Unitree G1 Security Disaster
Summary
Security vulnerabilities have been confirmed across Unitree's robot fleet, including the G1, H1, Go2, B2, and R1 models. The primary flaw is code execution on the main board, which runs proprietary code and is normally inaccessible to users. It is made possible by hard-coded AES keys, identical across all Unitree robots, that protect the Bluetooth Low Energy (BLE) provisioning connection: anyone holding the shared key can complete the BLE handshake and then inject arbitrary shell commands, executed as root, through the Wi-Fi credentials field, taking full control of the robot. Because the entry point is BLE, the attacker must be within radio range, which is why the write-up treats it as a local RCE. Separately, the robots exhibit persistent telemetry, sending data to Unitree servers even after a reboot, which contradicts Unitree's claim that the robots are "designed for offline use." Unitree acknowledged "network related issues" and promised fixes, but the underlying problem of hard-coded AES keys remains unaddressed, so the robots stay open to man-in-the-middle attacks on the BLE link and to forced Wi-Fi credential updates.
Key takeaway
If you run Unitree robots in engineering or research, assume the robot is vulnerable to root code execution over BLE and to unauthorized data transmission. Disable Bluetooth, or physically remove the BLE module, to close the local RCE path. To stop the persistent telemetry, point the robot's Wi-Fi credentials at a network that does not exist: the robot keeps trying to connect and transmit after every reboot whether or not you authorized it, so denying it a working uplink is the practical control.
Key insights
Hard-coded AES keys shared across Unitree robots enable root code execution over BLE; independently of that flaw, the robots phone home to Unitree servers persistently and without authorization.
Principles
- Proprietary main boards can hide critical vulnerabilities.
- Hard-coded, identical keys create fleet-wide security risks.
Method
Code execution: complete the BLE handshake with the shared hard-coded AES key, then send Wi-Fi credentials whose password field carries shell commands; the main board executes them as root. Persistent telemetry: update the robot's Wi-Fi credentials over BLE, then capture its network traffic across a reboot and observe the outbound connections to Unitree servers.
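The bug class behind the first step, reproduced in miniature as an added example (this is not code from the original write-up or from Unitree's firmware). A provisioning handler that splices BLE-supplied credentials into a root shell string sits beside a hardened one that validates the fields and passes them as an argv list, so no shell ever parses them. The tool names (`wpa_passphrase`, `nmcli`), the field limits and the injected payload are assumptions chosen for illustration.

```python
import shlex
import string

# Constructed payload in the shape the write-up describes: a "Wi-Fi password"
# that closes the quote and appends commands. Illustrative, not the real one.
INJECTED_PASSWORD = "pw'; touch /tmp/owned; echo '"
SSID = "lab-net"  # assumed SSID


def build_cmd_vulnerable(ssid: str, password: str) -> str:
    """Bug class: credentials received over BLE are spliced into a string that
    the main board hands to a root shell. Quoting is not a defence; the
    attacker simply closes the quote."""
    return f"wpa_passphrase '{ssid}' '{password}' > /etc/wpa_supplicant.conf"


def count_shell_commands(cmd: str) -> int:
    """Count the top-level commands a POSIX shell would run (split on unquoted
    ';'), so the injection can be shown without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer).count(";") + 1


# Printable ASCII minus control characters (space stays legal in a passphrase).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def validate_wifi_credentials(ssid: str, password: str) -> None:
    """Reject fields outside the 802.11 SSID / WPA2 passphrase limits (assumed
    policy: 1-32 byte SSID, 8-63 printable ASCII passphrase). This is defence
    in depth only: quotes and semicolons are legal passphrase characters, so
    validation cannot make a shell string safe."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(password) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    if any(ch not in PRINTABLE for ch in password):
        raise ValueError("passphrase must be printable ASCII")


def build_argv_hardened(ssid: str, password: str) -> list[str]:
    """Hardened handler: validate, then build an argv list. The credentials
    reach the tool as data; nothing interprets ';' or quotes, so the whole
    payload arrives as one ordinary argument."""
    validate_wifi_credentials(ssid, password)
    # Run with subprocess.run(argv, shell=False) on the real device.
    return ["nmcli", "dev", "wifi", "connect", ssid, "password", password]


def credentials_accepted(ssid: str, password: str) -> bool:
    """True if the hardened handler would accept the fields."""
    try:
        validate_wifi_credentials(ssid, password)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    vuln = build_cmd_vulnerable(SSID, INJECTED_PASSWORD)
    print(vuln)
    print("commands the shell would run:", count_shell_commands(vuln))
    argv = build_argv_hardened(SSID, INJECTED_PASSWORD)
    print("hardened argv length:", len(argv), "payload kept as one arg:",
          argv[-1] == INJECTED_PASSWORD)
```

Note that the injected payload passes validation: it is 31 printable characters, which is a perfectly legal WPA2 passphrase. The fix that matters is the argv form, which turns the payload into an inert string; the length and character checks only narrow what else can be smuggled through the field.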
In practice
- Disable Bluetooth or desolder the BLE module to remove the BLE attack surface.
- Point the robot at junk Wi-Fi credentials so it cannot reach Unitree's servers.
- Monitor your network for unexpected outbound connections from the robot, including after a reboot.
Topics
- Remote Code Execution
- Bluetooth Low Energy
- Unitree Robots
- Robot Telemetry
- Cybersecurity Vulnerabilities
Best for: Robotics Engineer, AI Security Engineer, Software Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by sentdex.