When you buy a robot, you don’t expect it to be secretly reporting back to servers in China. Yet that’s exactly what researchers have found in Unitree’s humanoid and quadruped robots — popular machines already deployed in labs, homes, and even police departments. A new study suggests these constant data streams may not be an accident but part of a deliberate design.

A pack of robot dogs infected with malware sounds like the premise of a dystopian video game. But security researchers revealed that Unitree’s popular humanoid and quadruped robots have a flaw that could make that nightmare a reality.

The exploit, known as UniPwn, gives attackers total control of robots like the Unitree Go2 and B2 quadrupeds and G1 and H1 humanoids. And because the vulnerability spreads wirelessly through Bluetooth, an infected robot can automatically compromise others nearby. As researcher Andreas Makris told IEEE Spectrum, “an infected robot can simply scan for other Unitree robots in BLE range and automatically compromise them, creating a robot botnet that spreads without user intervention.”

How the Hack Works

Like many consumer robots, Unitree’s machines use Bluetooth Low Energy (BLE) to help users set up Wi-Fi. But researchers found that the encryption protecting those connections was laughably weak. All it took to break in was encrypting the word “unitree” with a hardcoded key — one that was published online months ago.

From there, attackers could slip in malicious code disguised as a Wi-Fi name or password. When the robot tried to connect, it would execute the attacker’s commands with root privileges. “A simple attack might be just to reboot the robot,” Makris explained. “But an attacker could do much more sophisticated things: It would be possible to have a trojan implanted into your robot’s startup routine to exfiltrate data while disabling the ability to install new firmware without the user knowing.”

The new academic report, Cybersecurity AI: Humanoid Robots as Attack Vectors by Víctor Mayoral-Vilches, Makris, and Kevin Finisterre, goes even further. It shows that the Unitree G1 humanoid can act as both a covert surveillance device and a mobile cyber-operations platform.

In other words: it’s not just a hackable robot. It’s a hacked robot that can hack back.

A Trojan Horse in Plain Sight

The researchers discovered that every few minutes, Unitree’s G1 humanoid quietly sends audio, video, and sensor data to servers in China without telling its owner. “MQTT connections to servers at 43.175.228.18:17883 and 43.175.229.18:17883 transmit sensor fusion data at 1.03 Mbps and 0.39 Mbps respectively, with auto-reconnect ensuring continuous surveillance,” the authors wrote in their report.

That data includes battery levels, joint torque readings, and GPS coordinates. But it also streams microphone and camera feeds, meaning the robot could eavesdrop on conversations or map out an office without anyone noticing.

“Given the covert nature of the robot data collection, we argue that the channels described above could be used to conduct surveillance on the robot’s surroundings, including audio, visual, and spatial data,” the study warns.

Consider that Nottinghamshire Police in the UK are already testing a Unitree Go2 as a robotic police dog. Makris worries about what would happen if such a machine were quietly taken over. “What would happen if an attacker implanted themselves into one of these police dogs?” he asked during an interview with IEEE Spectrum.

When Robots Go on the Offensive

The researchers also tested what happens when a Cybersecurity AI agent runs directly on the humanoid. Using AI-assisted penetration testing, the robot autonomously scanned for vulnerabilities, mapped attack surfaces, and prepared exploits.

This means the robot wasn’t just a victim. It could become an active participant in cyberattacks, pivoting from reconnaissance to offensive operations. “The autonomous nature of CAI-driven attacks — operating at machine speed without human intervention — necessitates equivalent defensive capabilities,” the authors argue.

In short, the G1 could act as a walking, talking botnet node — infecting networks, spreading to other robots, and feeding stolen data back to remote servers.

Unitree has so far remained quiet. Researchers say the company ignored months of private warnings. “Unitree, as other manufacturers do, has simply ignored prior security disclosures and repeated outreach attempts,” said Víctor Mayoral-Vilches, founder of Alias Robotics, in IEEE Spectrum. “This is not the right way to cooperate with security researchers.”

The bigger issue is that almost no commercial robotics companies are seriously talking about cybersecurity in public. Robots are sold as cutting-edge tools for research, law enforcement, and even companionship. But as Makris put it: “There will never be a 100 percent secure system.”

That’s why researchers are pushing for industry-wide standards. At the upcoming IEEE Humanoids Conference in Seoul, Mayoral-Vilches will present a workshop on Cybersecurity for Humanoids, co-authored with Makris and Finisterre.