Shipei Qu
Shipei Qu (@itewqq) is a security researcher at DARKNAVY focusing on embedded systems, reverse engineering, side-channel attacks, and cryptography. He earned his Ph.D. from Shanghai Jiao Tong University in 2025 and was previously a member of the 0ops CTF team. His research has been featured at academic conferences including CHES and DAC, and he has identified zero-day vulnerabilities in targets ranging from consumer IoT devices to the Linux kernel.
Contribution
We present a comprehensive security assessment of Unitree's robotic ecosystem. We identified and exploited multiple security flaws across several communication channels, including Bluetooth, LoRa radio, WebRTC, and cloud management services. Besides pwning several traditional binary and web vulnerabilities, we also exploited the embodied AI agent in the robots, using prompt injection to achieve root-level remote code execution. Furthermore, we leveraged a flaw in the cloud management services to take over any Unitree G1 robot connected to the Internet. By deobfuscating and patching the customized, VM-based obfuscated binaries, we unlocked robotic movements that the vendor firmware forbids on consumer models such as the G1 AIR. We hope our findings offer a roadmap for manufacturers to strengthen robotic designs, while arming researchers and consumers with the knowledge needed to assess the security of next-generation robotic systems.