Unitree Robotics, a China-based manufacturer, has been caught up in a major security scare. Two researchers uncovered that the company had pre-installed a backdoor in its popular Go1 robot dogs, allowing anyone to monitor users around the world.

This discovery is rare—backdoors in widely sold consumer tech don’t come to light often—and it highlights concerns long raised by U.S. officials about the risks of Chinese-made devices enabling covert surveillance.
The issue has now been officially cataloged as a critical vulnerability under CVE-2025-2894. The Common Vulnerabilities and Exposures (CVE) listing recommends Go1 owners disable the “local endpoint” responsible for the backdoor.
How It Happened
The backdoor was tied to a public-facing web API, which allowed anyone who stumbled upon it to see the location of the Go1 robots. If a robot was online, anyone using the API could access its live camera feed without needing to log in.
If the robot’s default Raspberry Pi credentials weren’t changed, attackers could also gain full control of the robot.
This flaw was discovered by Andreas Makris and Kevin Finisterre, researchers with a history of exposing vulnerabilities in other tech (including DJI drones). The pair tested the flaw on each other’s Go1 robots to confirm its existence. They also found that robots at top U.S. universities, including MIT, Princeton, and Carnegie Mellon, might have been vulnerable at one point.
A National Security Concern
The discovery of this backdoor is raising alarm in Washington. Rep. John Moolenaar (R-Mich.), chair of the House China Select Committee, called it a “direct national security threat.” He added that the committee is investigating the risks this vulnerability poses to U.S. citizens.
“This isn’t merely a technology flaw — it’s an intentional and dangerous breach of our national security,” Moolenaar said. “American families, officers, and students have a right to know about any CCP access to their private environments.”
Unitree’s Response
In a statement, Unitree confirmed that its newer models, like the Go2 and humanoid robots, are unaffected by this issue. The company also explained that hackers had gained access to the management key of a third-party cloud service, which allowed them to modify user data with high-level permissions.
Unitree has since shut down the service enabling the Go1’s backdoor, but also noted that this type of installation is “common” among many robots on the market.