Unitree Go2 Missing Integrity Protection in User-Created Programs Leading to Remote Code Execution
Vulnerability
A remote code execution vulnerability exists in the Unitree Go2 firmware versions 1.1.7 through 1.1.11, when paired with the Unitree Go2 Android application. This vulnerability arises from inadequate integrity protection and validation of user-generated programs. The application saves these programs in a local SQLite database and sends the program text, including a Python code field, to the robot. The robot executes this Python code as root, without any integrity checks or content validation. An attacker with local access to the Android device can modify the program record to inject arbitrary Python code, which executes when the program is activated via a controller keybinding. This malicious binding remains active after rebooting the device. Furthermore, a harmful program shared through the application's community marketplace can execute arbitrary code on any robot that imports and runs it.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the Unitree Go2 robot, with the executed code running as the root user.
Reproduction
To reproduce this vulnerability, first upload a program through the Unitree Go2 Android application. Intercept the upload request and modify the program's name and code fields, replacing the code with a malicious payload. Once the program is uploaded, it can be assigned to a controller keybinding. When the keybinding is activated, the injected code is executed on the robot.
Remediation
Unitree has developed a patch for this vulnerability, which is reportedly in the process of being deployed. However, the vulnerability in the EDU version of Go2 will likely remain unpatched.
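The control that the advisory says was missing is an integrity check on the program record before the robot runs its Python code field. The following is an added example, not Unitree's code or the vendor patch: it signs the fields the robot acts on and refuses to execute a record whose name or code was edited after signing. The HMAC key, field names and sample record are constructed assumptions; a production design would have the issuer hold a private key and the robot only a public key, so that a device-local attacker cannot re-sign a tampered row.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In a real deployment the signer holds a private
# key and the robot holds only the public key, so nobody with DB access can re-sign.
ISSUER_KEY = b"constructed-demo-issuer-key"

# The record fields the robot acts on; the signature must cover exactly these.
SIGNED_FIELDS = ("name", "code")


def canonical_bytes(record: dict) -> bytes:
    """Fixed-order serialization so the tag is computed over the same bytes on both sides."""
    subset = {k: record[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_program(record: dict, key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: attach an HMAC-SHA256 tag over the signed fields."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "sig": tag}


def verify_program(record: dict, key: bytes = ISSUER_KEY) -> bool:
    """Robot side: recompute the tag and compare in constant time."""
    tag = record.get("sig")
    if not isinstance(tag, str) or not all(k in record for k in SIGNED_FIELDS):
        return False
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run_program(record: dict, executor) -> str:
    """Execution gate: the vulnerable firmware handed the code field straight to the executor."""
    if not verify_program(record):
        raise PermissionError("program failed integrity check; not executing")
    return executor(record["code"])


def demo() -> tuple:
    """Constructed record as the app might store it, then the same row with its code edited."""
    program = {"id": 1, "name": "wave", "code": "print('hello')"}
    signed = sign_program(program)
    tampered = {**signed, "code": "print('tampered')"}  # simulated edit of the DB row
    recorder = lambda code: f"would execute: {code}"  # stand-in for the real interpreter
    return verify_program(signed), verify_program(tampered), run_program(signed, recorder)
```

Running `demo()` returns `(True, False, "would execute: print('hello')")`; the tampered row never reaches the executor.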