A YouTuber, 29 Chickens, and US National Security

It all starts innocently enough. Ben Jordan, a tech YouTuber with a growing interest in cybersecurity, gets an offer from a Unitree robot distributor: a free device in exchange for a video. His idea is simple and even endearing. He has 29 chickens, predators roam the woods near his farm, and a robot dog seems like the perfect guardian. A futuristic farm sentry with a LiDAR sensor and an eight-core CPU. Great material for a YouTube video with plenty of views. What could go wrong?

Turns out, just about everything. The LiDAR sensor is mounted on the robot's head rather than in the center with a panoramic field of view, leaving everything behind it as a blind spot. In obstacle avoidance mode, the robot lurches backward at full force without knowing what's behind it. If that happens to be a child, an animal, or something fragile, the outcome won't be pleasant. The device isn't waterproof and can't handle fine dust. In short, it simply doesn't work as an autonomous outdoor guard.

But while trying to figure out what this expensive toy can actually do, Ben Jordan stumbles onto something far more interesting and dangerous.

Alarming Discoveries

The first thing any security researcher does with a new device is check how hard it is to break into. With the Unitree Go2, the answer is: laughably easy.

Ben Jordan doesn't even need to physically touch the robot. He connects to it via Bluetooth and, during Wi-Fi setup, injects a shell command into the password field. The robot executes it on reboot. That's it. Full root access, no authentication, no effort.
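The class of bug described above, sketched from the defender's side as an added example; it is not Unitree's code or anything shown in the video. The helper name `wifi-connect`, the sample SSID and the sample passphrase are assumptions made for illustration. It shows why filtering alone cannot fix the problem (a valid WPA2 passphrase may legally contain shell metacharacters) and how a provisioning service can store credentials in wpa_supplicant's hex forms so that no user-controlled text reaches a shell or a config parser.

```python
import hashlib
import re

# WPA2 passphrase rule: 8-63 printable ASCII characters (shell syntax included).
PRINTABLE = re.compile(r"[\x20-\x7e]{8,63}")


def unsafe_command(ssid: str, psk: str) -> str:
    # Anti-pattern: untrusted fields pasted into a string a shell parses later.
    # "wifi-connect" is a hypothetical helper name, not a real Unitree binary.
    return f'wifi-connect --ssid "{ssid}" --psk "{psk}"'


def network_block(ssid: str, psk: str) -> str:
    """Return a wpa_supplicant network block holding only hex-encoded values."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not PRINTABLE.fullmatch(psk):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    # Same derivation wpa_passphrase performs:
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32-byte key.
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid_bytes, 4096, 32)
    # Unquoted hex for both fields: quotes, newlines and metacharacters
    # from the input cannot survive into the stored configuration.
    return f"network={{\n\tssid={ssid_bytes.hex()}\n\tpsk={pmk.hex()}\n}}\n"


# Constructed input: a passphrase that is valid WPA2 yet full of shell syntax.
SAMPLE_SSID = "farm-net"
SAMPLE_PSK = "hunter2;$(x)|&"

if __name__ == "__main__":
    # The unsafe string carries the metacharacters through untouched.
    print(unsafe_command(SAMPLE_SSID, SAMPLE_PSK))
    # The hardened block contains hex digits only.
    print(network_block(SAMPLE_SSID, SAMPLE_PSK))
```

The resulting block is meant to be written to the configuration file directly and applied by invoking the network daemon with an argument list, never through a shell command line.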

Later that year, researchers Andreas Makris and Kevin Finisterre, who had been working on Unitree security independently, publish a detailed analysis of the problem, cataloged as CVE-2025-2894. In September 2025, they reveal something even more alarming: the vulnerability is wormable. An infected robot can automatically scan for other Unitree devices within Bluetooth range and compromise them without human intervention. The affected models include the Go2, B2, G1, and H1. In theory, a single compromised robot in a warehouse or construction site could infect every other Unitree robot nearby.

With root access, Ben Jordan demonstrates what an attacker could do: record and livestream audio and video from the robot's cameras, install network tools to snoop on devices within Wi-Fi range, control the robot's movement, disable its safety mechanisms, and more. The cost of full control: zero dollars and five minutes of spare time.

Up to this point, the situation is dangerous but could simply be the product of sloppy engineering: an ordinary story of a lazy manufacturer cutting corners on security testing and on salaries for experienced programmers. But Ben Jordan discovers something that shifts the narrative from "incompetence" to "grounds for investigation."

When he analyzes the robot's network traffic, he finds that the device sends encrypted data to Chinese servers. But the more interesting part is how it does it. The robot first probes its environment, and if it suspects it's being monitored, it doesn't establish the connection to China. When Ben Jordan tries to intercept the traffic through a Raspberry Pi configured as a monitoring router, the robot refuses to connect. The system apparently detects the non-standard router. Only when he places a regular consumer router between the robot and the monitoring Pi does he manage to see the full traffic: the robot establishes a tunnel connection to Chinese servers. That tunnel could potentially be used to transmit any data collected by the device, including audio, video, and intercepted network traffic.

Unitree claims the issue stems from a vulnerability in a third-party service rather than an intentional backdoor, and disabled the problematic connectivity in late March 2025. However, some security experts and politicians have called the discovery "a threat to national security." They may have a point.

Who Is Actually Buying These Robots?

This is where the story gets truly concerning. These devices, with their proven vulnerabilities and questionable network traffic, aren't sitting in hobbyists' garages. They're patrolling apartment complexes and construction sites, working for police departments, and have even been tested by the US military.

The Topeka, Kansas police department purchased its first Unitree robot (named Pepe) for $5,360, then added two more. The reasoning is straightforward: the cheapest Boston Dynamics Spot configuration costs $75,000.

Police in Pullman, Washington deployed a Unitree Go2 named MIKE for scanning hazardous buildings. A police department in Florida uses them for narcotics searches.

In Atlanta, a company called Undaunted has deployed dozens of robot dogs across apartment complexes, parking lots, and construction sites. There is an important nuance here, which Ben Jordan correctly points out in his video: Undaunted's robots don't operate autonomously. Each one has a live human operator behind it who decides when to react and whether to call the police. They don't use LiDAR for navigation and don't collect data automatically. This makes them significantly safer than fully autonomous alternatives, but it doesn't make them immune to the hardware vulnerabilities of the Unitree robot itself.

In September 2023, the US Marine Corps mounted an M72 LAW anti-tank rocket launcher on a Unitree Go1 and successfully test-fired it at Twentynine Palms, California. The Pentagon specifies this was a proof-of-concept, not operational deployment. The robot was "too light and too fragile" for actual combat. But the mere fact that the American military tested weapons on a Chinese platform with known vulnerabilities says something about the speed at which technology outpaces common sense.

That said, we shouldn't jump to conclusions. The military test may well have been aimed at understanding whether China could use these robots as automated weapons platforms, and measures may have been taken to prevent the devices from transmitting data. We'll likely never know more. The only publicly known government response is a Pentagon warning against using Unitree products in actual military operations.

How Serious Is the Problem?

Behind Unitree's specific technical issues lies a bigger question. We live in a moment where the tech market incentivizes rapid deployment and low prices, while security is expensive and slow. A police department choosing between a $5,000 robot and a $75,000 robot will pick the cheap one. A company managing an apartment complex at 40% occupancy will invest in whatever it can afford. And a manufacturer looking to capture a large share of the global market will optimize for volume and profit, not security.

The result is thousands of devices equipped with cameras, microphones, and network connectivity, scattered across universities, police stations, and residential complexes. Some of them actively communicate with servers their owners don't know about. Others can be hijacked remotely by anyone with a laptop and five minutes to spare. Not exactly reassuring, is it?

Andrey Hristov