Unitree Robotics Responds to Cybersecurity Issues about Go1 Robot

Recent reports have raised concerns over the cybersecurity of the Go1 quadruped robot developed by Unitree. We reached out to Unitree Robotics and received a clarification regarding this issue.

Go1 Cybersecurity Statement from Unitree:

In response to recent claims by some bloggers that the Go1 robot by Unitree has installed a backdoor vulnerability, we have conducted an investigation and hereby announce the following: 

  • Conclusion: After inspection and reproduction, this issue has been identified as a cybersecurity vulnerability. Hackers illegally obtained the management key of the third-party cloud tunnel service used by Go1 and used it to modify data and programs within the user’s machine with high-level permissions, thereby gaining operational control and video stream access to the user’s machine, compromising customer privacy and security. This key is provided, stored, and authenticated by a third-party cloud service provider (Zexi Cloud). Any disclosure or compromise of the key is unrelated to security management of Unitree. 
  • Service Involved: The third-party cloud tunnel service used by Go1 (hereinafter referred to as the tunnel service). 
  • Purpose of the Service: It is used to enable users to remotely control and operate the Go1 robot. This function is a common feature among many robots on the market. It works by remotely sending user operation commands and having the machine transmit images back. 
  • Scope of Involvement: The Go1 series released in 2021 (which has been discontinued for about two years) and machines that are online on the public network (the robot dogs are not online by default unless the customer sets them to be online). The actual number of online machines is very small. Subsequent series such as Go2, B2, H1, and G1 have never used this solution and instead have adopted a more secure upgraded version, so they are not affected. 
  • Tunnel Service Launch Date: October 19, 2021. 
  • Third-Party Cloud Provider: Zexi Cloud, which has now been acquired by Shanghai Beirui. 
  • Difference Between Vulnerability and Backdoor: The main differences lie in concealment and intent.
  • In terms of concealment, users can log into the device using the default username and password. In the Unitree directory, they can view all the files deployed by Unitree, including this third-party tunnel service. With such convenient access conditions, even novice computer users can complete this operation. Therefore, we did not deliberately hide the program files provided to customers. Regarding intent, the service is only used to demonstrate the remote-control function to customers. The risks in terms of stability and security have been noted in Article 2.5 of the Unitree Remote Communication Service Agreement at https://tunnel.unitree.com/. Moreover, the Go1 robot is completely offline by default, so we have no intention of automatically collecting user data.
  • Unitree has always attached great importance to customer privacy. We will not obtain any user data without permission and will not deliberately leave backdoors. We highly value information security. For example, the servers currently used for overseas robot OTA upgrades are not located in mainland China. 
  • Solution: On March 24, 2025, we changed the management key of this tunnel service, and on March 29, 2025, we completely shut down this tunnel service. This issue will no longer affect the use of the Go1 series products.