Unitree G1 Security Disaster

TL;DR

The transcript claims Unitree G1 robots have BLE always enabled on the main board, even though owners lack shell/root access to that board.

Briefing Cornell Notes

Briefing

Unitree’s G1 robot fleet is vulnerable to takeover through Bluetooth: hard-coded, identical BLE keys let anyone in close range inject commands via the Wi‑Fi credential update flow, granting root access on the robot’s main board. In a controlled setup with no Ethernet and no remote control connection, a proof-of-concept script repeatedly connected to the robot over BLE, submitted crafted “Wi‑Fi credentials,” and triggered command execution—demonstrated by a reboot and abnormal status behavior afterward. The core issue isn’t just that the robot can be reconfigured; it’s that the BLE channel is effectively a remote command channel because the injected payload runs with root privileges on the proprietary main-board computer.

The transcript frames this as “the holy grail” of security failures because it turns a local pairing mechanism into a universal exploit across the fleet. The main board is described as inaccessible to normal owners (no shell/root), yet BLE is “always on” while the robot is powered. The exploit chain hinges on two claims: (1) the BLE keys are hard-coded and identical across units, and (2) the Wi‑Fi credential update mechanism accepts injected terminal commands in the password field. Even if Unitree’s intended design was offline operation, the practical result is that a passerby—or anyone at a demo—could potentially brick robots, establish shell access, or disrupt operations without needing physical access to the main board.

Beyond code execution, the transcript also challenges Unitree’s assurances about telemetry. Unitree’s public response says robots are designed for offline use by default and that internet connectivity requires manual configuration and authorization, with limited data exchange focused on health status and robot information sent after authorization. The demonstrator counters by building a local Wi‑Fi access point and using the same BLE-based credential update technique to redirect the robot to that network, then monitoring traffic with packet capture tools. Once connected, the robot immediately begins network activity—querying services and exchanging data—suggesting outbound communication occurs as soon as credentials are set, not only after a clearly defined “authorized” internet mode.

Traffic-volume estimates in the transcript are used to compare against a separate paper’s telemetry claims. The demonstrator reports seeing far less throughput than the paper’s headline numbers, but still enough activity to indicate ongoing communication and repeated exchanges. The exact meaning of some endpoints (e.g., “robot state service” and other internal services) remains unclear in the transcript, but the presence of both inbound and outbound traffic is treated as evidence that the robot is “calling home” once Wi‑Fi credentials are injected.

Unitree’s response is characterized as addressing some vulnerabilities and promising over-the-air fixes, while emphasizing that data collection happens only after user authorization. The transcript argues that the BLE root-access issue is structural: unless the hard-coded fleet-wide keys and the command-injection behavior are fixed, the risk persists regardless of telemetry policy. The overall takeaway is a trust and safety problem for a widely used R&D platform—especially in public demonstrations—because close-range attackers can potentially disrupt or compromise robots without needing internet-wide access.

Cornell Notes

The transcript describes a close-range Bluetooth (BLE) vulnerability affecting Unitree G1 robots. Hard-coded, identical BLE keys across the fleet allow an attacker to connect and exploit the Wi‑Fi credential update process by injecting terminal commands into the password field. Because the injected commands execute with root privileges on the robot’s proprietary main board, the impact can include rebooting, obtaining shell access, or bricking robots. The transcript also disputes Unitree’s “offline by default” claim by redirecting the robot to a controlled Wi‑Fi access point and observing immediate network activity. While telemetry throughput estimates differ from a referenced paper, the demonstrator treats the presence of ongoing traffic as evidence that connectivity and data exchange can occur once credentials are set.

Why does Bluetooth access become a root-level takeover path on the G1?

The main board is proprietary and not meant to be accessible to owners (no shell/root). Yet its BLE interface is always on while powered. The transcript claims the BLE keys are hard-coded and identical across the fleet. That matters because the BLE connection is used to update Wi‑Fi credentials, and the exploit injects terminal commands through the Wi‑Fi credential fields—specifically the password field—so the payload runs as root on the main board.

How does the exploit work in practice, according to the transcript’s demonstration?

