Humanoid Robot Hacked in 60 Seconds: Security Flaws Exposed

Could a humanoid robot be turned into a weapon in less than a minute? Chinese cybersecurity researchers have demonstrated that it can, and this has significant implications for robot safety. In a video, Qu Shipei, a cybersecurity expert at Darknavy, took control of a Unitree humanoid robot in less than a minute. The robot's indicator light changed from blue to red and it stopped responding to its authorized remote controller. Instead, under Qu Shipei's control, the robot advanced on a reporter with a raised fist.


The attack, as described by Xiao Xuangan of Darknavy, involved two steps. First, the attacker gained remote access to the robot's control system. Then, bypassing the interface provided by the robot's manufacturer, the attacker sent direct motor-control instructions to the execution unit. From there the attacker could make the robot behave erratically and endanger the people around it, without ever needing permission from the robot's operator. The fundamental flaw is that many robots built for commercial sale ship with interfaces meant to ease the programmer's work (such as remote login or direct access to the execution unit), and these interfaces greatly enlarge the attack surface once such robots begin interacting with their environment.

These weaknesses in Unitree robots are not merely theoretical. A critical vulnerability has been found in the Bluetooth Low Energy (BLE) provisioning protocol used by Unitree's G1, H1 and R1 humanoid robots and its Go2 and B2 quadruped robots. All of them accept unvalidated SSID and password input, which allows command injection via payloads of the form "$(cmd) ; #". Although BLE traffic is encrypted, it uses hardcoded AES keys and IVs shared across the entire robot fleet, resulting in zero key entropy. An attacker in close proximity can therefore obtain root-level code execution and persistent access via SSH or custom credentials. The issue has been dubbed UniPwn, and it is wormable: an infected robot can scan for other robots nearby and compromise them automatically, forming a robot botnet.
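The command-injection class described above arises when provisioning input is interpolated into a shell command. The Python below is an added example, not Darknavy's research code and not Unitree firmware: it shows a hardened provisioning handler that enforces the SSID and passphrase limits, derives the WPA2 PSK itself and writes a wpa_supplicant network block with a hex-encoded SSID, so a payload shaped like the one quoted is stored as inert bytes and is never parsed by a shell. The wpa_supplicant/wpa_cli setup and all sample inputs are assumptions of the example.

```python
"""Added example, not code from Darknavy or Unitree: a Wi-Fi provisioning
handler that keeps attacker-controlled SSID and passphrase bytes away from
any shell.  Assumptions (not from the article): the robot stores Wi-Fi
settings as a wpa_supplicant network block and reloads the daemon with
wpa_cli.  All sample inputs below are constructed."""
import hashlib

MAX_SSID_BYTES = 32                      # IEEE 802.11 SSID length limit
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63   # WPA2-PSK passphrase limits
_ASCII_PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


class ProvisioningError(ValueError):
    """Raised when supplied credentials violate the protocol limits."""


def validate_credentials(ssid: bytes, passphrase: str) -> None:
    """Enforce protocol limits.  The SSID may contain any bytes, shell
    metacharacters included, because it is never handed to a shell."""
    if not 1 <= len(ssid) <= MAX_SSID_BYTES:
        raise ProvisioningError("SSID must be 1..32 bytes")
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ProvisioningError("passphrase must be 8..63 characters")
    if any(ch not in _ASCII_PRINTABLE for ch in passphrase):
        raise ProvisioningError("passphrase must be printable ASCII")


def derive_psk(ssid: bytes, passphrase: str) -> str:
    """WPA2-PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key,
    SSID as salt.  Storing the PSK means the passphrase itself is never
    written to disk."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)
    return key.hex()


def build_network_block(ssid: bytes, passphrase: str) -> str:
    """Emit a wpa_supplicant 'network' block.  The SSID is written as a hex
    string (a form wpa_supplicant accepts without quotes) and the PSK as 64
    hex digits, so no quoting or escaping rules are involved at all."""
    validate_credentials(ssid, passphrase)
    return (
        "network={\n"
        f"    ssid={ssid.hex()}\n"
        f"    psk={derive_psk(ssid, passphrase)}\n"
        "    key_mgmt=WPA-PSK\n"
        "}\n"
    )


def reload_command(interface: str) -> list[str]:
    """Argv list for reloading the daemon after the file is written.
    Passing a list to subprocess.run() means no shell ever parses it."""
    return ["wpa_cli", "-i", interface, "reconfigure"]


if __name__ == "__main__":
    # Constructed input: the payload shape quoted in the article, used as an
    # SSID, becomes inert hex rather than shell syntax.
    print(build_network_block(b"$(cmd) ; #", "correct horse battery"))
    print(" ".join(reload_command("wlan0")))
```

The design choice worth noting is that validation alone is not the fix: an SSID is legitimately allowed to contain any byte, so the handler changes the encoding at the trust boundary rather than trying to blocklist characters.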

Beyond control hijacking, Unitree's systems have been found to stream multi-modal telemetry (audio, video, LIDAR point clouds, IMU orientation, joint torque and service state) at periodic intervals to remote servers in China. This happens without the users' knowledge or consent, which raises potential compliance issues under GDPR, CCPA and other privacy laws. The telemetry is carried over MQTT to brokers at 43.175.228.18:17883 and 43.175.229.18:17883, at rates in excess of 1 Mbps.
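One defensive check this paragraph suggests is to watch the robot segment's egress for the endpoints and data rate described. The Python below is an added example, not part of the article or of any Unitree or Darknavy tooling: it parses constructed flow-style firewall records, flags connections to the two broker addresses named above or to any external host on port 17883, and annotates those that exceed the stated 1 Mbps. The log format, the robot subnet and every log line are constructed for the example.

```python
"""Added example (not from the article, Unitree or Darknavy): flagging the
telemetry egress described above in flow-style firewall logs.  The two broker
endpoints and the 17883 port come from the article; the log format, the robot
subnet and all log lines are constructed."""
import re
from dataclasses import dataclass

KNOWN_TELEMETRY_BROKERS = {"43.175.228.18", "43.175.229.18"}  # from the article
MQTT_TELEMETRY_PORT = 17883                                   # from the article
HIGH_RATE_MBPS = 1.0                                          # article: "in excess of 1 Mbps"
ROBOT_SUBNET_PREFIX = "192.168.50."                           # constructed robot VLAN

# Constructed flow records, one completed connection per line.
SAMPLE_FLOW_LOG = """\
2025-01-15T10:00:10Z src=192.168.50.21:50112 dst=43.175.228.18:17883 proto=tcp bytes=1572864 dur=10
2025-01-15T10:00:10Z src=192.168.50.21:50113 dst=192.168.50.5:8883 proto=tcp bytes=20480 dur=10
2025-01-15T10:00:20Z src=192.168.50.22:41000 dst=43.175.229.18:17883 proto=tcp bytes=512000 dur=10
2025-01-15T10:00:25Z src=192.168.50.22:41001 dst=203.0.113.7:17883 proto=tcp bytes=4096 dur=5
2025-01-15T10:00:30Z src=10.0.0.5:53322 dst=192.168.50.21:22 proto=tcp bytes=9000 dur=30
"""

_FLOW_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    mbps: float
    reasons: list


def megabits_per_second(byte_count: int, seconds: int) -> float:
    """Average throughput of a flow; durations under 1 s are clamped to 1."""
    return (byte_count * 8) / max(seconds, 1) / 1_000_000


def detect_telemetry_egress(log_text: str) -> list[Finding]:
    """Return one Finding per flow from the robot subnet that reaches a known
    broker, or any external host on the telemetry port; flows that also
    exceed HIGH_RATE_MBPS get an extra reason so they can be prioritised."""
    findings = []
    for line in log_text.splitlines():
        m = _FLOW_RE.match(line)
        if not m or not m["src"].startswith(ROBOT_SUBNET_PREFIX):
            continue  # malformed line, or not originating from a robot
        dport = int(m["dport"])
        rate = megabits_per_second(int(m["bytes"]), int(m["dur"]))
        reasons = []
        if m["dst"] in KNOWN_TELEMETRY_BROKERS:
            reasons.append("known telemetry broker")
        elif dport == MQTT_TELEMETRY_PORT and not m["dst"].startswith(ROBOT_SUBNET_PREFIX):
            reasons.append("external host on telemetry MQTT port")
        if reasons and rate > HIGH_RATE_MBPS:
            reasons.append(f"sustained rate {rate:.2f} Mbps")
        if reasons:
            findings.append(Finding(m["ts"], m["src"], m["dst"], dport, rate, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_telemetry_egress(SAMPLE_FLOW_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.mbps:.2f} Mbps: {', '.join(f.reasons)}")
```

The local MQTT flow to 192.168.50.5:8883 is deliberately left unflagged: the rule keys on the destination, not on MQTT itself, because an on-premises broker is the legitimate alternative to the behaviour described.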

Hardware vulnerabilities compound the problem. The Unitree G1's compute module is built around a Rockchip RK3588 SoC and exposes debug connectors in JST packages, unpopulated JTAG headers and accessible UART interfaces running at 115200 baud. By connecting to these interfaces, an attacker can read memory directly, modify firmware images or bypass the bootstrap authentication process. The sensor suite (Intel D435i depth cameras, MEMS microphones and GNSS receivers) publishes its data on DDS topics without any encryption.

From an engineering standpoint, this combination of exploitable network protocols, vulnerable firmware and exposed developer interfaces is a direct violation of defense-in-depth principles. Industrial standards such as IEC 62443 call for multiple layers of protection: identification and authentication, integrity protection, restricted data flow and proper response to incidents. In robotics these controls must be designed in from day one; they cannot simply be bolted on afterwards. Functional safety standards such as IEC 61508 require security threat analysis wherever foreseeable risks exist, yet many robotics companies still treat cyber-security as an afterthought.

The danger is heightened because robots are cyber-physical systems. Unlike ordinary computer systems, they can cause physical harm when attacked. The "barrel principle" therefore applies: the security of the entire robot is only as strong as its weakest link.

Research on industrial robot security has identified the importance of segregating robot networks from the rest of the infrastructure, using multi-factor authentication, disabling unused interfaces and encrypting all communications. Another emerging approach is Adaptive Defense: frameworks that apply AI to cybersecurity in order to counter automated exploitation capabilities.

Darknavy's demonstration is concrete evidence that in the age of the connected humanoid, vulnerabilities are not just data breaches; they pose immediate safety risks. With robots increasingly deployed in public spaces and strategic infrastructure, the industry faces an urgent imperative: build robots that are secure, or be prepared to watch a one-minute hack turn a helpful machine into something deadly.
