Vulnerabilities in Pudu’s Control Software Allow Hackers to Redirect Robots and Steal Intellectual Property

A service robot from Pudu Robotics delivering food in a restaurant setting, highlighting the technology recently affected by security vulnerabilities.

A researcher has discovered a critical security flaw in the control software of Pudu Robotics, a Chinese company that supplies over 100,000 robots to restaurants and other establishments. The vulnerability, which allows hackers to redirect the robots anywhere and make them follow any command, has been described as a “free-for-all” by the researcher, who has been digging into the company’s systems since August 12.

According to the researcher, known as Bobdahacker, the issue lies in the lack of proper authentication and authorization checks in Pudu’s backend software. This means that an attacker with a valid auth token can exploit the vulnerability to redirect food orders, shut down the entire fleet of restaurant robots, or even steal intellectual property.
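The gap described above, a valid token being accepted without any check on which robot it may control, is illustrated by the following added example, which is not Pudu's code or the researcher's. The token table, robot registry, tenant names and handler functions are all hypothetical and the data is constructed.

```python
# Added example (hypothetical API, constructed data): per-robot authorization.
# Constructed registry: which customer account (tenant) owns which robot.
ROBOT_OWNER = {"robot-001": "tenant-a", "robot-002": "tenant-b"}
# Constructed token table: token -> (tenant, actions that token may perform).
TOKENS = {
    "tok-a": ("tenant-a", {"rename", "move", "reset_order"}),
    "tok-b-viewer": ("tenant-b", set()),
}


class AuthError(Exception):
    """Raised for both unauthenticated and forbidden requests."""


def authenticate(token):
    # Authentication only answers "who is calling", not "what may they touch".
    if token not in TOKENS:
        raise AuthError("unauthenticated")
    return TOKENS[token]


def handle_command_weak(token, robot_id, action):
    # Weak pattern: any valid token is accepted for any robot and any action.
    authenticate(token)
    return f"{action} accepted for {robot_id}"


def handle_command_checked(token, robot_id, action, audit):
    tenant, allowed = authenticate(token)
    # Ownership check. Unknown robots fail the same way as robots owned by
    # someone else, so the response does not reveal which IDs exist.
    if ROBOT_OWNER.get(robot_id) != tenant:
        audit.append(("deny", tenant, robot_id, action, "not-owner"))
        raise AuthError("forbidden")
    # Action check: the token must carry the specific permission.
    if action not in allowed:
        audit.append(("deny", tenant, robot_id, action, "no-permission"))
        raise AuthError("forbidden")
    audit.append(("allow", tenant, robot_id, action, "ok"))
    return f"{action} accepted for {robot_id}"
```

The denied entries in the audit list are the signal an operations team would alert on: a token repeatedly requesting robots outside its own tenant.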

“We were able to reset orders, move the robots to new locations, and rename them to make recovery that much harder,” Bobdahacker said in a report. “It was like we had the keys to the kingdom.”

The researcher discovered that the vulnerability was caused by a lack of security checks in the company’s software, which allowed anyone to reset orders, move the robots to new locations, and rename them. This made it difficult for the company to track and recover the robots, and potentially allowed hackers to steal sensitive information.

“It’s a classic case of a company being too big to care,” Bobdahacker said. “They were so focused on making money that they neglected to secure their systems. But when we started contacting their customers, they finally took notice.”

Pudu’s robots are used in a variety of settings, including restaurants, hotels, and hospitals. The company’s software is designed to allow users to control and manage the robots remotely, but the vulnerability discovered by Bobdahacker allows hackers to take control of the robots and use them for malicious purposes.

The incident highlights the need for companies to prioritize security and take proactive measures to protect themselves against potential threats. Pudu has since apologized for the vulnerability and thanked Bobdahacker for his efforts in following responsible disclosure practices.

“We take the security of our systems very seriously,” a spokesperson for Pudu said. “We have taken immediate action to address the vulnerability and prevent it from being exploited. We appreciate the researcher’s efforts in helping us identify and fix the issue.”

The incident also raises questions about the security of other companies that use Pudu’s software. The company’s robots are used in over 1,000 cities around the world, and the vulnerability discovered by Bobdahacker could potentially affect thousands of users.

“It’s a wake-up call for companies to take security seriously,” said a cybersecurity expert. “Companies need to prioritize security and take proactive measures to protect themselves against potential threats. This incident highlights the need for companies to have robust security measures in place to prevent vulnerabilities like this from being exploited.”

Pudu has since taken steps to address the vulnerability and prevent it from being exploited. The company has locked down its systems and eliminated the security hole, and is working to implement additional security measures to prevent similar vulnerabilities in the future.

The incident serves as a reminder of the importance of prioritizing security and taking proactive measures to protect against potential threats. Companies need to take security seriously and have robust security measures in place to prevent vulnerabilities like this from being exploited.
