :wink:

Because ESPs are not designed to do the heavy lifting of HTTPS. They can, but at the expense of having to leave out other features in the firmware.
An ESP32 has 520Kb RAM, it is not like a PC with GB of RAM.

I might do that. Taking the device apart and flashing using tiny solder points isn’t great though :smile: Shelly Plus Plug S - ESPHOME - #39 by D-a-n-e

You can enable a password for the device AP.

You should also take a look at „TLS Configuration” section in settings.