If Your Robot Sends Data to Beijing, Is It a Spy? The Uncomfortable Question at the Heart of the Humanoid Race

In January 2026, Poland’s Ministry of Defence banned Chinese-manufactured vehicles from military bases. The Military Counterintelligence Service determined that cars with “built-in or additional devices capable of recording position, image, or sound” posed an unacceptable intelligence risk. Even connecting an official phone to a Chinese car’s infotainment system was prohibited.

Two months later, a Unitree G1 humanoid robot - a 35 kg Chinese-manufactured sensor platform carrying depth cameras, 360-degree LiDAR, a directional microphone array, GPS, and a persistent internet connection with documented data transmission to servers in China - walked through the corridors of the Polish Sejm. Politicians posed for photos. Nobody asked what the robot was recording or where the data was going.

This is not a story about Polish security failures. It is a story about a gap that exists in every democratic country on earth right now. The world’s most accessible, most affordable humanoid robot comes from a country whose intelligence law compels corporate cooperation with the state. Independent security researchers have documented that this robot transmits data to Chinese servers every five minutes with no way for the owner to turn it off. And it is operating in university labs, research institutions, and now government buildings across the Western world.

The question is not whether the Unitree G1 is a spy. The question is whether we have any way of knowing, and what we should do about a situation where we cannot tell.

Part 1: What the robot actually collects

Before discussing geopolitics or intelligence law, it helps to be precise about what we are talking about. A Unitree G1 is not a toy. It is a serious robotics research platform whose sensor capabilities rival those of autonomous vehicles.

The G1 runs on a dual-computer architecture. The primary locomotion computer uses a Rockchip RK3588 chip with 8 GB of RAM on Ubuntu 20.04. The educational variant adds an NVIDIA Jetson Orin NX providing 100 TOPS of AI inference power. At boot, the system launches 26 daemon services organized in three priority tiers.

The sensor suite includes:

• An Intel RealSense D435i depth camera producing six video device streams, including RGB video at up to 1080p and stereoscopic depth data
• A Livox MID-360 3D LiDAR with 360-degree field of view, generating 200,000 points per second, capable of building centimeter-accurate 3D maps of interior spaces
• A four-microphone array with noise cancellation, designed to isolate individual voices in noisy environments
• A 9-axis inertial measurement unit (IMU) tracking orientation and acceleration
• A GNSS receiver for GPS positioning
• Joint sensors across up to 43 degrees of freedom, measuring torque, temperature, and position

All sensor data flows over the robot’s internal network using CycloneDDS on an unencrypted local subnet at 192.168.123.0/24. This is an important detail. The internal data bus has no encryption. Any service running on the robot, or any device on the same network segment, can read the full sensor stream.

To put this in context: a modern smartphone has a camera, a microphone, and GPS. The Unitree G1 has all of that plus depth perception, 360-degree spatial mapping, multi-directional audio capture, and enough processing power to run computer vision models locally. If you were designing a surveillance platform from scratch, you would struggle to improve on this sensor package.

That does not mean the G1 is a surveillance platform. It means the G1 has the hardware to be one, and the question of what its software actually does with that hardware is worth asking carefully.

Part 2: Where the data goes

In September 2025, Victor Mayoral-Vilches and his team at Alias Robotics published a comprehensive security audit of the Unitree G1, conducted under the EU-funded Cybersecurity AI framework. The findings appeared on arXiv and were subsequently reported by IEEE Spectrum, Help Net Security, and multiple other outlets. These are not allegations. They are peer-reviewed, technically documented findings.

The core discovery: the Unitree G1 transmits telemetry to external servers every 300 seconds (five minutes) without user consent or notification.

The telemetry endpoints are MQTT servers at IP addresses 43.175.228.18 and 43.175.229.18 on port 17883, with throughput of approximately 1 Mbps. Every five minutes, the robot transmits battery states, IMU orientation data, joint torque and temperature readings from 20+ motors, service states, CPU load, memory usage, and filesystem statistics. That is roughly 4.5 KB per telemetry frame.

The more concerning channels are continuous. The robot’s conversational AI backend connects via WebSocket to 8.222.78.102:6080 with SSL certificate verification disabled. The voice service sends audio data to iFlytek, a Chinese speech processing company that has been on the US Entity List since 2019 for its role in enabling surveillance of Uyghur populations in Xinjiang.

