Assessment
CFSE Consequence Paths assesses Unitree Go1 CloudSail undocumented remote-access backdoor (CVE-2025-2894) at EMERGENCY — the worst of 3 risk paths (safety, authority, perception). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
Unitree Go1 CloudSail undocumented remote-access backdoor (CVE-2025-2894). Reported attack vector: Network (outbound-initiated tunnel, bypasses NAT/firewall).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → EMERGENCY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:3/EX:3/PH:4/DP:3/AT:3/CH:4/SR:4/SX:4/OR:4/EV:4/LS:MITIGATED
Exposure EX=3 (execution complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.
- Same internet-reachable outbound tunnel position (RE:4) and key-gated but reproducible execution (EC:3). Authority is full remote device control: motion/locomotion commands plus SSH root to the onboard Raspberry Pi host (AT:3 device/host control — not a signing-root/OTA-root so not AT:4). PH:4 because remote motion control of an autonomously walking ~12kg quadruped creates credible dangerous-actuation/bystander injury risk, amplified by deployments cited at prisons/police/military. Crosses cloud-to-physical-actuation boundary (CH:4, boundary_crossing). Same shared-key reuse and fleet-scale remote actuation (SR:4, SX:4). Removal requires firmware/service change fleet-wide (OR:4, recovery_needs_fleet_action). Field-confirmed (EV:4).
- perception_feeds_action — false here because the actuation is direct operator command injection, not driven by a manipulated perception channel.
FLEET_CONTROL_PLANE → EMERGENCY
CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:3/EX:3/PH:4/DP:3/AT:4/CH:4/SR:4/SX:4/OR:4/EV:4/LS:MITIGATED
Exposure EX=3 (execution complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.
Robots auto-dial outbound to unitree.com CloudSail, bypassing NAT/firewall, so reachable from internet regardless of inbound filtering (RE:4). Execution is conceptually simple once the shared API key is held; the manufacturer inherently holds it and Makris/Finisterre demonstrated live control (EC:3 standard workflow, gated only by key possession). A single API key enumerates and controls EVERY registered robot (1,919 devices) — a hidden remote-control plane keyed on one shared trust anchor (AT:4, SR:4 shared key/backdoor, SX:4 fleet-scale remote/cloud). Crosses cloud/device/physical boundaries (CH:4, boundary_crossing). Recovery requires removing the hidden CloudSail functionality across the fleet plus egress filtering and firmware change (OR:4, recovery_needs_fleet_action). Field-confirmed via telemetry (EV:4). Not known exploited maliciously in the wild (active_exploitation:false). Liveness MITIGATED — service can be disabled and Go2+ changed architecture.
PERCEPTION_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:4/EC:3/EX:3/PH:4/DP:4/AT:3/CH:3/SR:4/SX:4/OR:4/EV:4/LS:MITIGATED
Exposure EX=3 (execution complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority, recall-class recovery · caps privacy-only cap → assessed CRITICAL.
- Same internet-reachable tunnel (RE:4) and key-gated reproducible access (EC:3). Holder can view live camera feeds and sensor data — ‘see through their eyes’ — across the fleet (DP:4 live-camera/spatial perception state; AT:3 sensor/camera access via service authority). Raised as an espionage/national-security surveillance risk by US lawmakers given academic/corporate networks (MIT, Princeton, CMU, Waterloo) among 1,919 connected devices. PH:2 — surveillance itself is an information/privacy disruption, not direct actuation harm. Shared single key gives fleet-wide remote camera access (SR:4, SX:4). Crosses cloud/device/physical-observation boundary (CH:3, boundary_crossing). Recovery requires fleet-wide service/firmware removal (OR:4, recovery_needs_fleet_action). Field-confirmed (EV:4).
- perception_feeds_action — false: this path is passive exfiltration for surveillance, not a perception channel feeding the robot’s own action/navigation decisions.
Published baseline
- v3.1 6.6 MEDIUM —
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H — Takeonme CNA via NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources