Unitree Technology Responds to Robot Security Vulnerabilities: Majority of Fixes Completed, Updates to Be Released

Deep News, 09-30

Unitree Technology has responded to robot security concerns.

On September 29, Unitree Technology issued a statement on social platform X, acknowledging that some users have discovered security vulnerabilities and network-related issues when using Unitree robots. "We immediately began addressing these problems and have now completed the majority of fixes. These updates will be pushed in the near future," the company stated.

According to the IEEE Spectrum website, security researchers disclosed on September 20 that several Unitree robot models contain a critical vulnerability in their Bluetooth Low Energy (BLE) Wi-Fi configuration interface. This vulnerability affects Unitree's Go2 and B2 quadruped robots as well as G1 and H1 humanoid robots. Researchers indicated that since the vulnerability can be exploited wirelessly and allows complete control of affected platforms, it has worm-like propagation characteristics. This means "infected robots can simply scan for other Unitree robots within BLE range and automatically compromise them, creating a robot botnet that can spread without user intervention."

Unitree Technology stated that by default, its robot products are designed for offline use and do not connect to the internet. Only when customers need to use certain functions that require internet connectivity do they need to manually configure and authorize the robot to connect to the internet. Unitree noted that if a robot is set up and authorized to connect to the network, basic product information such as the robot's serial number and health status may be sent to servers (located in Singapore or local servers in respective countries) after successful connection.

The company said it will continue to improve permission management to minimize any possible misunderstandings, emphasizing that it has always placed high priority on protecting user privacy and ensuring network security and information security of products and systems. Without user authorization, no private or sensitive data will be collected.

The aforementioned researchers stated: "Robots are very complex systems with a wide attack surface that needs protection, and the most advanced humanoid robots are the embodiment of this complexity."

The IEEE Spectrum article also emphasized: "Unitree is not the only company offering complex advanced quadruped and humanoid robots, and similar vulnerabilities are likely (if not inevitable) to be found in other platforms... Robot companies rarely discuss security issues in public, even though the mere possibility of insecurity could cause damage. A runaway robot could potentially cause real physical danger."

This is not the first time Unitree has responded to robot security issues. As early as July 2022, Unitree issued a security statement, and on September 2 this year, it again released a statement regarding the network security of Unitree Go1 robot dogs. At that time, hackers had illegally obtained management keys for third-party cloud tunnel services used by Go1 and used these keys with advanced privileges to modify data and programs within user machines, thereby gaining operational control and video stream access to user machines, compromising customer privacy and security.

However, this security issue was limited to the Go1 robot dog series released in 2021 (discontinued for about two years), and subsequent robot series have never used this solution.

Professor Que Tianshu from the China Rule of Law Strategy Research Institute at East China University of Political Science and Law recently pointed out that humanoid robots with highly integrated complex technologies have become closely integrated with information technology fields such as cloud computing, mobile internet, Internet of Things, and artificial intelligence, facing multiple overlapping and interconnected risks.

First, in terms of computing systems, humanoid robots involve extensive computation and storage during operation, and the resulting risks, such as data tampering, malicious code injection, and hardware intrusion, may directly threaten the integrity and availability of robots, potentially causing physical harm or property loss. Existing research shows that through denial-of-service (DoS) attacks, API hijacking, man-in-the-middle (MITM) attacks, virus infections, vulnerability exploitation and other attack methods, attackers can remotely paralyze or control industrial robots at the software and hardware levels, causing situations including overload, loss of control, and attacks. In possible humanoid robot risk scenarios, hackers could attack robots to make them strike or cause accidents, or launch attacks against ordinary civilians.

Second, regarding artificial intelligence systems, large models serve as the "brain" of humanoid robots, making autonomous decisions and behaviors through learning and processing environmental information, and conducting human-machine interaction. If the AI algorithms adopted by robots have vulnerabilities or design flaws, they may lead to incorrect decisions and behaviors.

Third, humanoid robots are typically equipped with sensors, cameras, and microphones to collect and process data. This data may involve personal privacy, corporate or national secrets. Once this data is intercepted by hackers, it may lead to varying degrees of leakage and trigger a series of secondary security threats, such as deepfake fraud and biometric authentication breaches.

As humanoid robots gradually enter various fields of production and life, potential security risks will involve social life, industrial production, national defense security and other areas. For related technological security risks, comprehensive responses should be made from multiple levels including policy, institutional, legal, and technical aspects, such as promoting amendments to the "Cybersecurity Law," "Data Security Law," and "Personal Information Protection Law," incorporating the robotics field into specialized regulatory scope, and forming an effective legal framework that connects with industrial, data, artificial intelligence and other fields.