Unitree’s own privacy policy, publicly available at marketing.unitree.com, states it plainly: “Your information will be stored in the People’s Republic of China.”

The researchers found no mechanism for the robot’s owner to turn any of this off. There is no settings menu. There is no privacy dashboard. There is no opt-out. The telemetry services are part of the base firmware on the locomotion computer, which is not user-accessible on the consumer model.

Part 3: The known vulnerabilities

The always-on telemetry is the baseline. Layered on top are critical security vulnerabilities that independent researchers have documented and published.

The CloudSail Backdoor (March 2025). Researchers Andreas Makris and Kevin Finisterre discovered that Unitree Go1 robots ship with an undocumented remote access tunnel called CloudSail, enabled by default. This tunnel connects every robot to Unitree’s servers in China with no user notification or consent. Through this tunnel, Makris and Finisterre were able to enumerate 1,919 Unitree devices on the network, including robots operating at MIT, Princeton, Carnegie Mellon, and other major research institutions. Unitree invalidated the API key two days after public disclosure but did not acknowledge the backdoor’s existence prior to the discovery.

The UniPwn Exploit (September 2025). A critical Bluetooth vulnerability affects the G1, H1, Go2, and B2 models. Through the BLE Wi-Fi provisioning interface, an attacker within Bluetooth range (roughly 30 meters) can inject arbitrary commands and gain root-level access to the robot. The encryption uses a fleet-wide hardcoded AES key. Every Unitree robot of the same model shares the same cryptographic key. The exploit is wormable: a compromised robot can scan for and automatically attack other Unitree robots within range, creating a self-propagating botnet.

Unitree’s response was to claim that “most vulnerabilities have been patched” and that robots “are designed to operate offline by default” and “only transmit minimal data such as serial numbers and operational health metrics.” Researchers subsequently verified that vulnerabilities persisted after the claimed patch. The claim that robots operate offline by default directly contradicts the documented five-minute telemetry cycle.

Part 4: China’s legal framework

The technical findings exist within a legal context that makes them more consequential than ordinary security concerns.

China’s National Intelligence Law, enacted in June 2017 and amended in April 2018, contains provisions that have no equivalent in Western legal systems. Article 7 states: “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law.” Article 14 grants intelligence agencies the authority to require “relevant organs, organizations, and citizens to provide necessary support, assistance, and cooperation.” Article 12 obligates intelligence bodies to operate “according to law,” but the scope of that law is defined by the same state apparatus that conducts the intelligence gathering.

Legal scholars disagree about how aggressively Article 7 is enforced in practice and whether it would compel a commercial company to build surveillance capabilities into consumer products. Jeremy Daum of the Paul Tsai China Center at Yale Law School has argued that the law’s practical scope is narrower than a plain reading suggests, and that the “accordance with law” qualifier imposes real procedural limits. Other analysts, including those advising the Australian Signals Directorate and the UK’s GCHQ, have taken a broader reading and concluded that no Chinese company can guarantee it will not be compelled to provide data to the state.

What is not debatable:

1. The law exists and is in force
2. Unitree is a Chinese company headquartered in Hangzhou
3. Unitree’s robots transmit data to servers in China
4. The owner has no way to verify what data is transmitted
5. The owner has no way to turn off the transmission

Whether China’s intelligence services have ever actually requested data from Unitree is unknown. Whether they could, if they chose to, is the question that matters for policy.

Part 5: The US response

The United States has moved faster than any other country to formalize concerns about Chinese humanoid robots, though it has not yet restricted their sale.

