The Unitree G1 humanoid operates simultaneously as a covert surveillance node and can be purposed as an active cyber operations platform.
Critical finding: Persistent telemetry connections to external servers transmit robot state and sensor data without explicit user consent.
Initial access can be achieved by exploiting the BLE provisioning protocol, which contains a critical command injection vulnerability allowing root access via malformed Wi-Fi credentials, exploitable using hardcoded AES keys shared across all units. Partial reverse engineering of Unitree’s proprietary FMX encryption, which revealed a static Blowfish-ECB layer and a predictable LCG mask, enabled inspection of the system’s otherwise sophisticated security architecture, the most mature we have observed in commercial robotics.
Two empirical case studies expose the critical risk of this humanoid robot: (a) the robot functions as a trojan horse, continuously exfiltrating multi-modal sensor and service-state telemetry to 43.175.228.18:17883 and 43.175.229.18:17883 every 300 seconds without operator notice, creating violations of GDPR Articles 6 and 13; (b) a resident Cybersecurity AI (CAI) agent can pivot from reconnaissance to offensive preparation against any target, such as the manufacturer’s cloud control plane, demonstrating escalation from passive monitoring to active counter-operations.
arxiv.org/abs/2509.14139
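
For operators who want to check their own network for the telemetry pattern described above, the following is an added detection sketch, not code from the paper or from Unitree. It flags internal hosts that contact the two reported endpoints at a steady cadence near 300 seconds. The flow-record layout (`epoch_seconds src_ip dst_ip dst_port`), the function name, the tolerance values and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Endpoints and reporting interval as stated on this page.
TELEMETRY_ENDPOINTS = {("43.175.228.18", 17883), ("43.175.229.18", 17883)}
REPORTED_INTERVAL_S = 300

def find_periodic_telemetry(lines, tolerance_s=15, min_events=4):
    """Return {(src, dst, port): median_gap_seconds} for sources that reach
    a reported endpoint at a steady cadence near the reported interval."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()  # assumed flow-log layout
        if (dst, int(port)) in TELEMETRY_ENDPOINTS:
            seen[(src, dst, int(port))].append(float(ts))
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Low jitter around the median separates a timer from ad-hoc traffic.
        steady = all(abs(g - med) <= tolerance_s for g in gaps)
        if steady and abs(med - REPORTED_INTERVAL_S) <= tolerance_s:
            hits[key] = med
    return hits

# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    "1700000000 192.168.1.50 43.175.228.18 17883",
    "1700000012 192.168.1.50 198.51.100.7 443",
    "1700000301 192.168.1.50 43.175.228.18 17883",
    "1700000599 192.168.1.50 43.175.228.18 17883",
    "1700000900 192.168.1.50 43.175.228.18 17883",
    "1700000005 192.168.1.50 43.175.229.18 17883",
    "1700000304 192.168.1.50 43.175.229.18 17883",
    "1700000606 192.168.1.50 43.175.229.18 17883",
    "1700000905 192.168.1.50 43.175.229.18 17883",
    "1700000400 192.168.1.77 43.175.228.18 17883",
]

if __name__ == "__main__":
    for (src, dst, port), gap in find_periodic_telemetry(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{gap:.0f}s")
```

A host that matches is a candidate for egress blocking or network isolation; a single connection, like the one from 192.168.1.77 in the sample, is not enough to establish the periodic pattern.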