Food Delivery Robots Can Be Hacked to Deliver Meals to Your Table Instead of the Intended Customers

You may have seen them in restaurants, cat-faced robots gliding between tables, delivering plates of food. These robots, many of them made by Pudu Robotics, the world’s largest commercial service robotics company, are part of a growing fleet of automated helpers in our daily lives.

From the well-known BellaBot to cleaning and disinfection robots, Pudu’s machines operate in restaurants, hospitals, hotels, and offices worldwide, serving millions of people. But a recent discovery revealed a startling vulnerability: these robots could be controlled by anyone with a little technical know-how.

Cybersecurity researcher “BobDaHacker” discovered that Pudu’s robot management APIs had a critical flaw: they lacked proper authorization checks.

The system required a valid authentication token, but it overlooked verifying whether the user had the necessary permissions to control the robots. As a result, virtually any Pudu robot, whether it was a BellaBot in a restaurant or a FlashBot in a corporate office, became exposed to unauthorized control.

The vulnerabilities allowed unauthorized users to:

  • View the call history of any robot.
  • Create new tasks and control robots that they did not own.
  • Update robot settings, including their names and behaviors.
  • List all robots associated with any store globally.
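
The gap described above is the difference between authentication (is the token valid?) and per-object authorization (may this account touch this robot?). As an added illustration, not code from Pudu or the researcher, the sketch below puts a token-only handler next to one that also checks ownership; every token, store, robot and function name in it is constructed for the example.

```python
# Added illustration: all names and data are hypothetical, not Pudu's API.
# Constructed sample data: robot -> owning store, token -> account and its stores.
ROBOT_STORE = {"robot-A1": "store-1", "robot-B7": "store-2"}
TOKENS = {"tok-alice": {"user": "alice", "stores": {"store-1"}},
          "tok-bob": {"user": "bob", "stores": {"store-2"}}}

class AuthError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def authenticate(token):
    """Authentication only: a valid token proves who is calling, nothing more."""
    session = TOKENS.get(token)
    if session is None:
        raise AuthError(401, "invalid token")
    return session

def create_task_token_only(token, robot_id, task):
    """Flawed pattern from the article: any valid token can task any robot."""
    authenticate(token)
    if robot_id not in ROBOT_STORE:
        raise AuthError(404, "robot not found")
    return {"robot": robot_id, "task": task, "status": "queued"}

def authorize_robot(session, robot_id):
    """Authorization: the caller's account must manage the robot's store."""
    store = ROBOT_STORE.get(robot_id)
    # Same 404 for unknown and foreign robots, so IDs cannot be enumerated.
    if store is None or store not in session["stores"]:
        raise AuthError(404, "robot not found")
    return store

def create_task_checked(token, robot_id, task):
    """Hardened pattern: authenticate, then check ownership on every call."""
    session = authenticate(token)
    authorize_robot(session, robot_id)
    return {"robot": robot_id, "task": task, "status": "queued"}

def list_robots_checked(token, store_id):
    """Listing is scoped to stores the caller manages, never global."""
    session = authenticate(token)
    if store_id not in session["stores"]:
        raise AuthError(404, "store not found")
    return sorted(r for r, s in ROBOT_STORE.items() if s == store_id)
```

The same ownership check belongs on every endpoint that takes a robot or store identifier, including read-only ones such as call history.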

The potential for misuse was vast and alarming. In a restaurant setting, a hacker could reroute a BellaBot to deliver food to their own table instead of the correct one, cancel all robot tasks during a busy dinner service, or create chaos by having robots circle the dining room playing music.

The implications extended far beyond restaurants. Pudu’s FlashBot, equipped with arms and the ability to use elevators, could be remotely controlled to access confidential documents in an office, navigate to a different floor, and deliver them to an unauthorized individual.

In a more disruptive scenario, an attacker could hold an entire fleet of robots hostage, demanding a ransom to restore normal operations. The attacker could even display a QR code for payment on the robots’ screens.

The risks were particularly concerning in healthcare environments. Pudu robots are used in hospitals for delivering medicine and for cleaning and disinfection.

A malicious actor could redirect medicine deliveries, send cleaning robots into sterile operating rooms, or program disinfection robots to skip critical areas, posing a direct threat to patient safety.

After discovering these flaws, the researcher attempted to report them to Pudu Robotics on August 12. Emails to the company’s sales, support, and tech teams went unanswered.

A follow-up email to over 50 staff members on August 21 also received no reply. For weeks, the vulnerabilities remained unaddressed while the robots continued to operate in sensitive environments.

Frustrated by the lack of response, the researcher took what they termed the “nuclear option.” They contacted some of Pudu’s largest customers, including Skylark Holdings, which operates over 7,000 restaurants in Japan, and Zensho, another major restaurant chain operator. The researcher explained that anyone could control the robots in their facilities.

Within 48 hours of these customers being notified, Pudu Robotics sent a response, seemingly generated by an AI, thanking the researcher for their “responsible disclosure” and stating that their security team had “promptly investigated the issue.”

The response even included a placeholder for the sender’s email address, suggesting a hasty and templated reply. Two days later, all the reported vulnerabilities were fixed.

As these robots become more integrated into our lives, operating around vulnerable populations in hospitals, schools, and a variety of public spaces, ensuring their security is not just a technical necessity but a fundamental responsibility.
