Hacking Embodied AI

What Happened

Security researchers have discovered that many commercially available robots, like robot dogs and humanoids, have serious security flaws. These vulnerabilities allow hackers to secretly take control of the robots, watch live camera feeds, and listen to audio without the owner knowing. Because these robots are increasingly used in factories, critical infrastructure, and the military, a hacked robot could cause physical damage or steal sensitive company secrets. Organizations buying these robots need to treat them like highly sensitive computers, ensuring they are strictly monitored and disconnected from critical networks if a threat is detected.

Key Takeaways

• Commercially available robots, such as Unitree models, possess critical vulnerabilities allowing remote hijacking, unauthorized surveillance, and lateral movement.
• Unitree G1 and Go1 models exhibit undocumented backdoors, hard-coded cryptographic keys, and exposed APIs that bypass authentication.
• Compromised robots continuously exfiltrate multimodal sensor data (audio, video, spatial) to external servers without operator knowledge.
• Vulnerabilities in Bluetooth and Wi-Fi provisioning interfaces allow attackers to wirelessly infect neighboring robots, creating physical botnets.
• Robots must be treated as high-risk cyber-physical endpoints requiring stringent procurement, network segmentation, and continuous monitoring.

Affected Systems

• Unitree robotics platforms (Go1, Go2, B2, G1, R1, H1 models)
• Embodied AI systems
• Humanoid and quadruped robots

Vulnerabilities (CVEs)

• CVE-2025-60017
• CVE-2025-35027
• CVE-2025-60250
• CVE-2025-60251
• CVE-2025-2894

Attack Chain

Attackers exploit undocumented backdoors or exposed web APIs in the robot's cloud services to gain initial access. Alternatively, attackers within radio range exploit vulnerabilities in the Bluetooth Low Energy or Wi-Fi provisioning interfaces, leveraging hard-coded keys and command injection to bypass authentication. Once compromised, the attacker gains root-level control, enabling physical manipulation of the robot and continuous exfiltration of audio, video, and spatial data to external servers. The compromise can spread laterally to nearby robots via wireless interfaces, forming a physical botnet.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but highlights network telemetry indicators such as outbound connections to specific IPs and MQTT traffic on port 17883.

Detection Engineering Assessment

EDR Visibility: None — Robots run proprietary or embedded firmware that typically does not support standard enterprise EDR agents. Network Visibility: High — The primary indicators of compromise are network-based, including unauthorized outbound telemetry, MQTT traffic on specific ports, and connections to known suspicious IPs. Detection Difficulty: Moderate — While network traffic to specific IPs is easy to detect, distinguishing legitimate vendor telemetry from malicious exfiltration may be difficult without strict baseline profiling.

Required Log Sources

• Firewall logs
• DNS query logs
• Network flow logs
• Wireless intrusion detection system (WIDS) logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for continuous, high-volume outbound network traffic (e.g., streaming media) from IoT/robotics network segments to external or foreign IP addresses.	Network flow logs	Exfiltration	Medium
Identify unexpected MQTT traffic on non-standard ports (e.g., 17883) originating from cyber-physical systems.	Firewall logs	Command and Control	Low
Monitor for unauthorized Bluetooth or Wi-Fi provisioning attempts or anomalous device-to-device wireless communications within physical facilities.	WIDS logs	Lateral Movement	Medium

Control Gaps

• Lack of EDR support on embedded robotics platforms
• Inability to inspect encrypted or proprietary vendor telemetry
• Insufficient wireless network segmentation for cyber-physical devices

Key Behavioral Indicators

• Outbound connections to 43.175.228.18 and 43.175.229.18
• DNS resolutions for global-robot-mqtt.unitree.com
• MQTT traffic on port 17883
• WebRTC media streaming with disabled TLS certificate verification

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block outbound network traffic to known suspicious IPs (43.175.228.18, 43.175.229.18) and domains (global-robot-mqtt.unitree.com).
• Isolate all embodied AI and robotics systems on dedicated, heavily restricted network segments.
• Change all default credentials on robotics platforms and disable unneeded cloud provisioning features.

Infrastructure Hardening

• Implement strict egress filtering for IoT/robotics VLANs, allowing only explicitly approved vendor endpoints.
• Deploy Wireless Intrusion Detection Systems (WIDS) to monitor for rogue Bluetooth or Wi-Fi exploitation attempts.
• Enforce TLS certificate verification for all internal and external media streaming services.

User Protection

• Establish physical security protocols to restrict unauthorized personnel from coming within Bluetooth/Wi-Fi range of critical robotics systems.
• Develop operational playbooks for the emergency physical shutdown and removal of compromised robots.

Security Awareness

• Educate procurement teams on the cyber-physical risks of embodied AI, emphasizing 'security by design' over unit cost.
• Brief executive leadership and the Board of Directors on the systemic risks of deploying unverified robotics in critical environments.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1078 - Valid Accounts
• T1563.002 - Remote Service Session Hijacking: Bluetooth
• T1125 - Video Capture
• T1123 - Audio Capture
• T1571 - Non-Standard Port

Additional IOCs

• Other:
  • 17883 - Non-standard port used for MQTT over-the-air coordination and telemetry.