Chinese Cybersecurity Expert Hacks Control System of Unitree's Humanoid Robot in One Minute

(Yicai) Dec. 17 -- Commercial robots have widespread and exploitable vulnerabilities that can allow hackers to take over within hours or even minutes, according to Chinese cybersecurity experts.Security in the robotics industry is "riddled with holes," said Xiao Xuangan, who works at Darknavy, an independent cybersecurity research and services firm based in Singapore and Shanghai. Xiao noted that when testing low-level security issues in quadruped robots, his team gained control of one of Deep Robotics’ Lite-series products in just an hour.Qu Shipei, another expert at Darknavy, showed Yicai how he could take control of one of Unitree Robotics’ humanoid machines. After about a minute the indicator light on the android's head turned from blue to red, it stopped responding to its controller, and then under Qu's command it rushed toward Yicai’s reporter swinging its fist.The hack has two stages, Xiao said. The hacker first takes control remotely, then they bypass the official remote controller to directly activate the robot’s motor and execution unit. Hackers can then make it perform aggressive and potentially harmful actions, Xiao pointed out.This is the core of security risks in robots, Xiao said. When network vulnerabilities are combined with real physical execution capabilities, the impact extends the data system, he said.Unitree Robotics set up a security department in the second half of this year, but Deep Robotics, EngineAI Robotics Technology, and others have yet to do so, Yicai found.The safety loopholes in some humanoid robots are clearly related to the industry’s development stage, noted Lin Yipei, a robotics engineer. For example, about 80 percent of Unitree's quadrupeds were used in scientific research, education, and consumer fields last year, but for the convenience of debugging and rapid iteration, they were often shipped with developer-oriented interfaces such as remote login and low-level control, Li said.“Those functions are usually turned off in mature mass-produced products, such as cars, to avoid exposure to potential attackers,” Li pointed out. If those functions are abused when robots enter the public domain, it may lead to non-users being able to take control, dramatically increasing safety risks, Li said.Researcher Xu Zikai said a person at his company received a foot injury from an out-of-control robot. He did not disclose the firm’s name. He referenced another case involving a quadruped robot that slammed into children at the World Robot Conference in Beijing in August.Robots are far from being "absolutely safe," Xu noted, adding that their safety should cover models, systems, hardware, and development, forming a multi-layered defense system, "otherwise attackers often follow the 'barrel principle' and break into the system from the weakest link.”The barrel principle states that the capacity or performance of a system is limited by its weakest component, just as a wooden barrel's water-holding capacity is determined by its shortest stave, not its longest.Editor: Martin Kadiev