Unitree Go2 Firmware: Remote Code Execution through Android App

Summary

Firmware versions 1.1.7 to 1.1.11 have a security weakness that allows a hacker to execute malicious code on the robot. This can happen when a user installs a malicious program from the app's marketplace or when a hacker alters a program on the device. To fix this, update the firmware to a version that is not vulnerable.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
unitree	go2_firmware	> 1.1.7 , <= 1.1.11	–

Original title

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protect...

Original description

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.

nvd CVSS3.1 9.6

nvd CVSS4.0 6.4

Vulnerability type

CWE-345