Add support for encryption

[g-mocken]

If I am not mistaken, encrypted communication is not supported by these scripts, because it says in the code:

 //can not handle encrypted data
    if (result["encryption"]) return result;

So security relies entirely on the MAC address comparison, right? That is pretty weak. Could you please add support for encrypted payloads to the scripts collection?

[t0urista]

I'm also interested in this feature. BLU motion or BLU window should always use encrypted communication, so the Shelly scripting should support encryption.

[NoUsername10]

Have you checked here?
Shelly BLE Encryption API
Seems like encryption is supported.

[t0urista]

Hi
Indeed the Shelly BLU do support encrypted BTHome,
BUT the Shelly scripting language that can run on the Shelly devices such as the switch only supports UNencrypted BTHome (see message from g-mocken here above) . so if encrypted communication is enabled on a Shelly BLU device, it can no longer be used to trigger action in a Shelly script
So the request here is to get encrypted BTHome supported by the Shelly scripting

[NoUsername10]

Hello.
Thank you for pointing it out, i assumed that the current script did not support encryption in code, not i reality!
Well that is a feature i really want, it's especially important for alarm systems.

I was just trying to implement encryption for a project and could not get that to work, so +1 for this.

[hwmaier]

Offering only unsecure communication is a major omission for the BTHome BLE products and needs to be fixed. It is relatively easy to clone an BTHome BLE button's messages and by doing that potentially opening garage doors or bypass home security.

Until encryption is supported BTHome BLE product's use cases are limited and weaken the security of Shelly's ecosystem.

Shelly products should offer and encourage the use of secure communication.

[taulfsime]

Hi,

Gen2 (Plus) devices lack of free space, we can not add such a feature easily. Anyway Gen3 and Pro devices supports encrypted bthome/ble devices via feature called BTHome components. And we will add aes apis in the scripts soon.

Have a nice day.

[t0urista]

that's good news !!!
i am looking forward to test this enhancement...

[hwmaier]

Gen2 (Plus) devices lack of free space, we can not add such a feature easily. Anyway Gen3 and Pro devices supports encrypted bthome/ble devices via feature called BTHome components. And we will add aes apis in the scripts soon.

I wish I would have known before I bought a hole bunch of gen 2 devices that BLE encryption is only available for gen 3 devcies.

[NoUsername10]

Would it not be possible to do the encrypt / decrypt on a (1) Gen 3 device and run the script / functions from that device?
Receive the encrypted messages -> decrypt in Gen 3 device -> perform actions.
I mean, all messages are received by the BLE listener no?

[hwmaier]

@NoUsername10
If you have to install a Gen3 device next to a Gen2 device to offload the encryption work then it defeats the purpose for my opinion and you can use a Gen3 device in its own right and not use a Gen2 device. The idea was using Gen2 devices standalone for security sensitive applications rather having to combine a Gen2 with a Gen3.

Even for non-security stuff, I don't like when any kid can turn on and off my lights with a simple BT cloning device.

I still think the proper solution is to have the decryption feature added to Gen2. The AES code is already in the flash as it used for Wifi, so I can't see that this would add a lot of additional memory.

[NoUsername10]

@hwmaier
No, i meant install 1 Gen 3 device to cover all encryption, the BLE messages are sent to all devices no?
This was as a workaround if you have Gen 2 devices installed, and need encryption working without changing your devices.

Then send actions through wifi, not direct connections to devices from BLE devices though, but no need to change devices.

[hwmaier]

@NoUsername10 This is possible in some configurations if you have a Gen 3 within the same BT range of the BT sensor and then also within Wifi range of the Gen 2 device. Unfortunately this is not always the case. For example a driveway entry gate or a garage door where you would want to use encrypted BT from a BT button to prevent unauthorised access to the house.

[NoUsername10]

@hwmaier Yes, there are some use cases that are not optimal, that was only as a workaround for your situation.
Even in your example, this would require to only switch 1 device at the gate and add 1 at the hose to decrypt the message.

If the bluetooth signal is received in a gen 2 device, the payload goes to all listeners if I'm not mistaken?
So your Gen 3 device could sit anywhere (within wifi range) to do the decryption and still work with the Gen 2 devices that control the garage door.