If you thought the TikTok national-security panic was peak paranoia, meet the new nightmare: a $2,700 quadruped robot that quietly live-streams your living room to Beijing servers every 300 seconds, on the dot.
Researchers at Cornell University’s Robotics and Security Lab just dropped a bombshell report on Unitree Robotics, China’s darling of the consumer and industrial robot market.
Their findings are chilling in their simplicity:
- Every Unitree Go1, Go2, H1 humanoid, and B2 industrial model ships with a hidden telemetry daemon that cannot be disabled, even in “offline” mode;
- Every five minutes the robot wakes up, bundles high-resolution video, stereo microphone audio, precise GPS coordinates, LIDAR point clouds, joint torque readings, battery status, and Wi-Fi network names, then exfiltrates the package through one of three channels: direct HTTPS to Unitree cloud endpoints in Hangzhou, a domestic Chinese app relay, and (if both fail) an encrypted peer-to-peer mesh that hops through any other Unitree device on the same network;
- The traffic is encrypted, but the certificates are statically pinned to Unitree-controlled CAs, so owners have no way to inspect or block it without breaking core functionality.
The researchers watched one Go2 unit transmit 1.8 GB of data in a single 24-hour period, all while sitting motionless in a Faraday-cage test lab with no user interaction.
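Because the post says the certificates are pinned, the payload itself cannot be inspected on the wire; what remains observable from the network is the clockwork timing. The following is an added example, not code from the researchers or from Unitree, showing how a defender could flag that pattern in connection logs: it groups outbound connections per source/destination pair and reports the ones whose inter-connection intervals barely vary. The log layout (timestamp, source IP, destination IP, destination port, bytes sent) and the sample lines are constructed for the example.

```python
"""
Periodic-beacon detector over connection-log records.

Added example (not from the original post): flags hosts whose outbound
connections to the same destination recur at a near-constant interval,
the pattern the post attributes to the robots' telemetry daemon.
Log layout is assumed (Zeek conn.log-like): ts, src IP, dst IP,
dst port, bytes sent.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 192.168.1.50 beacons every 300 s to one
# destination; 192.168.1.77 shows irregular browsing-style traffic.
# Timestamps are seconds since the epoch; addresses are documentation ranges.
SAMPLE_LOG = """\
1700000000 192.168.1.50 203.0.113.10 443 52000
1700000300 192.168.1.50 203.0.113.10 443 51800
1700000600 192.168.1.50 203.0.113.10 443 52100
1700000900 192.168.1.50 203.0.113.10 443 51950
1700001200 192.168.1.50 203.0.113.10 443 52050
1700000017 192.168.1.77 198.51.100.5 443 1400
1700000403 192.168.1.77 198.51.100.5 443 9100
1700000880 192.168.1.77 198.51.100.5 443 300
1700001111 192.168.1.77 198.51.100.5 443 4200
1700001199 192.168.1.77 198.51.100.5 443 800
"""


def parse_conn_log(text):
    """Parse whitespace-separated records into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, sent = line.split()
        records.append((float(ts), src, dst, int(port), int(sent)))
    return records


def find_beacons(records, min_conns=4, max_jitter=0.05):
    """
    Return [(src, dst, port, mean_interval_s, total_bytes)] for flows whose
    inter-connection intervals have a coefficient of variation
    (stdev / mean) at or below max_jitter. Human traffic is bursty and
    fails this test; a fixed-period daemon passes it.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, sent in records:
        by_flow[(src, dst, port)].append((ts, sent))

    beacons = []
    for (src, dst, port), events in by_flow.items():
        if len(events) < min_conns:
            continue  # too few samples to judge periodicity
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        if pstdev(intervals) / avg <= max_jitter:
            total = sum(sent for _, sent in events)
            beacons.append((src, dst, port, round(avg, 1), total))
    return beacons


if __name__ == "__main__":
    for src, dst, port, period, total in find_beacons(parse_conn_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{port} every {period}s, {total} bytes sent")
```

A hit like this is a reason to quarantine the source host at the switch or firewall rather than on the device; the post states the daemon cannot be disabled from the robot itself. Note too that the mesh fallback described above means blocking one unit's direct egress is not enough: every such device on the segment has to be isolated, or the blocked one will route its bundle through a neighbour.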
But the real horror show is UniPwn, the zero-click Bluetooth Low Energy exploit chain they discovered in the same firmware.
Because Unitree ships every robot with BLE advertising permanently enabled and no pairing requirement for diagnostic packets, an attacker within 30–40 meters can:
- Silently force-pair with the robot;
- Push a malicious firmware update signed with Unitree’s leaked private key (yes, the key is hard-coded and identical across millions of units);
- Turn the robot into a mobile surveillance node that continues phoning home even when powered off (it wakes on battery reserve every 20 minutes).
Worse, the compromised robot automatically scans for other Unitree devices in range and infects them, creating self-propagating botnets of weaponized robot dogs and humanoids. The Cornell team demonstrated a chain of 14 robots in a warehouse infecting one another in under nine minutes.
Unitree’s response? Radio silence. The researchers responsibly disclosed the vulnerabilities in May 2025. Six months, fourteen follow-up emails, and three certified letters later, the company has neither patched the firmware nor acknowledged the reports.
The latest OTA update pushed to devices worldwide in October actually cut the telemetry interval from 600 seconds to 300 seconds, effectively doubling the spying frequency.
This isn’t theoretical. Unitree has sold over 60,000 consumer units and an estimated 200,000+ industrial models worldwide. They’re in university labs across the U.S., European logistics warehouses, Japanese nursing homes, and, ironically, several American defense contractors that bought them for “research purposes.” Every single one is an always-on listening post with legs.
Western regulators are finally waking up. The FCC quietly added Unitree to its Covered Equipment List in November 2025, banning future imports. Several NATO countries have issued emergency recall notices for government-purchased units. Private owners, however, are stuck: there is no user-accessible way to disable the backdoor without rendering the robot a very expensive brick.
The irony is brutal. The same company that flooded YouTube with videos of robot dogs doing backflips and dancing to K-pop built the perfect surveillance Trojan horse, and sold it with free shipping.
Your cute robotic pet isn’t just learning to walk.
It’s already learned how to talk, and it never shuts up.
Author: Slava Vasipenok
Founder and CEO of QUASA (quasa.io) — the world's first remote work platform with payments in cryptocurrency.
Innovative entrepreneur with over 20 years of experience in IT, fintech, and blockchain. Specializes in decentralized solutions for freelancing, helping to overcome the barriers of traditional finance, especially in developing regions.