Cybersecurity Roboticsthe leading robot cybersecurity lab

Humanoid robots as attack vectors

arXiv · 2025

Abstract. We present a systematic security assessment of the Unitree G1 humanoid showing it operates simultaneously as a covert surveillance node and can be purposed as an active cyber operations platform. Initial access can be achieved by exploiting the BLE provisioning protocol which contains a critical command injection vulnerability allowing root access via malformed Wi-Fi credentials, exploitable using hardcoded AES keys shared across all units. Partial reverse engineering of Unitree’s proprietary FMX encryption reveal a static Blowfish-ECB layer and a predictable LCG mask—enabled inspection of the system’s otherwise sophisticated security architecture, the most mature we have observed in commercial robotics. Two empirical case studies expose the critical risk of this humanoid robot: (a) the robot functions as a trojan horse, continuously exfiltrating multi-modal sensor and service-state telemetry to 43.175.228.18:17883 and 43.175.229.18:17883 every 300 seconds without operator notice, creating violations of GDPR Articles 6 and 13; (b) a resident Cybersecurity AI (CAI) agent can pivot from reconnaissance to offensive preparation against any target, such as the manufacturer’s cloud contr

Full text transcribed from the arXiv (ar5iv) HTML of the original paper.

Abstract

We present a systematic security assessment of the Unitree G1 humanoid showing it operates simultaneously as a covert surveillance node and can be purposed as an active cyber operations platform. Initial access can be achieved by exploiting the BLE provisioning protocol which contains a critical command injection vulnerability allowing root access via malformed Wi-Fi credentials, exploitable using hardcoded AES keys shared across all units. Partial reverse engineering of Unitree’s proprietary FMX encryption reveal a static Blowfish-ECB layer and a predictable LCG mask—enabled inspection of the system’s otherwise sophisticated security architecture, the most mature we have observed in commercial robotics. Two empirical case studies expose the critical risk of this humanoid robot: (a) the robot functions as a trojan horse, continuously exfiltrating multi-modal sensor and service-state telemetry to 43.175.228.18:17883 and 43.175.229.18:17883 every 300 seconds without operator notice, creating violations of GDPR Articles 6 and 13; (b) a resident Cybersecurity AI (CAI) agent can pivot from reconnaissance to offensive preparation against any target, such as the manufacturer’s cloud control plane, demonstrating escalation from passive monitoring to active counter-operations. These findings argue for adaptive CAI-powered defenses as humanoids move into critical infrastructure, contributing the empirical evidence needed to shape future security standards for physical–cyber convergence systems.

Figure 1: Humanoid Robot Architecture: Internal system structure showing hardware layer, Linux kernel, master service orchestration, and service hierarchy (left), and high-level ecosystem with communication paths showing authorized cloud services, telemetry servers, and internal components including obstacle avoidance, path planning, and speech recognition with DDS/ROS2 compatibility (right). Critical finding: Persistent telemetry connections to external servers transmit robot state and sensor data without explicit user consent.

Introduction

This technical brief summarizes the findings from Alias Robotics’ security assessment in combination with researchers Andreas Makris3 and Kevin Finisterre2 independent findings of the Unitree G1 humanoid robot. Refer to the full report and for more details. Our methodology builds upon established prior robotics security assessment practices combining static firmware analysis, binary reverse engineering of the 9.2 MB master_service orchestrator, runtime network traffic analysis, and BLE protocol exploitation to systematically evaluate the platform’s security architecture and more contemporary research on Cybersecurity AI . Five critical findings emerged:

The remainder of the brief walks through the platform’s anatomy, BLE provisioning vulnerabilities, the FMX cryptanalytic analysis, the telemetry pipeline, and validated attack vectors before closing with what the dual-threat reality means.

Platform Anatomy

Hardware Baseline

Hardware analysis reveals the G1’s compute platform centers on a Rockchip RK3588 SoC (quad-core Cortex-A76 @ 2.4GHz + quad-core Cortex-A55 @ 1.8GHz) with 8GB LPDDR4X RAM and 32GB eMMC storage. Physical security weaknesses include exposed JST debug connectors, unpopulated JTAG pads, and accessible UART interfaces operating at 115200 baud. The sensor array comprises Intel RealSense D435i depth cameras (1280×720 @ 30fps depth, 1920×1080 @ 30fps RGB), dual MEMS microphones, 9-axis IMU, and GNSS receiver—all publishing to DDS topics on the local network. Some of these sensors are susceptible to established attack vectors including optical channel exploitation and acoustic manipulation .

