A startling vulnerability in Pudu Robotics’ management APIs that allowed anyone with minimal technical skill to seize control of the company’s food delivery and service robots.
The vulnerability, which went unaddressed for weeks despite repeated responsible‐disclosure attempts, could have enabled malicious actors to redirect BellaBots and other Pudu models to deliver meals to unintended recipients, disrupt service in restaurants, and even compromise sensitive operations in hospitals and offices.
Pudu Robotics, the world’s largest commercial service-robotics manufacturer, supplies restaurants, hotels, hospitals, offices, and retail stores with a suite of products that includes:
- BellaBot, KettyBot, and PuduBot delivery robots.
- CC1 and PUDU SH1 cleaning robots.
- Disinfection robots with UV and chemical sprayers.
- Elevator-capable building-delivery robots with mechanical arms.
BobDaHacker’s investigation revealed that almost every API endpoint for Pudu’s robot-management platform lacked sufficient authentication checks.
While the system required valid tokens, it failed to verify user permissions or robot ownership. Attackers could:
- View any robot’s call history and accept up to 20,000 store IDs in a single, unthrottled request.
- Initiate, cancel, or reroute tasks on any robot anywhere in the world.
- Modify robot settings, including nicknames, configurations, and behavior patterns.
- Enumerate Pudu’s global store deployments and list all robots by store ID.
In a restaurant scenario, an attacker could have redirected a BellaBot carrying another diner’s meal to their own table, canceled all delivery requests during peak hours, or programmed robots to loop endlessly while playing music.
In office buildings, the FlashBot—a robot equipped with mechanical arms and elevator access—could have been commandeered to retrieve confidential documents from secured floors and deposit them at an exit.
In healthcare settings, malicious actors could have interfered with medicine delivery, sent cleaning robots into operating rooms, or bypassed critical disinfection tasks entirely.
BobDaHacker reported the vulnerabilities to Pudu’s sales, support, and technical teams beginning on August 12.
After receiving no response, he escalated the issue by emailing more than fifty company staff on August 21.
Weeks passed in silence as Pudu’s robots continued operating in vulnerable environments worldwide. On August 28, he contacted major customers—including Skylark Holdings, which manages over 7,000 restaurants in Japan, and Zensho, a leading chain operator—alerting them that their fleets were exposed to takeover.
Within forty-eight hours of this final escalation, Pudu’s security team miraculously “discovered” the reports and issued a templated acknowledgment thanking BobDaHacker for “responsible disclosure,” complete with a placeholder “[Your Email Address]” still intact.
Two days later, Pudu confirmed the vulnerabilities had been patched.
The incident highlights alarming lapses in security and corporate responsiveness. While Pudu boasts “ongoing commitment to security” on its website, it lacked even basic measures: no dedicated security contact, no authenticated API controls, and no timely handling of vulnerability reports.
Action only followed after the threat of reputational and financial damage when key clients were alerted.
The safety implications extend far beyond restaurant chaos. Hospitals that rely on Pudu robots for medicine delivery risked delayed or misdirected treatments.
Hotels and schools using these devices for room service or cafeteria logistics could have experienced service shutdowns and safety hazards.
In an era where automation plays an increasing role in critical operations, the Pudu breach underscores that robust security must match technological innovation.
Pudu Robotics now faces a reckoning: customers and regulators will demand stronger safeguards, transparent reporting channels, and swift remediation processes.
The company’s delayed response and reliance on automated, impersonal templates served only to erode trust.
As commercial service robots proliferate across sensitive environments, manufacturers must prioritize security from design through deployment. Otherwise, hungry diners may be the least of their customers’ worries.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
