An independent cybersecurity researcher known as BobDaHacker discovered security issues in the cloud management platform of Pudu Robotics, a leading global supplier of commercial service robots. The vulnerabilities allowed attackers to redirect the robots to any location and force them to execute arbitrary commands.
Pudu Robotics is a Chinese manufacturer of robots that perform a wide range of tasks: from serving food in restaurants with BellaBot to operating building infrastructure (e.g., elevators) with FlashBot. According to Frost & Sullivan, last year the company held 23% of the market for such devices.
BobDaHacker discovered that he could access the robots’ control software because administrative access wasn’t properly restricted. For such an attack, an attacker needed a valid authorization token, which could be obtained via cross-site scripting or simply by creating a test account intended for trying out the robots before purchase.
After the initial authentication, there were no further authorization checks. This allowed anyone with a token to modify orders, move the robots to new locations, and rename them to make post-attack recovery more difficult.
In other words, an attacker could reroute ordered food to arbitrary locations or even disable an entire fleet of restaurant robots. The researcher also notes that attackers could force the FlashBot to damage office systems or steal intellectual property.
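The defect described above is a missing authorization step: the platform checked that a token was valid, but not that its holder owned the robot or held a role permitting the command. The following is an added illustration, not Pudu’s code; the account ids, robot ids and role names are constructed, and the in-memory fleet stands in for whatever datastore the real platform uses.

```python
"""Constructed sketch of a robot-command endpoint, before and after the fix.

dispatch_unchecked() models the pattern the article describes: any valid
session, including one from a free trial account, may command any robot.
dispatch() adds the two checks that were missing: object ownership and
role-based permission for the requested action.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What a validated auth token tells the server about the caller."""
    account_id: str
    role: str  # "admin", "operator" or "trial" (constructed roles)


# Constructed sample fleet: robot id -> owning account (not real data)
ROBOTS = {"bella-001": "acct-restaurant", "flash-007": "acct-office"}

# Which roles may issue which commands; trial accounts control nothing
ALLOWED = {
    "admin": {"move", "rename", "cancel_order"},
    "operator": {"move", "cancel_order"},
    "trial": set(),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def dispatch_unchecked(session: Session, robot_id: str, command: str) -> str:
    """Vulnerable pattern: authentication only, no authorization."""
    return f"{robot_id}: {command} by {session.account_id}"


def dispatch(session: Session, robot_id: str, command: str) -> str:
    """Hardened pattern: verify ownership and role before acting."""
    owner = ROBOTS.get(robot_id)
    if owner is None or owner != session.account_id:
        raise Forbidden("robot not owned by caller")  # object-level check
    if command not in ALLOWED.get(session.role, set()):
        raise Forbidden("role may not issue this command")  # action check
    return dispatch_unchecked(session, robot_id, command)


if __name__ == "__main__":
    trial = Session("acct-trial", "trial")
    print(dispatch_unchecked(trial, "bella-001", "move"))  # succeeds: the bug
    try:
        dispatch(trial, "bella-001", "move")
    except Forbidden as exc:
        print("blocked:", exc)
```

Both checks must run on every request; the first stops cross-tenant access (a test account steering someone else’s fleet), the second stops a low-privilege account from renaming or cancelling within its own fleet.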
When the researcher tried to contact representatives of Pudu Robotics to report the issue, he received no response. On August 12, BobDaHacker sent the first emails, but the maintenance, support, and sales departments did not reply. After waiting until August 21, the researcher sent another round of emails, reaching out to more than 50 company employees in an attempt to get anyone’s attention.
Still getting no response, the researcher began contacting Pudu Robotics’ restaurant clients, and the Japanese restaurant chain Skylark Holdings, as well as the Zensho chain, took the warnings seriously.
About 48 hours after BobDaHacker got in touch with customers, representatives of Pudu Robotics finally replied to his email. The researcher wrote that the response was clearly generated by ChatGPT. “They didn’t even bother to remove the placeholder in the ChatGPT template. Just incredible effort,” the expert said.
The company thanked the specialist for discovering the vulnerabilities with the following message:
“Thank you for your valuable contribution to ensuring our security. If you would like to share additional details or have any questions, please don’t hesitate to contact me directly at [Your email address],” a company representative wrote.
Nevertheless, Pudu Robotics subsequently fixed the vulnerabilities identified by the researcher and secured its systems.
On September 3, BobDaHacker updated his post and reported that the company had not, in fact, been ignoring his messages. The first emails indeed never reached their recipients, but the report was later received through other channels. The developers then began working on a fix, but the company only contacted the researcher once the fix was ready to be deployed.
Pudu Robotics representatives also apologized for the “[Your email address]” placeholder and reported that they have already created a dedicated address (security@pudutech.com) for reporting vulnerabilities and other security issues.