Security researchers have uncovered a critical flaw in Unitree robots that grants attackers root access and enables covert data exfiltration every few minutes. Dubbed UniPwn, the exploit affects humanoid and quadruped models alike, underscoring how physically capable robots can become powerful cyber weapons and surveillance nodes when security lags behind hardware progress.
Disclosed on 20 September 2025 by Andreas Makris and Kevin Finnisterre, UniPwn targets the Bluetooth Low Energy provisioning interface used for Wi-Fi setup. The system relies on hardcoded encryption keys and accepts malformed Wi-Fi credentials, allowing attackers to inject shell commands with root privileges. This enables remote software installation, firmware modification, and backdoor creation without physical access.
The exploit is wormable, meaning a single infected robot can automatically scan and compromise nearby Unitree devices. Proof-of-concept code, payloads, and analyses have already been released, with CVE records added to the U.S. NVD database, confirming multiple affected models.
Investigations revealed that Unitree’s G1 humanoid secretly transmits audio, video, and sensor telemetry, including GPS, actuator states, and battery levels, to servers in China at five-minute intervals. This hidden exfiltration threatens privacy, corporate secrecy, and even national security in sensitive settings such as labs, hospitals, and factories.
Humanoid platforms like the G1 and H1 combine sensors, mobility, and cloud connectivity, multiplying the risks of compromise:
Unitree has acknowledged the flaw, promising patches while advising users to disable Bluetooth, isolate networks, and apply updates. Security teams recommend further safeguards: enforce VLAN segregation, monitor traffic, require firmware signing, and run red-team exercises.
Experts expect UniPwn to accelerate calls for robotic security standards covering secure boot, telemetry transparency, and vulnerability disclosure. Military, academic, and industrial adopters will now weigh proven cybersecurity practices before procurement.