Código HTML do Conteúdo

Post: Critical flaws in Chinese robots. A zombie robot bonet can be remotely controlled.

<div> <div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default"> <div> <div> <p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>:28 September 2025 18:12</b></span></p> <p>On September 27, 2025, new concerns emerged about robots produced by China&rsquo;s <a href="https://www.unitree.com/" target="_blank">Unitree Robotics</a> , after serious vulnerabilities were reported that could expose thousands of devices to remote control and malicious use.</p> <p>According to <a href="https://spectrum.ieee.org/unitree-robot-exploit" target="_blank"><i>IEEE Spectrum</i></a> on Thursday, September 25, researchers have discovered <strong>a critical flaw in the Bluetooth Low Energy (BLE) system used by the company&rsquo;s robots</strong> for initial Wi-Fi network setup. This weakness <em>would allow an attacker to gain root privileges on the devices&rsquo; Android operating system, gaining complete control over them.</em></p> <p>Security researcher <a href="https://arxiv.org/html/2509.14139v3" target="_blank">Andreas Makris</a> explained that once a robot is compromised, <em>the infection can automatically spread to other Yushu devices</em> within Bluetooth range, turning them into a botnet capable of replicating without human intervention.</p> <p>The authentication mechanism appears particularly fragile: <em>Unitree robots allow access simply by encrypting a hardcoded string, &ldquo;unitree.&rdquo;</em> This <strong>allows an attacker to insert arbitrary code disguised as the WiFi network&rsquo;s SSID and password.</strong> When the robot attempts to connect, <em>the code would be executed with administrator privileges, without any additional verification.</em></p> <p>Makris added that <strong>such an exploit could even prevent users from updating their firmware,</strong> leaving devices permanently vulnerable and opening the door to mass takeover. <strong>Affected models include the Go2 and B2 quadruped robot dogs and the G1 and H1 humanoid robots</strong> . This is the first time a flaw of this magnitude has been publicly disclosed on a commercial humanoid robotics platform.</p> <p>Researchers contacted <em>Unitree Robotics as early as May 2025, but after several unsuccessful attempts to communicate, the company reportedly stopped responding last July.</em> The lack of cooperation prompted the public disclosure of the vulnerability. Makris also noted that <strong>he had previously identified a backdoor in the Yushu Go1 model,</strong> raising questions about the origin of these flaws: whether they are <em>the result of negligent development or intentional implementations.</em></p> <p>A further report came from <strong>Victor Mayoral-Vilches</strong> , founder of Alias Robotics, who claimed that Yushu robots <em>are sending telemetry data to Chinese servers, which could include audio, video, and spatial information</em> . Mayoral-Vilches highlighted how these devices <strong>are widely used globally, but many users are unaware of the risks associated with their use</strong> . While awaiting official responses, the expert advises users to connect the robots only to isolated Wi-Fi networks and to disable Bluetooth connectivity as an immediate protection measure.</p> <p>The concerns aren&rsquo;t limited to personal matters. In August 2025, <strong>the city of Taipei deployed the Go2 model for urban patrol, raising questions about data security.</strong> On May 5, 2025, the U.S. House of Representatives Special Committee on Strategic Competition with China <em>sent a letter to the Secretary of Defense, the Secretary of Commerce, and the Chairman of the Federal Communications Commission, warning that Yushu &ldquo;poses a growing threat to national security.&rdquo;</em></p> <p>The company&rsquo;s robots have reportedly already been deployed in sensitive environments <em>such as prisons, police forces, and US military bases. The presence of backdoors and the possibility of remote surveillance have led some observers to call them &ldquo;Trojan horses with cameras.&rdquo;</em></p> <p>To date, Unitree Robotics has not released any official comment.</p> <div> <div> <div> <div> <p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p> <p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Lista degli articoli</a></p> </div> </div> </div> </div> </div> </div> </div></div>