A recent discovery by security researchers at Berlin-based startup thinkAwesome GmbH has revealed a significant security flaw in the popular Unitree Go1 robot dogs. The four-legged robots, known for their affordability and versatility, contain an undocumented remote access tunnel service that could allow unauthorized individuals to gain control of the devices and access their cameras remotely.
The robots, produced by Chinese company Unitree Robotics, are marketed to various sectors, including universities, research institutions, and even military applications. With models ranging from $2,500 for the basic “Air” version to $8,500 for the more advanced “Edu” model, they have gained attention for their relatively low cost compared to other robotic platforms.
At the heart of the issue is a service called CloudSail (Zhexi), a remote access tunnel service that was pre-installed on the devices. This service, typically aimed at providing remote access for IoT devices and other systems, allows connections across different networks, bypassing firewalls or NAT restrictions. Security experts Andreas Makris and Kevin Finisterre, who discovered the vulnerability, found that anyone with the default credentials and a specific API key could control the robots and access their cameras.
The researchers were able to identify 1,919 vulnerable devices, some of which were located outside of China, including in academic and corporate networks worldwide. While the researchers did not find evidence of intentional backdoor implantation, they attribute the vulnerability to inadequate code review practices at Unitree Robotics. The security flaw poses serious risks, particularly in sensitive environments, where robot dogs could be remotely accessed and controlled by unauthorized parties.
In light of the findings, the researchers urge users of the Unitree Go1 to remove the devices from their networks and examine their systems for potential breaches. The risk remains that similar vulnerabilities could exist in newer versions of the robot or other products from the manufacturer.