Hackers Exploit Robot Dogs & Farming Equipment: Undocumented Backdoor Raises Security Fears

The robotics industry is experiencing a seismic shift. From humanoid robots assembling iPhones with precision to navigating grueling marathons, the boundaries of what these machines can achieve are constantly being redefined.

The growing interconnectedness of our world and the increasing reliance on smart devices have opened up new avenues for cybercriminals. This isn't just a theoretical concern; it's a reality impacting everyday lives. Let’s explore how! 

How Are Robot Cyberattacks Impacting Real Lives?

Recently, Swiss farmer Vital Bircher’s cow-milking robot—a cornerstone of his farm's operation—was hacked. The hackers encrypted the data and demanded a ransom—one which the farmer didn’t pay.

The harrowing experience also came with a tragic outcome—one of his cows died. Bircher was also unable to retrieve information about which animals were pregnant and for how long, for which he shelled out an additional 2,000 francs ($2,303) for a veterinarian.

Unfortunate as it was, the devastating consequences highlight the very real dangers of neglecting robotic cybersecurity. 

Undocumented Remote Access

Adding to that, security researchers recently uncovered a disturbing example of this vulnerability: a hidden remote access tunnel pre-installed on the Unitree Go1 robot dog, a quadruped device that, upon connecting to the internet, opens a backdoor, allowing for potential external control.

Researchers Andreas Makris and Kevin Finisterre revealed that this quadruped robot, developed by China's Unitree Robotics, harbors a hidden tunnel service. This service, utilizing CloudSail, a remote access solution from Zhexi Technology, automatically pings unitree.com, establishing a connection if a specific variable is enabled.

In essence, this creates a backdoor, granting external access to the robot dog without the user's explicit knowledge or consent. 

Who Controls The Robots?

“Anybody with access to the API key can freely access all robot dogs on the tunnel network, remotely control them, use the vision cameras to see through their eyes or even hop on the RPI via ssh,” the researcher warned.

Think about that for a moment. Someone, somewhere, could be watching through your robot's "eyes," controlling its movements, or even gaining access to your local network.  

This isn't just a theoretical threat. The researchers found that nearly 2,000 devices had connected to this service at some point, with active clients providing direct access to web interfaces and live camera streams, often without login credentials.

The implications are staggering.

What if these robots are deployed in sensitive environments such as hospitals or research facilities? The potential for exploitation is immense. 

Security Flaws

Adding to the concern, the robots ship with default SSH credentials. If the user doesn’t change these, it’s a wide-open door for attackers to access the underlying Raspberry Pi, potentially leading to lateral movement within their network. 

This discovery raises a crucial question: Who should control access to these devices? As the researchers pointed out, “The decision to enable such functionality should always remain with the user, not the manufacturer."

They questioned, “Did Unitree want to include this for China only? Did they plan to roll out a remote-control service to the public but never follow through? If it was meant for China only, why do all robot dogs around the world automatically enroll in the tunnel service? Is it intentional or just sloppy? Is this unfinished tunnel payment page just an excuse in case someone notices that there is a tunnel client pre-installed on the dogs?"

The researchers strongly advised “everyone with such a robot to remove it from the network permanently, as well as examine all available logs to check if their network was breached.”

This isn't just about robot dogs; it's a broader warning about the security of the Internet of Things (IoT).

From robot dogs to milking robots, the vulnerabilities are real, and the consequences can be severe. The increasing reliance on connected devices demands greater transparency and security from manufacturers.

Would you trust a robot that could be controlled without your knowledge?

Let us know in the comments below.