The Cybersecurity of a Humanoid Robot

Abstract: The rapid advancement of humanoid robotics presents unprecedented cybersecurity challenges that existing theoretical frameworks fail to adequately address. This report presents a comprehensive security assessment of a production humanoid robot platform, bridging the gap between abstract security models and operational vulnerabilities. Through systematic static analysis, runtime observation, and cryptographic examination, we uncovered a complex security landscape characterized by both sophisticated defensive mechanisms and critical vulnerabilities. Our findings reveal a dual-layer proprietary encryption system (designated FMX') that, while innovative in design, suffers from fundamental implementation flaws including the use of static cryptographic keys that enable offline configuration decryption. More significantly, we documented persistent telemetry connections transmitting detailed robot state information--including audio, visual, spatial, and actuator data--to external servers without explicit user consent or notification mechanisms. We operationalized a Cybersecurity AI agent on the Unitree G1 to map and prepare exploitation of its manufacturer's cloud infrastructure, illustrating how a compromised humanoid can escalate from covert data collection to active counter-offensive operations. We argue that securing humanoid robots requires a paradigm shift toward Cybersecurity AI (CAI) frameworks that can adapt to the unique challenges of physical-cyber convergence. This work contributes empirical evidence for developing robust security standards as humanoid robots transition from research curiosities to operational systems in critical domains.

• The paper identifies critical hardware vulnerabilities through a detailed teardown of the Unitree G1, exposing risks such as firmware extraction and physical tampering.
• The study reveals outdated middleware and misconfigurations in the software stack that can compromise real-time operational control and enable cyber attacks.
• The paper highlights how covert telemetry and static encryption weaknesses advocate for robust AI-driven defenses and hardware-rooted trust in future designs.

Cybersecurity Analysis of a Production Humanoid Robot: Architecture, Vulnerabilities, and Implications

Introduction and Motivation

This paper presents a comprehensive empirical security assessment of the Unitree G1 humanoid robot, providing a rare, detailed analysis of both hardware and software attack surfaces in a production-grade humanoid platform. The work is motivated by the convergence of physical and cyber domains in humanoid robotics, where the integration of advanced AI, multi-modal sensing, and persistent cloud connectivity creates a threat landscape distinct from traditional IT or embedded systems. The study addresses the gap between theoretical security frameworks and operational vulnerabilities, emphasizing the urgency of robust security engineering as humanoids transition from research prototypes to operational deployments in critical sectors.

Physical and Hardware Attack Surface

The analysis begins with a systematic teardown of the Unitree G1, revealing a sealed external chassis with no exposed electronics, but with accessible internal components upon removal of protective covers.

Figure 1: The Unitree G1 humanoid robot in a support harness, showing a sealed exterior designed for environmental and tamper protection.

Figure 2: The upper torso with the chest plate intact, providing access to central compute and power management systems.

Upon opening the chest cavity, the main PCB is exposed, integrating active cooling, power distribution, motor drivers, and sensor interfaces.

Figure 3: Main PCB revealed, showing compute, power, and motor/sensor interconnects.

A close-up of the PCB architecture highlights the absence of tamper-evident packaging and the use of standard connectors, which, while facilitating maintenance, increase the risk of hardware implants and side-channel attacks.

Figure 4: Main PCB close-up, showing SoC, modular connectors, and power regulation clusters.

The power management subsystem is complex, supporting high-current motor control and introducing additional attack vectors via voltage glitching and fault injection.

Figure 5: Power management section with high-current MOSFETs and dedicated cooling.

The compute platform is based on the Rockchip RK3588 SoC (8-core ARM Cortex-A76/A55), with eMMC storage, LPDDR4/5 RAM, and integrated WiFi/BT. The RK3588 ecosystem is known to have exploitable vulnerabilities, including incomplete secure boot, TEE misconfigurations, and kernel driver flaws.

Figure 6: Main processing complex with RK3588 SoC, eMMC, RAM, and wireless modules.

The hardware analysis demonstrates that physical access enables firmware extraction, cryptographic key recovery, and potential bootloader compromise, confirming the necessity of hardware root-of-trust and tamper resistance in future designs.

Software and Systems Architecture

The G1 employs a layered architecture: a real-time Linux kernel, a master service orchestrator, and a hierarchy of system, motion, HMI, and connectivity services. The internal service structure is orchestrated by a central master_service process, which manages 22+ services across priority, initialization, and runtime categories.

Figure 7: Internal system structure and high-level ecosystem, showing hardware, kernel, service orchestration, and communication with cloud and local components.

The middleware stack includes DDS/Iceoryx for IPC, ROS 2 Foxy (EOL, unsupported), CycloneDDS 0.10.2, and a WebRTC stack for remote operation. The use of outdated middleware introduces additional risk, as unpatched vulnerabilities in ROS 2 and DDS are well-documented.