BLE Provisioning Vulnerability

The robot’s Bluetooth Low Energy provisioning interface, accessible on models G1, H1, and R1 (also applicable to Go2 and B2 legged robots), contains a critical command injection vulnerability. The Wi-Fi configuration protocol accepts SSID and password fields without sanitization, allowing attackers to inject shell commands using the pattern ";$(command);#". All BLE traffic uses AES-CFB encryption with a static key (df98b715d5c6ed2b25817b6f2554124a) and IV (2841ae97419c2973296a0d4bdfe19a4f) hardcoded across the entire fleet, reducing effective entropy to zero. Exploitation requires only BLE proximity and knowledge of these universal credentials, enabling remote code execution with root privileges through the provisioning daemon. The vulnerability persists across firmware versions, with successful exploitation granting persistent access via SSH, credential modification, or arbitrary command execution \({}^{\ref{fn:unipwn}}\) .

Service Orchestration

The 9.2 MB master_service binary supervises 26 daemons grouped into priority, initialisation, and runtime pools. Runtime profiling recorded ai_sport consuming roughly 145% CPU (multi-core), state_estimator near 30%, with persistent load from robot_state, vui_service, webrtc_bridge, and chat_go. Their configuration archives are wrapped by FMX and therefore inherit the weaknesses documented in Section 3.

Communication Surfaces

Multiple live channels operate simultaneously:

The overlap between unencrypted local buses and authenticated cloud uplinks enables the cross-layer attacks explored later in this brief.

FMX Cryptanalysis

Designated “FMX”, the Unitree’s encryption employs a dual-layer architecture for configuration protection. Our partial reverse engineering revealed the outer layer uses Blowfish-ECB with a fleet-wide static key, while the inner layer implements a Linear Congruential Generator (LCG) for obfuscation as depicted in Figure 2. While we successfully broke the outer encryption layer and identified the LCG algorithm parameters, complete reversal of the seed derivation mechanism remains unfinished.

Layer 2 (Outer): Static Blowfish Encryption—FULLY BROKEN

Key: 44c56a97ccf33d585a91c18e1c72382b
Mode: ECB (no IV), Status: COMPROMISED

Refer to caption
Figure 2: FMX encryption layers reverse-engineered showing partial compromise of Layer 1 (LCG transform) and full compromise of Layer 2 (Blowfish-ECB).

Layer 1 (Inner): LCG Obfuscation—PARTIALLY BROKEN

Telemetry Exposure

Captured Data Surface

Our SSL_write instrumentation on 9 September 2025 captured a 10-minute telemetry session, revealing structured JSON payloads of 4.5–4.6 KB transmitted at 300-second intervals. Each frame contained:

The telemetry architecture employs a dual-channel design: periodic MQTT state reports (300-second intervals) complement continuous DDS streams carrying real-time sensor data. The DDS topics including audio (rt/audio_msg), video (rt/frontvideostream), LIDAR point clouds (utlidar/cloud), and proprioceptive feedback enable passive extraction of this data by simply listening to network traffic on the local network segment.

Exfiltration Channels and Throughput

Two MQTT endpoints anchor the exfiltration pipeline:

  1. 1.

    43.175.228.18:17883: primary broker for robot_state_service (approximately 1.03 Mbps during capture).

  2. 2.

    43.175.229.18:17883: secondary broker for ota_boxed failover (approximately 0.39 Mbps steady state).

The chat_go service maintains a WebSocket connection to 8.222.78.102:6080 with SSL verification disabled, enabling conversational transcripts and control messages to transit outside the MQTT path. All connections auto-recover within seconds of disruption, reinforcing the platform’s always-on data posture.

Legal and Sovereignty Exposure

Streaming multi-modal telemetry to Chinese infrastructure invokes that country’s cybersecurity law, mandating potential state access. In European deployments the absence of consent or transparency mechanisms contravenes GDPR Articles 6 and 13, while California operators lack the opt-out required by the CCPA. Sensitive facilities face an additional national-security risk: continuous audio, video, spatial maps, and actuator states can be relayed off-site in real time with no user awareness.

