Security Flaws in Chinese Restaurant Robots Exposed by Ethical Hacker
A recent investigation has uncovered significant cybersecurity vulnerabilities in the control systems of commercial robots used extensively in the restaurant industry. These robots, produced by a leading Chinese manufacturer, were found to be susceptible to unauthorized access, allowing potential attackers to manipulate their operations remotely.
Overview of Pudu Robotics and Its Market Presence
Pudu Robotics, a prominent Chinese company, has deployed over 100,000 robotic units across more than 1,000 cities worldwide. Their product lineup includes the BellaBot, a cat-inspired robot designed to serve food, and the FlashBot, equipped with mechanical arms capable of operating elevators and performing complex tasks. According to recent market analysis by Frost & Sullivan, Pudu Robotics commanded approximately 23% of the global commercial robot market last year, underscoring its significant influence in the sector.
Discovery of Critical Security Vulnerabilities
Bobdahacker, a white-hat cybersecurity expert known for previously revealing a McDonald’s free-food exploit, turned her attention to Pudu Robotics’ systems. She identified that the administrative controls for these robots lacked robust security measures. Specifically, the control software did not enforce stringent access restrictions, so an attacker could gain control through methods such as cross-site scripting (XSS) or by creating a fraudulent trial account of the kind meant for testing the system before purchasing a robot.
Potential Risks and Exploits
With unauthorized access, malicious actors could reroute food deliveries, disrupt entire fleets of restaurant robots via distributed denial-of-service (DDoS) attacks, or even use robots like FlashBot to infiltrate office environments and exfiltrate sensitive data. The absence of secondary authentication checks after initial login meant that attackers could reset orders, relocate robots arbitrarily, and rename devices, complicating recovery efforts.
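The two gaps described above, a missing ownership check on robot commands and no re-authentication before sensitive operations, illustrated as an added example; this is not Pudu's code, and the account names, robot IDs and the 300-second step-up window are constructed assumptions.

```python
# Added illustration (not Pudu's code): a minimal fleet-command authorization
# layer showing the vulnerable pattern beside its hardened form.
from dataclasses import dataclass, field
import time

# Constructed sample data: which account owns which robots (hypothetical IDs).
FLEETS = {"acct-skylark": {"bella-01", "bella-02"}, "acct-trial": set()}

@dataclass
class Session:
    account: str
    last_auth: float = field(default_factory=time.time)  # last password/MFA check

# Operations the article names as abusable once logged in.
SENSITIVE = {"reset_orders", "relocate", "rename"}
STEP_UP_WINDOW = 300  # seconds a re-authentication stays valid (assumed value)

def command_vulnerable(session, robot_id, action):
    """'Before': any logged-in account, trial or not, may command any robot."""
    return {"robot": robot_id, "action": action, "status": "accepted"}

def command_hardened(session, robot_id, action, now=None):
    """'After': object-level authorization plus step-up auth for sensitive ops."""
    now = time.time() if now is None else now
    # 1. Object-level check: the robot must belong to this account's own fleet.
    if robot_id not in FLEETS.get(session.account, set()):
        return {"robot": robot_id, "action": action, "status": "denied"}
    # 2. Step-up check: destructive actions need a recent re-authentication,
    #    so a hijacked browser session alone cannot reset, move or rename robots.
    if action in SENSITIVE and now - session.last_auth > STEP_UP_WINDOW:
        return {"robot": robot_id, "action": action, "status": "reauth_required"}
    return {"robot": robot_id, "action": action, "status": "accepted"}
```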
Challenges in Reporting and Response
Despite promptly notifying Pudu Robotics on August 12, Bobdahacker encountered significant resistance. The company’s technical, support, and sales teams initially ignored her warnings. It was only after she reached out to Pudu’s clients, including Skylark Holdings in Japan, which operates over 7,000 restaurants, and the international food chain Zensho, that the issue gained traction.
Within two days of these customers being informed, Pudu finally responded with a message that appeared to be generated by an AI language model, containing placeholders like “[Your Email Address]” that were not properly edited. This response acknowledged the vulnerability and thanked the researcher for her responsible disclosure, but the lack of personalized communication highlighted a concerning lack of urgency.
Resolution and Industry Implications
Following the exposure, Pudu Robotics has since secured its systems to close the identified security gaps. This incident highlights the critical importance of cybersecurity in the rapidly expanding field of service robotics, especially as these machines become integral to daily operations in hospitality and other industries.
Moreover, the case demonstrates that engaging end-users and customers can be an effective strategy to prompt manufacturers to address security flaws swiftly. As robotic automation continues to grow, with the global market expected to surpass $75 billion by 2025, ensuring robust security protocols is essential to prevent exploitation and maintain trust.