Unitree Products Firmware Update Manipulation Vulnerability
Vulnerability
A vulnerability exists in Unitree robotics products, including the Go2 model, due to a flaw in the firmware update encryption process. Firmware updates are encrypted with the TEA algorithm, but the key material is hard-coded and available to attackers, which allows unauthorized users to alter firmware updates. This issue affects all current Unitree offerings as of February 26, 2026, and applies to both the firmware generation and the firmware extraction processes. At present, there is no documented method to covertly inject modified firmware into the update process.
Impact
Exploitation of this vulnerability allows for unauthorized modification of firmware updates, which can be uploaded to and trusted by Unitree robots. This could lead to overwriting the device's operating system, potentially causing permanent damage or creating a persistent backdoor. Such an attack could be particularly damaging if combined with a separate vulnerability that allows direct manipulation of the firmware update process.
Reproduction
The vulnerability can be reproduced by decrypting existing UPK firmware files using the released Python tool 'UniTEABag', available on GitHub. After decryption, the extracted firmware can be modified and re-encrypted using the same tool, creating a new UPK file that appears legitimate to the robot. This crafted firmware package can then be uploaded to the Unitree device, replacing the original firmware.
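An added illustration, not code from this advisory or from UniTEABag: it shows why encryption under a key that every device shares does not authenticate an update, next to an operator-side digest pin that rejects an altered package. The key, header magic, block mode and image contents are constructed stand-ins, not Unitree's real key or UPK layout, and the pinned digest is assumed to have been recorded from a trusted copy of the release.

```python
import hashlib
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
# Constructed stand-ins: NOT the real key, magic, or UPK layout.
SHARED_KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
MAGIC = b"FWIMG001"

def _enc(v0, v1, k):
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def _dec(v0, v1, k):
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea(data, key, decrypt=False):
    """Apply TEA block by block (ECB is an assumption); len(data) % 8 == 0."""
    step = _dec if decrypt else _enc
    return b"".join(
        struct.pack(">II", *step(*struct.unpack(">II", data[i:i + 8]), key))
        for i in range(0, len(data), 8))

def naive_accept(package):
    """Flawed trust model: whatever decrypts to a valid header is trusted."""
    return tea(package, SHARED_KEY, decrypt=True).startswith(MAGIC)

def pinned_accept(package, known_good):
    """Operator-side check: digest must match one recorded from a trusted source."""
    return hashlib.sha256(package).hexdigest() in known_good and naive_accept(package)

# Constructed sample images, both encrypted under the same shared key.
vendor_pkg = tea(MAGIC + b"release-build-01", SHARED_KEY)
altered_pkg = tea(MAGIC + b"modified-build!!", SHARED_KEY)
KNOWN_GOOD = {hashlib.sha256(vendor_pkg).hexdigest()}

if __name__ == "__main__":
    for name, pkg in (("vendor", vendor_pkg), ("altered", altered_pkg)):
        print(name, naive_accept(pkg), pinned_accept(pkg, KNOWN_GOOD))
```

Digest pinning is a compensating control on the operator's side; it does not replace a vendor signature verified on the device against a public key.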
