Security researchers this week raised an alarm after finding hidden remote access tunnel service pre-installed on the Unitree Go1 robot dog, warning that the backdoor activates once the device detects internet connectivity.
According to documentation published by researchers Andreas Makris and Kevin Finisterre, the quadruped robot developed by the Chinese cvompany Unitree Robotics contains the undocumented tunnel service that automatically pings unitree.com to initiate its connection if a certain variable is enabled.
The researchers say the tunnel service uses CloudSail, a remote access solution developed by China-based Zhexi Technology. While CloudSail is normally intended for legitimate remote management of devices, it is being used to grant external access to the robot dog.
“Anybody with access to the API key can freely access all robot dogs on the tunnel network, remotely control them, use the vision cameras to see through their eyes or even hop on the RPI via ssh,” the researcher warned.
“If this was abused or not does not matter in this case. The mere presence of this service without letting the user know is not a good practice and can be seen as malicious.”
“The decision to enable such functionality should always remain with the user, not the manufacturer,” Makris and Finisterre wrote in the report.
The device, which retails in the US for less than $4,000, also contains remnants of an older, inactive codebase for an alternative tunnel client, suggesting leftover development artifacts.
The researchers say data from the CloudSail API revealed that a total of 1,919 devices have connected to this service at some point, although only two remain currently active.
“By using our own tunnel manager tool we are able to create a tunnel to any active client,” the researchers explained, noting they gained access to active clients that provided direct access to the robot’s web interface and live camera streams without the need for login credentials.
According to a post-mortem report, the robot dogs are also being shipped shipped with default SSH credentials. If these are not changed, attackers could gain access to the underlying Raspberry Pi, opening a pathway for lateral movement within local networks.
The discovery of this undocumented tunnel service, deployed without user notification or consent, represents a significant security risk, the researchers warned, noting the potential for remote exploitation at sensitive environments where these robot dogs might be used.
The report also raises concerns that similar backdoors could exist in other Unitree products, including newer models like the Go2 or the company’s humanoid robots.
The researchers said the discovery raises numerous questions about the company’s intent. “Did Unitree want to include this for China only? Did they plan to roll out a remote control service to the public but never follow through? If it was meant for China only, why do all robot dogs around the world automatically enroll in the tunnel service? Is it intentional or just sloppy? Is this unfinished tunnel payment page just an excuse in case someone notices that there is a tunnel client pre-installed on the dogs?”
“We strongly advise everyone with such a robot to remove it from the network permanently, as well as examine all available logs to check if their network was breached,” the research team declared.
Related: Academics Devise Cyber Intrusion Detection System for Unmanned Robots
Related: New ‘LidarPhone’ Attack Uses Robot Vacuum Cleaners for Eavesdropping
Related: Legacy Programming Languages Pose Serious Risks to Industrial Robots
Related: Industrial Robotics – Are You Increasing Your Cybersecurity Risk?