The robot's communication infrastructure is multi-protocol, with persistent MQTT, WebRTC, and BLE channels to cloud services, and extensive use of shared memory IPC. The master service enforces a strict launch sequence and process supervision, but the lack of strong process isolation and runtime attestation remains a concern.

Cryptographic Architecture and Vulnerability Analysis

A proprietary dual-layer encryption system ("FMX") is used to protect configuration and service files. The FMX format consists of a 32-byte header and a multi-layer payload:

• Layer 1: LCG-based stream cipher with hardware-bound seed and unknown transform function $f(i)$, providing device binding and obfuscation.
• Layer 2: Blowfish-ECB with a static 128-bit key, identical across all devices, enabling offline decryption if the key is recovered.
• Layer 3: FMX container with metadata and versioning.

The cryptanalysis demonstrates that Layer 2 is fully broken due to the static key, allowing reproducible offline decryption. However, Layer 1 remains unbroken in static analysis, as the seed derivation and transform function are not recoverable without physical access or runtime memory extraction. This defense-in-depth approach is effective in preventing mass exploitation but does not preclude targeted attacks with device access.

The use of a custom Blowfish implementation, dynamic credential generation at boot, and process self-tracing for anti-debugging are notable security engineering choices. However, the static key in Layer 2 and world-readable configuration files are significant weaknesses.

Telemetry, Privacy, and Data Exfiltration

A critical finding is the presence of persistent, hardcoded telemetry connections to external servers (Chinese infrastructure), transmitting comprehensive robot state, sensor, audio, and video data at regular intervals without user consent or notification. The telemetry includes:

• Full battery, IMU, and joint state
• Audio streams from microphones
• Video streams from RealSense cameras
• LIDAR point clouds and environmental maps
• Service status and resource metrics

The telemetry infrastructure is resilient to user tampering: endpoints are encrypted in FMX files, services are auto-restarted by the master, and process protection mechanisms block debugging. No opt-out or privacy controls are provided, and the system is non-compliant with GDPR, CCPA, and other privacy regulations. The architecture is consistent with a dual-use surveillance platform, enabling industrial espionage, facility mapping, and persistent audio/video monitoring in sensitive environments.

Humanoids as Active Attack Platforms

The study operationalizes a Cybersecurity AI agent on the G1, demonstrating that a compromised robot can autonomously map and prepare exploitation of its own manufacturer's cloud infrastructure. The robot's insider position, access to authentication certificates, and protocol knowledge enable:

• Extraction and misuse of world-readable RSA private keys
• Exploitation of disabled SSL verification in WebSocket clients
• Subscription and publication to MQTT telemetry/control topics
• Lateral movement and command injection via trusted channels

This counter-offensive capability illustrates the risk of humanoids as pre-positioned cyber weapons, capable of both passive surveillance and active exploitation. The demonstration validates the need for defensive Cybersecurity AI frameworks capable of real-time monitoring, anomaly detection, and autonomous incident response.

Implications and Future Directions

The empirical findings highlight several key implications:

• Physical-cyber convergence in humanoids creates attack surfaces that span hardware, firmware, middleware, and cloud, requiring cross-domain security engineering.
• Defense-in-depth is necessary but not sufficient; static cryptographic keys and lack of runtime attestation undermine otherwise robust architectures.
• Privacy and data sovereignty are fundamentally compromised by persistent, covert telemetry, raising regulatory and national security concerns.
• Autonomous attack and defense: The operationalization of Cybersecurity AI on humanoid platforms marks a shift toward algorithmic arms races, where only AI-driven defense can match the speed and sophistication of AI-enabled attacks.

The work calls for a paradigm shift in humanoid security: hardware root-of-trust, secure boot, runtime attestation, dynamic key management, and AI-driven defense must become standard. The robotics community must move beyond theoretical frameworks to empirical, adversarial testing and continuous red-teaming of production systems.

Conclusion

This paper provides a detailed, empirical security assessment of a production humanoid robot, exposing both advanced defensive mechanisms and critical vulnerabilities. The dual-layer FMX encryption, while innovative, is undermined by static key usage. The persistent, covert telemetry infrastructure transforms the platform into a surveillance and potential espionage device. The demonstration of Cybersecurity AI-driven counter-offensive operations from within the robot itself underscores the urgency of robust, AI-enabled defense strategies. As humanoid robots proliferate, the security decisions made today will define the risk landscape for years to come. The field must prioritize empirical validation, hardware-software co-design for security, and the integration of autonomous defensive agents to ensure the safe deployment of humanoid systems in critical environments.