In May 2025, the bipartisan US House Select Committee on the CCP sent a formal letter to the Secretary of Defense, the Secretary of Commerce, and the Chairman of the FCC. The letter cited specific findings about Unitree’s connections to the Chinese military:

• A Unitree robot equipped with a rifle was featured in PLA-Cambodian joint military exercises in May 2024
• Unitree sold robots to approximately 30 Chinese universities over five years, including institutions on the US Entity List. North University of China documented its purchase as being for “weapon science and technology”
• Unitree is headquartered in Hangzhou’s High-Tech Zone, which the Committee described as a “military-civil fusion” zone
• CEO Wang Xingxing attended a closed-door meeting with Xi Jinping in February 2025
• Unitree’s technology partners include Huawei, iFlytek (Entity List), and ZTE, all designated as national security concerns by the US government
• The company received investment from a state-backed 140 billion RMB Sci-Tech Fund

In December 2025, Congressional leaders formally requested that the Department of Defense add Unitree to its list of Chinese military companies. In March 2026, bipartisan legislation - the American Security Robotics Act - was introduced to ban federal procurement of humanoid robots manufactured by companies with ties to the Chinese government or military.

The legislation has not yet passed. Unitree products remain legal to purchase and operate in the United States. There is no restriction on their use in academic institutions that receive federal research funding.

Part 6: The European gap

Europe has, on paper, the most comprehensive regulatory framework in the world for addressing the concerns that Chinese humanoid robots raise. In practice, virtually none of it has been applied to robots walking through government buildings or public spaces.

GDPR (known as RODO in Poland). The Unitree G1’s cameras capture identifiable faces. Its microphones record voices. Under Article 9, processing biometric data requires explicit consent or a specific legal exemption. Under Article 35, a Data Protection Impact Assessment is mandatory before any “systematic monitoring of a publicly accessible area.” A robot with always-on cameras and LiDAR moving through a parliament building is, by any reasonable interpretation, systematic monitoring of a publicly accessible area. When the Polish Press Agency asked the Chancellery of the Sejm about data collected during Edward Warchocki’s visit, the Chancellery did not answer the question.

The EU AI Act. Article 5 prohibits real-time remote biometric identification in publicly accessible spaces, with narrow exceptions for law enforcement. If the G1’s navigation system performs any form of facial detection, even as a passive component of its path-planning algorithms, this triggers compliance obligations. Article 50 requires that people interacting with an AI system are informed of that fact and of the system’s capabilities.

The EU Cyber Resilience Act. Adopted in November 2025, with mandatory vulnerability reporting obligations beginning September 2026, this regulation requires products with digital elements to meet baseline cybersecurity requirements. Fleet-wide shared encryption keys, undocumented remote access tunnels, disabled SSL certificate verification, and the inability for owners to control data transmission would all likely constitute violations.

The irony is that Europe has built the legal tools to address this problem. It has not built the institutional capacity to use them. There is no standardized protocol for what happens when a humanoid robot enters a government building. There is no certification scheme for connected robots operating in public spaces. There is no cross-border coordination mechanism for assessing the security of foreign-manufactured robotic platforms. The law says you need a Data Protection Impact Assessment. Nobody has written the template for what a robot DPIA looks like.

Part 7: The Edward Warchocki test case

The visit of Edward Warchocki to the Polish Sejm on March 25, 2026 is the most vivid illustration of this gap between regulation on paper and regulation in practice.

Edward is a Unitree G1 given a fictional Polish identity by entrepreneurs Radoslaw Grzelaczyk and Bartosz Idzik. The creators built a custom AI conversation system on top of the G1 hardware, replacing Unitree’s default voice pipeline with their own cloud-based LLM framework. The robot toured Polish cities for weeks, generating over 200 million combined video views, before being invited to parliament by three MPs from the Konfederacja party.

The Sejm visit was organized to draw attention to the fact that Polish law has not kept pace with robotics. On that point, the MPs were right. The visit proved it more effectively than they intended.

When the Polish Press Agency asked the Chancellery of the Sejm what security measures were taken, the response confirmed that:

1. The Marshal’s Guard physically inspected the robot for threats
2. The robot was restricted to designated zones with guard escort
3. Officers were trained on the emergency shutdown procedure

These are the correct precautions for a physical threat. Is this going to explode? Can we turn it off if it malfunctions? They are not the correct precautions for a networked sensor platform.

The contrast with Poland’s own military policy is striking. The same government that banned Chinese cars from military bases because their infotainment systems might record audio and location data allowed a Chinese robot with depth cameras, 3D LiDAR, a microphone array, GPS, and documented persistent telemetry to Chinese servers to walk through parliament.

