Redazione RHC: 6 September 2025 09:20
An independent security specialist known by the nickname BobDaHacker discovered security flaws in the systems of Pudu Robotics (the world’s leading provider of commercial service robots). The vulnerabilities allowed attackers to redirect the robots to any location and force them to execute arbitrary commands.
Pudu Robotics is a Chinese company that manufactures robots performing tasks ranging from serving food in restaurants (BellaBot) to operating systems designed for humans, such as elevators (FlashBot). According to Frost & Sullivan, the company held a 23% market share for these devices last year.
BobDaHacker found that he could reach the robot control software because access to its administrative functions was not restricted. To carry out the attack, an attacker needed only a valid authorization token, which could be obtained through cross-site scripting or simply by creating a trial account intended for testing the robots before purchase.
After the initial authentication, no further security checks were performed, allowing anyone to modify orders, move the bots to new locations, and rename them to make recovery more difficult after an attack.
In other words, the attacker was able to redirect ordered food to arbitrary destinations or even disable the entire fleet of restaurant robots. The researcher also notes that attackers could force FlashBot to damage office systems or steal intellectual property.
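The flaw the article describes is a missing authorization step: a token that merely proves the caller is *some* account is accepted as permission to command *any* robot. The following is an added illustration, not Pudu's code or API: a toy fleet-command handler in the flawed form beside a hardened one that ties each robot to an owning account and to a role allowed to operate it. The account names, tokens, robot IDs and the rule that trial accounts may authenticate but not issue commands are all constructed assumptions.

```python
# Constructed sample data (not Pudu's real API or data): a paying restaurant
# account, a free trial account, and a small fleet with an owner per robot.
ACCOUNTS = {
    "tok-restaurant-a": {"account": "restaurant-a", "role": "operator"},
    "tok-trial-0001": {"account": "trial-0001", "role": "trial"},
}
ROBOTS = {
    "bella-01": {"owner": "restaurant-a", "name": "BellaBot 1", "location": "kitchen"},
    "flash-02": {"owner": "restaurant-a", "name": "FlashBot 2", "location": "lobby"},
    "demo-00": {"owner": "trial-0001", "name": "Demo unit", "location": "showroom"},
}
ACTIONS = ("move", "rename")  # the two operations the article mentions
FIELD_FOR_ACTION = {"move": "location", "rename": "name"}


def authenticate(token):
    """Step 1, shared by both handlers: map a bearer token to a principal."""
    return ACCOUNTS.get(token)


def command_robot_vulnerable(token, robot_id, action, value):
    """Flawed pattern: any valid token may command any robot in the fleet."""
    if authenticate(token) is None:
        return "401"
    ROBOTS[robot_id][FIELD_FOR_ACTION[action]] = value
    return "200"


def command_robot_hardened(token, robot_id, action, value):
    """Step 2 added: the caller's account must own the robot and hold a role
    permitted to operate it (assumption: only 'operator' may send commands)."""
    principal = authenticate(token)
    if principal is None:
        return "401"
    if action not in ACTIONS:
        return "400"
    robot = ROBOTS.get(robot_id)
    # Same response for "no such robot" and "not your robot", so a caller
    # cannot enumerate other tenants' robot IDs by probing.
    if robot is None or robot["owner"] != principal["account"]:
        return "404"
    if principal["role"] != "operator":
        return "403"
    robot[FIELD_FOR_ACTION[action]] = value
    return "200"
```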
The researcher's attempts to contact Pudu Robotics representatives about the problem went unanswered. On August 12, BobDaHacker sent the first emails, but the technical support, support, and sales departments did not respond. After waiting until August 21, the specialist sent a new round of emails, contacting more than 50 company employees in an attempt to get at least someone’s attention.
Having still received no response, the researcher contacted Pudu Robotics' restaurant customers; the Japanese restaurant chains Skylark Holdings and Zensho took the warnings seriously.
About 48 hours after BobDaHacker contacted customers, Pudu Robotics finally responded to his email. However, the expert wrote that the response was clearly written by ChatGPT. “They didn’t even bother removing the placeholder in the ChatGPT template. It’s simply an incredible effort,” the expert said.
The company thanked the specialist for discovering the vulnerabilities with the following message: “Thank you for your valuable contribution to our security. If you’d like to share more details or have any questions, please feel free to contact me directly,” the company representative wrote.
However, Pudu Robotics has since fixed the vulnerabilities discovered by the researcher and secured its systems.
On September 3, BobDaHacker updated his post and reported that, apparently, the company had not ignored his messages. The initial emails had not actually reached their intended recipients, but a report of the problems was subsequently received through other channels. The developers then began working on a fix, but the company only contacted the researcher once the fix was ready to be deployed.