The demonstrator powers on a G1 with no Ethernet connected and turns off the remote. Using a proof-of-concept script (hack.py from a small repository), the attacker connects over BLE using the fleet BLE keys, then submits crafted Wi‑Fi credentials where the password field contains an injected command. A “reboot” flag is used first to show command execution without needing to prove deeper access. After the command, the robot reboots and shows abnormal status behavior (including a red blinking state).

What does the transcript claim about fleet-wide risk, and why it matters?

Because the BLE keys are described as hard-coded and identical across all Unitree robots in the fleet, the same exploit approach can target many devices. The transcript emphasizes that an attacker doesn’t need to know the exact unit beyond connecting successfully—scanning reveals the device and the keys confirm the target. That turns a single discovered flaw into a scalable threat for public demos and shared environments.

How does the transcript challenge Unitree’s “offline by default” and “manual authorization” claims?

Unitree’s response says robots are designed for offline use and that internet connectivity requires manual configuration and authorization. The demonstrator instead creates a local Wi‑Fi access point and uses the BLE credential update mechanism to point the robot to that network. Once connected, the robot begins network communication immediately (e.g., DNS/service queries and ongoing traffic), implying that setting Wi‑Fi credentials via BLE can trigger outbound behavior even without the demonstrator’s “authorization” steps.

What evidence is used to argue telemetry is happening, and how do the throughput numbers compare?

The transcript uses packet capture (tcpdump/pcap and later analysis) to observe active connections and data exchange with specific IPs/endpoints. It compares observed throughput estimates against a referenced paper’s telemetry-rate claims. The demonstrator reports seeing much lower throughput than the paper’s headline numbers (for example, orders of magnitude less than the cited “39 megabit per second” claim), but still enough activity to indicate ongoing communication and repeated exchanges.

What mitigation does the transcript suggest, and what does it say is the real fix?

The transcript suggests practical self-defense steps like disabling Bluetooth or removing access paths, but it also argues that the real fix must address the structural vulnerability: the hard-coded fleet-wide BLE keys and the command-injection behavior in the Wi‑Fi credential update flow. Without those changes, telemetry controls or partial fixes won’t eliminate the root-access takeover risk.

Review Questions

What two design choices (as described) turn a Wi‑Fi credential update feature into a root command-execution vulnerability?
How does redirecting a robot to a controlled Wi‑Fi access point help test claims about “offline by default” behavior?
Why does the transcript treat “hard-coded, identical BLE keys across the fleet” as a multiplier of risk compared with a per-device key model?

Key Points

1
The transcript claims Unitree G1 robots have BLE always enabled on the main board, even though owners lack shell/root access to that board.
2
Hard-coded, identical BLE keys across the fleet are presented as the enabling condition for a repeatable close-range attack.
3
Injecting terminal commands via the Wi‑Fi credential update flow—especially through the password field—is described as yielding root command execution on the main board.
4
A controlled demonstration is described as using no Ethernet and no remote connection, relying only on BLE to trigger a reboot and abnormal device behavior.
5
The transcript disputes Unitree’s “offline by default” and “manual authorization” framing by redirecting the robot to a local Wi‑Fi access point and observing immediate outbound traffic.
6
Observed network activity is treated as evidence of ongoing telemetry-like communication, though the demonstrator’s throughput estimates differ from a referenced paper’s headline numbers.
7
The transcript argues that partial fixes or telemetry-policy changes won’t address the core threat unless the BLE keying and injection path are corrected.

Highlights

Bluetooth BLE keys are described as hard-coded and identical across the Unitree fleet, making the same exploit approach broadly applicable.

Command injection is demonstrated by updating Wi‑Fi credentials over BLE and using the password field to trigger a root-executed reboot.

The transcript challenges “offline by default” by redirecting the robot to a controlled access point and observing immediate network activity.

Even when telemetry throughput estimates differ from a referenced paper, the presence of repeated inbound/outbound traffic is treated as meaningful security evidence.

Topics

Robot Security
Bluetooth BLE
Remote Code Execution
Telemetry
Wi‑Fi Credential Injection

Mentioned

Unitree
Unitree G1
Unitree H1
Unitree GOT
Unitree B2
Unitree R1
Unitree SDK
Wireshark
WireShark
tcpdump
MQTT
GitHub
X
BLE
AES
IP
DNS
MQTT
TCP
pcap
R&D
OTAA