Part 8: The university problem

The policy question becomes genuinely difficult when you look at where Unitree G1 robots are actually being used. This is not primarily a consumer product. It is a research platform, and it has become the default humanoid for university robotics labs worldwide.

When researchers Makris and Finisterre enumerated the 1,919 devices on Unitree’s undocumented CloudSail network, the list included robots at MIT, Princeton, Carnegie Mellon, and dozens of other institutions. This is not because these universities are naive. It is because the G1 offers something no other platform can match.

The G1 EDU model costs roughly one-tenth of what a Boston Dynamics Atlas or a Figure 02 would cost, if those platforms were even available to academic researchers, which largely they are not. Atlas is limited to Hyundai factory partners. Figure 02 is not commercially available at all. Tesla’s Optimus is not for sale. The G1 is available on the Unitree website with credit card checkout and delivery in weeks.

For a graduate student working on bipedal locomotion, manipulation, or reinforcement learning, the choice is between a $16,000 robot that arrives next month and a $100,000+ platform that might arrive next year with restrictive licensing terms. The security concerns are real, but they are abstract compared to the concrete pressure of a thesis deadline and a limited budget.

This creates a dependency problem. As more researchers build their work on the G1 platform, their training data, their models, their publications, and their expertise become tied to Unitree’s ecosystem. Switching to an alternative later becomes increasingly costly. And if policymakers eventually restrict the G1, they will be disrupting active research programs at their own leading universities.

Part 9: The other side of the argument

An article on this topic would be incomplete without presenting the case that the concern is overblown. Reasonable people hold this position, and their arguments deserve fair treatment.

The telemetry is diagnostic, not surveillance. The documented five-minute telemetry transmits battery states, motor temperatures, and system diagnostics. This is the same kind of data that Tesla, iRobot, and every connected consumer device collects. The volume (4.5 KB per frame) is too small to contain video, audio, or LiDAR data.

China’s intelligence law may be less powerful than it reads. Legal scholars including Jeremy Daum at Yale have argued that Article 7 is not a blanket mandate for corporate espionage. The “in accordance with law” qualifier imposes procedural requirements. There is no documented case of a consumer robotics company being compelled to add surveillance capabilities to its products.

The US has similar laws. The Foreign Intelligence Surveillance Act, National Security Letters, and the CLOUD Act give US intelligence agencies comparable authorities to compel data from American companies. If the standard is “the government could theoretically compel data access,” then every connected device from every country is suspect.

Restricting Chinese robots hurts Western researchers. If the G1 is banned or restricted, the immediate losers are American, European, and Asian university labs that depend on affordable humanoid platforms. China’s own researchers will continue to have access. The net effect could be to slow Western robotics development while leaving China’s unaffected.

The real vulnerabilities are fixable. The CloudSail backdoor was patched after disclosure. The BLE exploit can be mitigated with firmware updates. Responsible disclosure and market pressure may produce better security outcomes than government bans.

Every one of these counterarguments has merit. The strongest is the point about the telemetry volume. At 4.5 KB per frame, the documented transmissions genuinely cannot contain rich sensor data. If the only concern were the MQTT telemetry, the situation would be analogous to fitness trackers phoning home with usage statistics.

But the concern is not limited to the MQTT telemetry. It extends to the architecture: unencrypted internal data buses, 26 daemon services with network access, disabled SSL verification on the voice channel, an undocumented remote access tunnel that was only discovered by external researchers, and firmware that the owner cannot audit. The question is not “is data being exfiltrated right now?” The question is “could data be exfiltrated, and would the owner ever know?”

Part 10: What rational policy looks like

The policy challenge is to address a genuine security concern without falling into either of two traps: pretending the problem does not exist, or banning useful technology based on fear rather than evidence.

Here is what a rational middle ground might include.

For government and sensitive facilities

This is the easy part. No country should allow an unaudited networked sensor platform into a government building, regardless of where it was manufactured.

• Mandatory pre-clearance protocol for any autonomous device with cameras, microphones, LiDAR, or persistent network connectivity entering government buildings, military installations, or critical infrastructure
• Firmware and software inspection by qualified cybersecurity personnel, with CERT or equivalent agency consultation for foreign-manufactured devices
• RF monitoring during the visit to detect any unauthorized data transmission
• Network isolation or disconnection during the visit, with post-visit audit of any data the device may have stored

Poland already has the institutional capacity for this. The Military Counterintelligence Service developed detailed guidelines for Chinese vehicles at military bases. Extending those guidelines to cover robots and autonomous sensor platforms in all government buildings would be straightforward.

