Alpha 2 is an adorable humanoid robot that can teach, be a personal assistant, or provide entertainment through its inbuilt speakers and flexible joints. Promotional videos from its makers show the knee-high bot helping with chores around the house and passing a screwdriver to someone fixing faulty plumbing.

Now ethical hackers have found a way to hijack the robot's controls, turning its tiny screwdriver-holding hand into a weapon. Not only could someone remotely control its movements, but the systems controlling its cameras and speakers are also vulnerable.



Earlier this year, computer scientists from security consultancy IOActive claimed they could hack the popular household robots. Now, the group has revealed details of how hackers could take control and published a series of videos showing the robots' vulnerabilities.


UBTECH's Alpha 2 robot is shown repeatedly stabbing a tomato with a screwdriver. Nao and Pepper, made by Japan's Softbank, can have their movements controlled and the researchers were able to view the onboard camera's feed remotely. The researchers also hacked into the controls of a giant arm from Universal Robots that's used on factory production lines.



"A hacked robot can act as an insider threat in organisations, industries or homes," Lucas Apa and Cesar Cerrudo from IOActive write in a technical paper detailing the security flaws. "Their capabilities can be subverted and used for multiple purposes by outsiders that exploit remote vulnerabilities". The problems with the machines are described as "critical" and the researchers claim they "could have been prevented by implementing well-known cybersecurity practices". The hacks were achieved by exploiting unencrypted data connections, physical access to the robots and problems with their authentication protocols.

In Pepper and Nao, the NAOqi software does not perform an authorisation check when it is in operation. As a result, anyone can use a piece of code to view a video feed from the robots' front cameras. "[The] same attack allows accessing most of the robots built-in modules, microphones, body control, databases, network cards, VPN secrets, face recognition modules," the technical paper explains.


The two researchers reported the vulnerabilities to the relevant companies earlier this year, but say the response was disappointing. While some acknowledged their work, most failed to act on specific details of the vulnerabilities. This means some of the vulnerabilities may still exist in robots in the wild, although there is no indication that they have been exploited by hackers.


UBTECH said the work was an "exaggerated depiction" of its open-source platform and that it has "fully addressed" the concerns raised by IOActive. Meanwhile, a Softbank spokesperson said it has fixed the issues and Universal Robots said it was "aware of the report".

In February, the two researchers released the non-technical details of vulnerabilities they found in the robots. A paper, titled Hacking Robots Before Skynet, details their fears around robotics manufacturers failing to treat cybersecurity as a serious priority in their products. "Our results show how insecure and susceptible current robot technology is to cyberattacks," they wrote online at the time.

This article has been updated to include comment from the companies involved.