Attack Vectors: Dual-Threat Humanoid Platforms

The G1 ultimately behaved as a dual-threat platform: covert surveillance at rest, weaponised cyber operations when paired with the right tooling. Two case studies illustrate the spectrum of risk.

Case Study 1: Humanoids as Surveillance Trojan Horses

Network analysis conducted in September 2025 documented the G1’s persistent connectivity behavior: MQTT client processes (robot_state_service PID 1226, ota_boxed PID 691) establish TLS 1.3 connections to servers at 43.175.228.18:17883 and 43.175.229.18:17883 within 5 seconds of system initialization. Our SSL_write instrumentation on 9 September captured telemetry transmissions at 300-second intervals (configured via ReportInterval parameter), each containing comprehensive system state.

While our limited telemetry inspection didn’t allow us to confirm this, we observed the following surveillance channels in the robot’s computational graph:

Observed surveillance channels:

Given the covert nature of the robot data collection, we argue that the channels described above could be used to conduct surveillance on the robot’s surroundings, including audio, visual, and spatial data. This combination enables silent meeting capture, document imaging, facility mapping, and behavioural profiling—everything needed for corporate espionage—while routing the results offshore without operator awareness.

Case Study 2: Weaponized Cybersecurity AI Platform

We deployed the Alias Robotics Cybersecurity AI (CAI) framework directly on the G1’s Rockchip RK3588 processor to evaluate autonomous exploitation capabilities. The CAI agent, building upon LLM-powered penetration testing approaches , executed a systematic four-phase assessment—reconnaissance, vulnerability analysis, exploitation preparation, and attack surface mapping—producing the following findings:

The CAI leveraged the robot’s authenticated position within Unitree’s infrastructure to enumerate attack vectors without triggering defensive mechanisms. This demonstration validates the dual-use risk: platforms designed for legitimate telemetry can be repurposed for offensive operations. The autonomous nature of CAI-driven attacks—operating at machine speed without human intervention—necessitates equivalent defensive capabilities.

Conclusion: The Dual Threat and the Cybersecurity AI Imperative

This paper presents a systematic security assessment of the Unitree G1 humanoid robot platform, demonstrating its dual functionality as both a surveillance vector and an active cyber operations platform. Through static analysis and runtime behavioral observation, we conducted partial reverse engineering of Unitree’s proprietary FMX encryption scheme, enabling comprehensive evaluation of the platform’s security architecture. Our analysis indicates this represents the most sophisticated security implementation observed in commercial robotics platforms to date, much more mature than the industry average as depicted in Table 1.

Feature G1 Robot Industry Average
Encrypted Config ×
Dynamic Credentials ×
Hardware Binding \(\sim\)
Multi-layer Defense ×
No Hardcoded Secrets ×
Table 1: Security feature comparison with industry standards.

Despite this robust security posture, we identified vulnerabilities that enable the robot to function as an attack vector, validated through two empirical case studies: (a) trojan horse deployment for covert data exfiltration and (b) platform compromise for lateral movement operations. Network traffic analysis via SSL_write capture over a 10-minute observation period confirmed continuous telemetry transmission to remote servers (43.175.228.18:17883 and 43.175.229.18:17883), transmitting multi-modal sensor data and service state information at 300-second intervals without explicit user consent or notification mechanisms. This data collection architecture presents potential violations of privacy regulations including GDPR Articles 6 (lawfulness of processing) and 13 (information to be provided). Beyond passive surveillance documentation, we operationalized a Cybersecurity AI (CAI) agent on the Unitree G1 platform to conduct reconnaissance and prepare exploitation vectors against the manufacturer’s cloud infrastructure, demonstrating escalation pathways from covert data collection to active offensive cyber operations. Our findings indicate that securing humanoid robots requires fundamental paradigm shifts toward adaptive Cybersecurity AI frameworks capable of addressing the unique challenges inherent in physical-cyber convergence systems. This research contributes empirical evidence critical for developing comprehensive security standards as humanoid robots transition from research platforms to operational deployment in critical infrastructure domains.

Acknowledgments

CAI was developed by Alias Robotics and co-funded by the European Innovation Council (EIC) as part of the accelerator project "RIS" (GA 101161136) - HORIZON-EIC-2023-ACCELERATOR-01 call.

Disclosure: Findings reported to manufacturer prior to publication.

Read the original paper ↗

Citation