For research institutions

This is harder. The goal should be to maintain access to affordable research platforms while mitigating the specific security risks.

• Network isolation requirements for Chinese-manufactured robots in labs receiving government research funding. The G1 EDU model supports fully air-gapped operation via direct Ethernet or AP mode. This should be the default configuration, not an optional precaution.
• Mandatory router-level firewall rules blocking outbound connections from robot subnets. Community-developed guides already exist for this, but institutional IT policies should codify them.
• Transparent security auditing funded by research agencies. If NSF, DARPA, and EU research councils jointly commissioned an independent, ongoing security audit of the G1 platform (similar to the audits conducted for DJI drones), the result would be actionable evidence rather than speculation.
• Investment in alternatives. The reason universities use the G1 is that nothing else is available at that price point. Public investment in an open-source, Western-manufactured humanoid research platform would address the root cause of the dependency.

For consumer and public use

This is the frontier. Humanoid robots are beginning to appear in public spaces, and no jurisdiction has a mature framework for governing them.

• Data controller obligations. When a robot with cameras and microphones operates in public, someone must be the data controller under GDPR. Current law is ambiguous about whether this is the manufacturer, the owner, or the operator. Clarifying this is urgent.
• Transparency requirements. People encountering a robot in public should be able to understand what it is recording and where the data goes. A visible indicator of active sensors and a QR code linking to a data processing notice would be minimal compliance.
• Sensor minimization. Robots operating in public spaces should have the ability to disable sensors not required for their task. A robot giving a speech in parliament does not need active LiDAR mapping the room.
• Certification for connected robots above a defined capability threshold, analogous to CE marking for electrical safety, covering cybersecurity baseline, data handling, and privacy controls.

Part 11: What this means for the humanoid race

The geopolitics of humanoid robots are inseparable from the economics. China shipped roughly 82% of all humanoid robots in 2025. Unitree alone has shipped more than 5,500 units. The combined output of every American humanoid manufacturer does not match what Unitree and AgiBot shipped last year.

This dominance is not an accident. China’s Ministry of Industry and Information Technology published explicit national production targets for humanoid robots. Provincial governments allocated billions in subsidies. The result is a manufacturing ecosystem that can produce humanoid robots at price points no Western company can match.

The security concerns exist within this competitive reality. If Western countries restrict Chinese humanoid robots without providing alternatives, they risk falling further behind in a technology that Goldman Sachs projects will grow into a $38 billion market by 2035. If they do not restrict them, they accept a growing dependency on platforms with documented security issues manufactured in a country whose laws compel intelligence cooperation.

This is not a problem that resolves itself. Every quarter that passes without clear policy increases the installed base of Chinese robots in Western institutions, deepens the research dependency, and makes eventual restrictions more disruptive.

The question that matters

The title of this article asks whether your robot is a spy. That is the wrong question. The right question is whether you have any way of knowing.

With the Unitree G1, as it ships today, the answer is no. The firmware is not auditable by the owner. The telemetry cannot be disabled. The internal data bus is unencrypted. The manufacturer’s response to documented security findings has been denial and deflection. And the legal framework in the manufacturer’s home country means that even genuine assurances from the company cannot be independently verified.

That does not make the G1 a spy. It makes the G1 unverifiable. And in security, unverifiable and untrustworthy are the same thing.

The Unitree G1 is a remarkable piece of engineering. At $16,000, it has democratized access to humanoid robotics in a way that no other company has achieved. The researchers at MIT, Princeton, and Carnegie Mellon who use it are not naive. They are making a rational calculation that the research value outweighs the security risk, especially when no comparable alternative exists.

The job of policy is to change that calculation. Not by banning the robot, but by creating the conditions under which its security can be verified, its data flows can be controlled, and its use in sensitive contexts can be governed by evidence rather than assumption.

Poland banned Chinese cars from military bases in January. A Chinese robot walked through parliament in March. Somewhere between those two decisions is a rational policy. Finding it is not optional.