Add support for encryption
If I am not mistaken, encrypted communication is not supported by these scripts, because it says in the code:
//can not handle encrypted data
if (result["encryption"]) return result;
So security relies entirely on the MAC address comparison, right? That is pretty weak. Could you please add support for encrypted payloads to the scripts collection?
I'm also interested in this feature. BLU motion or BLU window should always use encrypted communication, so the Shelly scripting should support encryption.
Have you checked here? Shelly BLE Encryption API Seems like encryption is supported.
Hi
Indeed the Shelly BLU do support encrypted BTHome,
BUT the Shelly scripting language that can run on the Shelly devices such as the switch only supports UNencrypted BTHome (see message from g-mocken above). So if encrypted communication is enabled on a Shelly BLU device, it can no longer be used to trigger actions in a Shelly script.
So the request here is to get encrypted BTHome supported by the Shelly scripting
Hello. Thank you for pointing it out, I assumed that the current script did not support encryption in code, not in reality! Well, that is a feature I really want; it's especially important for alarm systems.
I was just trying to implement encryption for a project and could not get that to work, so +1 for this.
Offering only insecure communication is a major omission for the BTHome BLE products and needs to be fixed. It is relatively easy to clone a BTHome BLE button's messages and, by doing that, potentially open garage doors or bypass home security.
Until encryption is supported, BTHome BLE products' use cases are limited and weaken the security of Shelly's ecosystem.
Shelly products should offer and encourage the use of secure communication.
Hi,
Gen2 (Plus) devices lack free space, so we cannot add such a feature easily. Anyway, Gen3 and Pro devices support encrypted BTHome/BLE devices via a feature called BTHome components. And we will add AES APIs in the scripts soon.
Have a nice day.
That's good news!!! I am looking forward to testing this enhancement...
I wish I would have known before I bought a whole bunch of Gen2 devices that BLE encryption is only available for Gen3 devices.
Would it not be possible to do the encrypt / decrypt on a (1) Gen 3 device and run the script / functions from that device? Receive the encrypted messages -> decrypt in Gen 3 device -> perform actions. I mean, all messages are received by the BLE listener no?
@NoUsername10 If you have to install a Gen3 device next to a Gen2 device to offload the encryption work, then it defeats the purpose in my opinion, and you can use a Gen3 device in its own right and not use a Gen2 device. The idea was using Gen2 devices standalone for security-sensitive applications rather than having to combine a Gen2 with a Gen3.
Even for non-security stuff, I don't like when any kid can turn on and off my lights with a simple BT cloning device.
I still think the proper solution is to have the decryption feature added to Gen2. The AES code is already in the flash as it is used for WiFi, so I can't see that this would add a lot of additional memory.
@hwmaier No, I meant install 1 Gen3 device to cover all encryption; the BLE messages are sent to all devices, no? This was a workaround if you have Gen2 devices installed and need encryption working without changing your devices.
Then send actions through wifi, not direct connections to devices from BLE devices though, but no need to change devices.
@NoUsername10 This is possible in some configurations if you have a Gen 3 within the same BT range of the BT sensor and then also within Wifi range of the Gen 2 device. Unfortunately this is not always the case. For example a driveway entry gate or a garage door where you would want to use encrypted BT from a BT button to prevent unauthorised access to the house.
@hwmaier Yes, there are some use cases that are not optimal; that was only a workaround for your situation. Even in your example, this would require switching only 1 device at the gate and adding 1 at the house to decrypt the message.
If the Bluetooth signal is received by a Gen2 device, the payload goes to all listeners if I'm not mistaken? So your Gen3 device could sit anywhere (within WiFi range) to do the decryption and still work with the Gen2 devices that control the garage door.
Besides the discussion of Gen3 or Gen2, has anyone managed to encrypt BLU data in scripts yet?
Hi, we are adding AES support to scripts for Gen3+ devices with the 1.6 FW version. After that, the scripts will be able to handle encrypted devices.
If any of you want to adapt the scripts in advance, send me an email or personal message, and I will send you the alpha 1.6 version.
Thank you
Hello, I would be interested in testing the feature. I've sent you a mail. BR Sepp
FW 1.6 has been out for quite a while now, but the scripts have not been updated, yet. Any new insights?