Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Could Unleash Chaos Through Backdoor in China-Made Robot Dogs

An undocumented remote access backdoor in the Unitree Go1 Robot Dog allows remote control over the tunnel network and use of the vision cameras to see through their eyes.

Unitree Go1 Robot Dog

Security researchers this week raised an alarm after finding hidden remote access tunnel service pre-installed on the Unitree Go1 robot dog, warning that the backdoor activates once the device detects internet connectivity.

According to documentation published by researchers Andreas Makris and Kevin Finisterre, the quadruped robot developed by the Chinese cvompany Unitree Robotics contains the undocumented tunnel service that automatically pings unitree.com to initiate its connection if a certain variable is enabled.

The researchers say the tunnel service uses CloudSail, a remote access solution developed by China-based Zhexi Technology.  While CloudSail is normally intended for legitimate remote management of devices, it is being used to grant external access to the robot dog.

“Anybody with access to the API key can freely access all robot dogs on the tunnel network, remotely control them, use the vision cameras to see through their eyes or even hop on the RPI via ssh,” the researcher warned.

“If this was abused or not does not matter in this case. The mere presence of this service without letting the user know is not a good practice and can be seen as malicious.”

“The decision to enable such functionality should always remain with the user, not the manufacturer,” Makris and Finisterre wrote in the report.

The device, which retails in the US for less than $4,000, also contains remnants of an older, inactive codebase for an alternative tunnel client, suggesting leftover development artifacts.

The researchers say data from the CloudSail API revealed that a total of 1,919 devices have connected to this service at some point, although only two remain currently active.

Advertisement. Scroll to continue reading.

“By using our own tunnel manager tool we are able to create a tunnel to any active client,” the researchers explained, noting they gained access to active clients that provided direct access to the robot’s web interface and live camera streams without the need for login credentials.

According to a post-mortem report, the robot dogs are also being shipped shipped with default SSH credentials. If these are not changed, attackers could gain access to the underlying Raspberry Pi, opening a pathway for lateral movement within local networks.

The discovery of this undocumented tunnel service, deployed without user notification or consent, represents a significant security risk, the researchers warned, noting the potential for remote exploitation at sensitive environments where these robot dogs might be used. 

The report also raises concerns that similar backdoors could exist in other Unitree products, including newer models like the Go2 or the company’s humanoid robots.

The researchers said the discovery raises numerous questions about the company’s intent. “Did Unitree want to include this for China only? Did they plan to roll out a remote control service to the public but never follow through? If it was meant for China only, why do all robot dogs around the world automatically enroll in the tunnel service? Is it intentional or just sloppy? Is this unfinished tunnel payment page just an excuse in case someone notices that there is a tunnel client pre-installed on the dogs?”

“We strongly advise everyone with such a robot to remove it from the network permanently, as well as examine all available logs to check if their network was breached,” the research team declared.

Related: Academics Devise Cyber Intrusion Detection System for Unmanned Robots

Related: New ‘LidarPhone’ Attack Uses Robot Vacuum Cleaners for Eavesdropping

Related: Legacy Programming Languages Pose Serious Risks to Industrial Robots

Related: Industrial Robotics – Are You Increasing Your Cybersecurity Risk?

Related: Flaws Open Telepresence Robots to Prying Eyes

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.