Image by UnitreeRobotics, from Unsplash
Bluetooth Flaw Lets Hackers Take Over Unitree Humanoid Robots
Reading time: 2 min
Last Updated: Oct 2, 2025
-
![Kiara Fabbri]()
-
![Sarah Frazier]()
Fact-Checked by Sarah Frazier Content Manager
Security researchers disclosed on 20 September a critical vulnerability in the Bluetooth Low Energy (BLE) Wi-Fi setup used by several Unitree robots.
In a rush? Here are the quick facts:
- Critical BLE flaw affects Unitree Go2, B2, G1, and H1 robots.
- Exploit allows root-level takeover and can spread between robots wirelessly.
- Hardcoded encryption keys let attackers inject malicious code via Wi-Fi setup.
The flaw affects Go2 and B2 quadrupeds, as well as G1 and H1 humanoids, and could allow attackers to take full control of the devices. The wireless nature of the exploit makes it “wormable,” because a single compromised robot can automatically spread the infection to nearby robots which would create a robot botnet, as explained by Spectrum who first reported the news.
The exploit, named UniPwn, was discovered by Andreas Makris and Kevin Finisterre. “A simple attack might be just to reboot the robot, which we published as a proof of concept,” Makris explains, as reported by Spectrum.
“But an attacker could do much more sophisticated things: It would be possible to have a trojan implanted into your robot’s startup routine to exfiltrate data while disabling the ability to install new firmware without the user knowing. And as the vulnerability uses BLE, the robots can easily infect each other, and from there the attacker might have access to an army of robots,” Makris added.
UniPwn takes advantage of hardcoded encryption keys in BLE packets. The encryption of “unitree” with these keys allows attackers to run any code they want. Makris and Finisterre first reported the issue to Unitree in May, but after limited response, they went public. “We have had some bad experiences communicating with them,” Makris said, as reported by Spectrum.
Unitree responded on LinkedIn, stating: “We immediately began addressing these concerns and have now completed the majority of the fixes. These updates will be rolled out to you in the near future.”
Spectrum reports that cybersecurity expert Víctor Mayoral-Vilches added: “Unitree, as other manufacturers do, has simply ignored prior security disclosures and repeated outreach attempts […] Robots are only safe if secure.”
The researchers advise users to connect to protected Wi-Fi networks while disabling Bluetooth until permanent security solutions become available from developers..The vulnerability highlights broader risks in commercial robotics, where high-profile hacks could have serious physical and reputational consequences.
Previous Story
Latest articles 
