diff --git a/CHANGES b/CHANGES
index 280f7cc..1c7286a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
 
+Close a security hole where you could trivially spoof an encrypted meter
+by sending an unencrypted telegram with the same id.
+
 Jacek27 added support for the Munia temp/hygrometer. Thanks Jacek27!
 
 Improved verbose logging to show if you are not in the dialout
diff --git a/simulations/simulation_aes_removed.msg b/simulations/simulation_aes_removed.msg
index 16827fa..c4a35fb 100644
--- a/simulations/simulation_aes_removed.msg
+++ b/simulations/simulation_aes_removed.msg
@@ -1,3 +1,4 @@
 telegram=|6E4401068888888805077A850060852F2F|80C84AFD9308020043820183000A5415586302FCA91510F01200007B01F0120000C91200006D110000D20E0000F5090000B30400006D0000002B0000002B0000002B0000002B0000002B000000A085D9A103FFFFFFFFFFFFFFFFFFFF0A8D|
 telegram=|2A442D2C998734761B168D2091D37CAC21576C78|02FF207100041308190000441308190000615B7F616713|
 telegram=|AE44EE4D777777773C077A4400A0252F2F|6D142F570000426C01014C130000000082046C41218C0413000000008D04931E3A3CFE0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000046D030C6F2303FD6C401F0082206C6B210BFD0F0200018C4079000000008310FD31E0040082106C6F238110FD610102FD66030002FD1700012F2F2F2F2F2F2F2F2F2F|
+telegram=|2e44EE4D777777773C077ab54800002f2f02fd1b110002fd971d01000efd3a2200000000008e40fd3a000000000000|
diff --git a/src/wmbus.cc b/src/wmbus.cc
index 90d898e..e10901c 100644
--- a/src/wmbus.cc
+++ b/src/wmbus.cc
@@ -1419,9 +1419,10 @@ bool Telegram::potentiallyDecrypt(vector<uchar>::iterator &pos)
         {
             if (meter_keys && meter_keys->hasConfidentialityKey())
             {
-                // Oups! There this telegram is already decrypted, but
-                // we have specified a key! Do not accept this telegram!
-                warning("(wmbus) WARNING! telegram should have been encrypted, but was not! "
+                // Oups! This telegram is already decrypted (but the header still says it should be encrypted)
+                // this is probably a replay telegram from --logtelegrams.
+                // Since we have specified a key! Do not accept this telegram!
+                warning("(wmbus) WARNING! telegram should have been fully encrypted, but was not! "
                         "id: %02x%02x%02x%02x mfct: (%s) %s (0x%02x) type: %s (0x%02x) ver: 0x%02x\n",
                             dll_id_b[3], dll_id_b[2], dll_id_b[1], dll_id_b[0],
                             manufacturerFlag(dll_mfct).c_str(),
@@ -1538,6 +1539,22 @@ bool Telegram::potentiallyDecrypt(vector<uchar>::iterator &pos)
             debug("(diehl) decryption successful\n");
         }
     }
+    else
+    if (meter_keys && meter_keys->hasConfidentialityKey())
+    {
+        // Oups! This telegram is NOT encrypted, but we have specified a key!
+        // Do not accept this telegram!
+        warning("(wmbus) WARNING! telegram should have been encrypted, but was not! "
+                "id: %02x%02x%02x%02x mfct: (%s) %s (0x%02x) type: %s (0x%02x) ver: 0x%02x\n",
+                dll_id_b[3], dll_id_b[2], dll_id_b[1], dll_id_b[0],
+                manufacturerFlag(dll_mfct).c_str(),
+                manufacturer(dll_mfct).c_str(),
+                dll_mfct,
+                mediaType(dll_type, dll_mfct).c_str(), dll_type,
+                dll_version);
+        return false;
+    }
+
     return true;
 }
 
diff --git a/tests/test_aes.sh b/tests/test_aes.sh
index 3eafc65..07aab86 100755
--- a/tests/test_aes.sh
+++ b/tests/test_aes.sh
@@ -31,12 +31,13 @@ TESTNAME="Test that telegram really is encrypted"
 TESTRESULT="ERROR"
 
 cat > $TEST/test_expected.txt <<EOF
-(wmbus) WARNING! telegram should have been encrypted, but was not! id: 88888888 mfct: (APA) Apator, Poland (0x601) type: Water meter (0x07) ver: 0x05
+(wmbus) WARNING! telegram should have been fully encrypted, but was not! id: 88888888 mfct: (APA) Apator, Poland (0x601) type: Water meter (0x07) ver: 0x05
 (meter) newly created meter (ApWater 88888888 apator162) did not handle telegram!
 (wmbus) WARNING! decrypted payload crc failed check, did you use the correct decryption key? e1d6 payload crc (calculated a528) Permanently ignoring telegrams from id: 76348799 mfct: (KAM) Kamstrup Energi (0x2c2d) type: Cold water meter (0x16) ver: 0x1b
 (meter) newly created meter (Vatten 76348799 multical21) did not handle telegram!
-(wmbus) WARNING! telegram should have been encrypted, but was not! id: 77777777 mfct: (SON) Sontex, Switzerland (0x4dee) type: Water meter (0x07) ver: 0x3c
+(wmbus) WARNING! telegram should have been fully encrypted, but was not! id: 77777777 mfct: (SON) Sontex, Switzerland (0x4dee) type: Water meter (0x07) ver: 0x3c
 (meter) newly created meter (Wasser 77777777 supercom587) did not handle telegram!
+(wmbus) WARNING! telegram should have been encrypted, but was not! id: 77777777 mfct: (SON) Sontex, Switzerland (0x4dee) type: Water meter (0x07) ver: 0x3c
 EOF
 
 $PROG --format=json simulations/simulation_aes_removed.msg \