Security Flaws Found in Yushu Technology Robots, Raising Control concerns
A significant security vulnerability has been discovered in several robots manufactured by Yushu Technology, possibly allowing attackers to gain full control of the devices. The issue, reported by IEEE Spectrum on September 25th, centers around a flaw in the Bluetooth Low-Energy (BLE) Wi-Fi configuration interface used by the robots. Security personnel initially alerted the company to the vulnerability on september 20th.
The affected models include the Yushu Go2 and B2 quadruped robots, and also the G1 and H1 humanoid robots. Researchers characterize the vulnerability as “wormable,” meaning it can self-propagate wirelessly.This allows an infected robot to automatically compromise other Yushu robots within BLE range, creating a potentially widespread “robot botnet” without any user interaction – a first-of-its-kind vulnerability disclosed on a commercial humanoid robot platform.
the vulnerability stems from a weak authentication process. While the robots verify BLE packet content, they reportedly allow login simply by encrypting the string “unitree” (Yushu’s English name) with a pre-defined, hardcoded key.
Security researcher Andreas makris explained that while a simple attack could merely restart a robot, more complex attackers could implant malware or steal data. The BLE transmission method makes the robots susceptible to rapid “infection” across a network.
Researchers first contacted Yushu Technology in May to report the vulnerability. After repeated attempts to communicate and a lack of response from Yushu in July, they decided to publicly disclose the flaw. Makris expressed frustration with the communication process and noted a previous discovery of a backdoor vulnerability in the Yushu Go1 model, raising questions about whether the vulnerabilities are intentional or the result of careless development.
As of the report’s publication, Yushu Technology had not responded to requests for comment from IEEE Spectrum.
Victor Mayoral-Vilches, founder of robotic cybersecurity company Alias Robotics, criticized Yushu’s response, stating the company “ignores previous security exposures and multiple attempts to contact.” He also previously identified undisclosed telemetry data from yushu robots being transmitted to servers in china, potentially including sensitive information like audio, images, and spatial data.
Mayoral-Vilches highlighted the accessibility and affordability of Yushu robots as a reason for the increased scrutiny from security researchers, emphasizing that users worldwide may be unaware of the potential risks.
A particular concern was raised regarding the Nottingham police in the UK,who are currently testing the vulnerable Go2 model. Researchers attempted to proactively inform the police department of the vulnerability before public disclosure, but their efforts were reportedly ignored, prompting concerns about potential misuse by attackers.
In the short term, researchers recommend users connect their yushu robots to isolated Wi-Fi networks and disable Bluetooth connectivity. However, both Mayoral-Vilches and Makris agree that Yushu Technology must prioritize long-term security and actively engage with security researchers and users to address the underlying issues.
Makris cautioned that achieving 100% security is unrealistic, but proactive measures are crucial to mitigate the risks.
