What Was Discovered in the Unitree Go1?
In a detailed technical report released in April 2025, researchers Andreas Makris and Kevin Finisterre documented a serious vulnerability in the Unitree Go1 robot dog. They found that each Go1 ships with a CloudSail-based tunnel service that automatically activates once the robot is connected to the internet, without any user notification or consent.
This tunnel:
- Is developed by China-based Zhexi Technology
- Connects to unitree.com through CloudSail
- Enables remote access to the robot’s controls and vision system
- Offers SSH access to the internal Raspberry Pi using default credentials
The researchers proved that 1,919 robot dogs had connected to the tunnel network in the past. They were able to control two active devices using only the built-in system tools, no hacking necessary.
What Can Hackers Actually Do with This?
This goes beyond a harmless configuration mistake. What researchers uncovered is a fully operational remote access tunnel, installed by default and capable of giving complete control of the robot to outsiders.
Once connected to the internet, this system silently enables full interaction with the robot’s software and hardware. No user consent is requested, and no alerts are given.
That means anyone with access to the right API key or tunnel management tool could:
- Move the robot around in real-time
- Access the live video feed
- Control the robot’s functions through an API
- Log in to its internal computer (Raspberry Pi) via SSH
- Potentially access networks the robot is connected to (lateral movement)
This creates a serious risk in any environment using robot dogs for public showcases or educational labs. Even during an ordinary event, a third party could observe activity through the robot’s cameras or manipulate it remotely without the operator ever knowing.
Why Is This Backdoor So Serious?
Makris and Finisterre didn’t hold back in their conclusions.
They stated clearly: “The mere presence of this service without letting the user know is not a good practice and can be seen as malicious.”
The backdoor wasn’t mentioned in the documentation. It required no password once enabled. And most users had no idea the tunnel existed at all.
Even more worrying: the robots were shipped with default SSH credentials, meaning attackers could easily access their Linux-based system and take full control. The internal structure of these devices gives access to camera data, movement scripts, and networking tools, making it an open door for cyber-attacks if not patched.
Could Other Unitree Products Be Affected?
Yes. The researchers pointed out that the same backdoor could appear in other Unitree robots, such as the Go2 and the company’s humanoid units. Though no formal confirmation has been made, the presence of legacy tunnel clients and unremoved code in the Go1 suggests this isn’t a one-off case.
With no official statement from Unitree as of mid-2025, customers are left guessing.
They even raised questions about the company’s intent:
- Was this feature meant for China-only?
- Why are devices worldwide enrolled in the same tunnel?
- Is the leftover code a sign of sloppy development or something more?
How Toborlife Keeps You Protected
Toborlife AI does offer Unitree and other third-party robots, but we don’t just resell. We deliver custom-secured robotics that are configured for transparency, safety, and real-world deployment.
Whether you’re exploring teamwork across quadrupeds like Homedog and Go2 series or humanoids (G1, H1), Toborlife ensures every robot is event-ready, secure, and reliable.
Every unit is prepared and verified in-house before it reaches you. You get a robot that’s easy to demo, safe to showcase, and secure to integrate, which is exactly what we’ve seen succeed at events like CadenceLIVE and DeveloperWeek.
Here’s what sets us apart:
1. Rigorous Security Audits Before Every Ship
Each robot—whether a Homedog Pro, Go2 Edu, B2, or G1 Basic—undergoes a full local inspection before shipping. We actively search for unauthorized network tunnels, disable auto-connect services (like CloudSail), and remove legacy code remnants.
2. Custom-Firmware & Default Credential Removal
We replace outdated system passwords, turn off unnecessary SSH ports, and lock down open services. Our standard builds simplify Wi‑Fi setup with no hidden cloud calls and optional offline-mode for ultra-secure use.
3. Secure Editions for Public & Educational Use
Ideal for institutions, labs, or anyone who wants to rent a robot or hire robots for events, our secured robot dogs feature:
- Offline-first configuration
- No China-based auto enrollment
- Fully verified firmware and clean components
- Tightened networking rules and controlled remote access
- Transparent setup documentation with ongoing support from our robotics team
The Real-World Risks of Unsecured Robot Deployments
Running a booth at CES, a science fair, or a live event often draws attention and engages your audience. The robot moves, responds to commands, and streams live video to displays, all part of the experience.
But what if that same robot dog is quietly connecting to a foreign server and allowing remote access in the background? It’s no longer just a cool demo; it’s a serious security concern.
Today, robots are being used:
- In classrooms and labs
- In film productions
- For stage performances
- In advertising campaigns
In all of these environments, the data your robot captures, transmits, or stores is sensitive. Toborlife ensures every deployment is secure, transparent, and under your control.
What Can You Do If You Already Own a Go1?
Here are a few simple steps recommended by experts (and supported by Toborlife):
- Check your network logs to see if the robot is reaching out to unitree.com
- Disable internet connectivity unless needed for updates
- Change the SSH login and root passwords immediately
- Block CloudSail endpoints on your firewall
- Reset and reconfigure the robot using clean images where possible
Or better—contact Toborlife AI. Our security team can help you review your robot’s settings and secure it for safe use in any environment.
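For the first step above, checking network logs, here is an added example (not code from the researchers' report or from Unitree) that scans DNS query logs for lookups of unitree.com. It assumes the logs come from dnsmasq with query logging enabled; the log lines and IP addresses are constructed, and `cloudsail-endpoint.example` is a placeholder for the CloudSail hostnames you observe on your own network.

```python
import re
from collections import defaultdict

# Domains to watch. unitree.com is named in the article; the second entry is a
# placeholder to replace with the CloudSail endpoints seen on your own network.
WATCHED = ("unitree.com", "cloudsail-endpoint.example")

# dnsmasq "log-queries" line: "... dnsmasq[pid]: query[A] name from client-ip"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def matches_watched(name, watched=WATCHED):
    """True if name equals a watched domain or is a subdomain of it."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    return any(name == d or name.endswith("." + d) for d in watched)

def find_tunnel_lookups(lines, watched=WATCHED):
    """Return {client_ip: sorted list of watched names that client queried}."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_watched(m.group("name"), watched):
            hits[m.group("client")].add(m.group("name").lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log (not real traffic); 192.168.1.50 stands in for the robot.
SAMPLE_LOG = """\
Jun 10 09:14:02 dnsmasq[812]: query[A] www.unitree.com from 192.168.1.50
Jun 10 09:14:02 dnsmasq[812]: forwarded www.unitree.com to 9.9.9.9
Jun 10 09:14:05 dnsmasq[812]: query[A] notunitree.com from 192.168.1.77
Jun 10 09:14:09 dnsmasq[812]: query[AAAA] Unitree.com. from 192.168.1.50
Jun 10 09:15:30 dnsmasq[812]: query[A] unitree.com.example.net from 192.168.1.77
Jun 10 09:16:11 dnsmasq[812]: query[A] tunnel.cloudsail-endpoint.example from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for client, names in find_tunnel_lookups(SAMPLE_LOG).items():
        print(f"{client} looked up: {', '.join(names)}")
```

Matching on the exact domain or a dot-separated suffix keeps look-alike names such as notunitree.com out of the results, so a hit points at a device that should be isolated and checked.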
Toborlife vs. Generic Resellers
We believe that robot ownership shouldn’t come with hidden risks. Our mission is to build trust into robotics.
| Feature | Generic Online Reseller | Toborlife |
| --- | --- | --- |
| Remote Access Disabled | ❌ | ✅ |
| Secure Firmware Check | ❌ | ✅ |
| Transparent Setup Guides | ❌ | ✅ |
| Post-Sale Tech Support | ❌ | ✅ |
| Custom Security Options | ❌ | ✅ |
Final Thoughts
The discovery of a hidden backdoor in the Unitree Go1 isn’t just a one-off tech story. It’s a signal. As robotics go global and mainstream, we need to ask smarter questions—not just about performance, but about privacy and control.
If you’re going to rent a robot or hire robots for events, choose hardware that’s secure by default, not something you’ll need to “fix” after purchase.
Toborlife AI is here to help you explore robotics with confidence.
From classrooms to events to research labs, Toborlife provides secure, reliable robots that are built with expert care and supported every step of the way.