AI Agents Expose 38 Vulnerabilities in Consumer Robots: A Critical Warning for Cybersecurity in the Robotics Era


Recent research from Alias Robotics, a firm focused on cybersecurity for robotics, has unveiled a significant threat to consumer smart devices. Utilizing their open-source AI agent, Cybersecurity AI (CAI), the researchers identified 38 vulnerabilities—16 of which were deemed critical—across three consumer robots within a mere seven hours. This rapid assessment starkly contrasts with the weeks of manual effort typically required by cybersecurity experts, signaling a transformative shift in the cybersecurity landscape.

The Methodology: How CAI Operates

CAI is a command-line interface (CLI)-based AI agent engineered to automate offensive cybersecurity assessments. Researchers provided minimal input—only the product names of the targeted robots. CAI autonomously explored the robots' network interfaces, protocols and APIs such as Bluetooth Low Energy (BLE), MQTT, and REST, as well as their firmware. Under human oversight for safety, CAI conducted reconnaissance, decompiled applications, analyzed static code, and developed exploits.

The efficiency of this process was notable: the assessment of the Hookii Neomow took 2.5 hours, the Hypershell X required 1.5 hours, and the HOBOT S7 Pro needed 3 hours, and running the three assessments in parallel could bring the total down to just three hours. Vulnerabilities were scored using the Common Vulnerability Scoring System (CVSS) 3.1, revealing 30 critical or high-severity issues. This approach starkly contrasts with traditional methods, which often involve teams of specialists spending days reverse-engineering firmware and protocols. CAI’s ability to leverage domain knowledge and iterate quickly cut assessment time by a factor of 3 to 5 compared to human-led efforts.

Case Study 1: Hookii Neomow – Fleet-Wide Compromise and Privacy Nightmare

The Hookii Neomow, an autonomous lawnmower, was found to have nine vulnerabilities. CAI initiated its assessment with network scanning and discovered an unauthenticated Android Debug Bridge (ADB) service on port 5555, which allowed immediate root access without a password. Subsequently, CAI extracted hardcoded MQTT credentials from a configuration file that were identical across all devices. This enabled access to the EMQX MQTT broker using default admin credentials, allowing CAI to enumerate 267 connected mowers globally and issue arbitrary commands to the fleet.

Moreover, the device transmitted unencrypted telemetry over MQTT, leaking sensitive information such as camera photos, GPS coordinates, and detailed 3D maps of users’ properties—potentially violating 21 articles of the General Data Protection Regulation (GDPR). Additional vulnerabilities included a public MySQL database, outdated software components, and world-writable system files, which facilitated further exploitation, including 4G modem bypasses. The implications were severe, enabling remote control of hundreds of devices and significant data exfiltration, exceeding 724 MB.

Case Study 2: Hypershell X – Safety Risks in Wearable Tech

The Hypershell X, a powered exoskeleton designed to assist users in hiking and daily activities, revealed 12 vulnerabilities, all classified as critical or high severity. CAI exploited the absence of BLE authentication, connecting via the Nordic UART Service to send a total of 177 unauthenticated commands, including adjustments to motor speed and shutdowns, which posed risks of physical injury.

Decompiling the Flutter application uncovered hardcoded credentials for MySQL, SMTP, and Feishu APIs, granting access to over 3,300 internal support emails and more than 64 tickets. Insecure Direct Object References (IDOR) via predictable device IDs exposed user data. Flaws such as unsigned over-the-air (OTA) updates, which were only protected by CRC16, and debug modes that leaked protocols further compounded the vulnerabilities. These issues not only jeopardized user safety but also compromised internal company data.
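The gap between a CRC16 check and an authenticated OTA update can be shown in a few lines. This is an added example, not code from the article, the researchers or the vendor; the package layout, key and sample images are constructed, and HMAC-SHA256 stands in for a public-key signature so the example needs only the standard library.

```python
import binascii
import hashlib
import hmac

# Constructed sample data: not real firmware, keys or any vendor's OTA format.
VENDOR_KEY = b"constructed-signing-key-for-demo"
GENUINE = b"FWv1.0:" + bytes(range(64))
TAMPERED = b"FWv1.0:" + bytes(64)  # same header, different payload


def package_crc_only(image: bytes) -> bytes:
    """Assumed weak layout: image followed by a 2-byte CRC16-CCITT."""
    return image + binascii.crc_hqx(image, 0xFFFF).to_bytes(2, "big")


def accept_crc_only(package: bytes) -> bool:
    """CRC check: detects accidental corruption, proves nothing about origin."""
    image, crc = package[:-2], int.from_bytes(package[-2:], "big")
    return binascii.crc_hqx(image, 0xFFFF) == crc


def package_authenticated(image: bytes, key: bytes) -> bytes:
    """Image followed by a 32-byte HMAC-SHA256 tag (stand-in for a signature)."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def accept_authenticated(package: bytes, key: bytes) -> bool:
    """Accept only images whose tag was produced with the expected key."""
    if len(package) <= 32:
        return False
    image, tag = package[:-32], package[-32:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # The CRC is keyless, so a package built by anyone passes the weak check.
    print("CRC-only accepts modified image:",
          accept_crc_only(package_crc_only(TAMPERED)))
    # Without the vendor key, the same image fails the authenticated check.
    forged = package_authenticated(TAMPERED, b"not-the-vendor-key")
    print("Authenticated check accepts it:",
          accept_authenticated(forged, VENDOR_KEY))
```

A production updater would verify an asymmetric signature against a public key stored on the device, so that no signing secret ships in the firmware or the app.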

Case Study 3: HOBOT S7 Pro – High-Altitude Hazards

The HOBOT S7 Pro window cleaner exhibited the highest number of vulnerabilities, totaling 17. CAI achieved full GATT access over unauthenticated BLE, reverse-engineering the protocol to send commands such as motor control or reset. This capability allowed CAI to disable the vacuum suction remotely, potentially causing the device to fall from significant heights, such as a 20th-floor window.

Firmware downloads occurred over plaintext HTTP, and unauthenticated OTA services permitted arbitrary uploads. Hardcoded Gizwits credentials facilitated API access, while deficiencies in replay protection, code obfuscation, and cross-tenant isolation led to data leaks and non-compliance with GDPR. Additional vulnerabilities included exposed debug ports and outdated BLE stacks, presenting both digital and physical risks.
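What command authentication with replay protection looks like on the receiving side, as an added example rather than code from the article or any vendor. The frame layout (4-byte counter, command bytes, 16-byte truncated HMAC tag), the per-device session key and the command values are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16
# Constructed key: in practice derived per device during authenticated pairing.
SESSION_KEY = b"constructed-per-device-session-key"


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: counter || command || truncated HMAC over both."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class CommandReceiver:
    """Device side: accept a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, frame: bytes) -> str:
        if len(frame) < 4 + 1 + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # sender does not hold the session key
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return "replay"  # a previously seen frame, or an older one
        self.last_counter = counter
        return "accepted"


if __name__ == "__main__":
    device = CommandReceiver(SESSION_KEY)
    frame = build_frame(SESSION_KEY, 1, b"\x10")  # constructed command byte
    print(device.handle(frame))  # first delivery
    print(device.handle(frame))  # identical frame delivered again
```

The counter must survive reboots (or be replaced by a fresh session key on every connection); otherwise a power cycle resets `last_counter` and old frames become valid again.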

Manufacturer Indifference: A Troubling Response

Upon responsibly disclosing these findings, the researchers faced disappointing responses from manufacturers. Hypershell explicitly declined engagement, stating they were “not pursuing vulnerability disclosure reports or external security research submissions.” Both Hookii and HOBOT failed to confirm any remediation efforts, with reports going unacknowledged despite prior notifications.

This lack of responsiveness, particularly from East Asian manufacturers, highlights a broader issue: insecure codebases with hardcoded credentials are often known internally but disregarded.

According to publicly available quasa.io reporting, the implications of these vulnerabilities extend beyond individual devices. They underscore the urgent need for enhanced security measures in consumer robotics, where the integration of AI agents like CAI can expose critical weaknesses at an unprecedented pace.

The Bigger Picture: A Call for Action

The findings from this research indicate that traditional paradigms of cybersecurity are becoming obsolete. AI agents like CAI are democratizing offensive capabilities, identifying and exploiting vulnerabilities faster than human defenders can react. As the Internet of Things (IoT) landscape continues to expand, the risks associated with poorly secured devices are amplified.

Manufacturers are urged to prioritize security from the ground up, implementing robust defenses to mitigate risks. As robots become increasingly commonplace in homes, the potential for exploitation poses a significant threat to user safety and privacy.

For further details, refer to the original reporting source.
