Food Delivery Robots Vulnerable to Hacks That Redirect Orders

A startling vulnerability in Pudu Robotics’ management APIs that allowed anyone with minimal technical skill to seize control of the company’s food delivery and service robots.

The vulnerability, which went unaddressed for weeks despite repeated responsible‐disclosure attempts, could have enabled malicious actors to redirect BellaBots and other Pudu models to deliver meals to unintended recipients, disrupt service in restaurants, and even compromise sensitive operations in hospitals and offices.

Pudu Robotics, the world’s largest commercial service-robotics manufacturer, supplies restaurants, hotels, hospitals, offices, and retail stores with a suite of products that includes:

• BellaBot, KettyBot, and PuduBot delivery robots.
• CC1 and PUDU SH1 cleaning robots.
• Disinfection robots with UV and chemical sprayers.
• Elevator-capable building-delivery robots with mechanical arms.

BobDaHacker’s investigation revealed that almost every API endpoint for Pudu’s robot-management platform lacked sufficient authentication checks.

While the system required valid tokens, it failed to verify user permissions or robot ownership. Attackers could:

• View any robot’s call history and accept up to 20,000 store IDs in a single, unthrottled request.
• Initiate, cancel, or reroute tasks on any robot anywhere in the world.
• Modify robot settings, including nicknames, configurations, and behavior patterns.
• Enumerate Pudu’s global store deployments and list all robots by store ID.

In a restaurant scenario, an attacker could have redirected a BellaBot carrying another diner’s meal to their own table, canceled all delivery requests during peak hours, or programmed robots to loop endlessly while playing music.

In office buildings, the FlashBot—a robot equipped with mechanical arms and elevator access—could have been commandeered to retrieve confidential documents from secured floors and deposit them at an exit.

In healthcare settings, malicious actors could have interfered with medicine delivery, sent cleaning robots into operating rooms, or bypassed critical disinfection tasks entirely.

BobDaHacker reported the vulnerabilities to Pudu’s sales, support, and technical teams beginning on August 12.

After receiving no response, he escalated the issue by emailing more than fifty company staff on August 21.

Weeks passed in silence as Pudu’s robots continued operating in vulnerable environments worldwide. On August 28, he contacted major customers—including Skylark Holdings, which manages over 7,000 restaurants in Japan, and Zensho, a leading chain operator—alerting them that their fleets were exposed to takeover.

Within forty-eight hours of this final escalation, Pudu’s security team miraculously “discovered” the reports and issued a templated acknowledgment thanking BobDaHacker for “responsible disclosure,” complete with a placeholder “[Your Email Address]” still intact.

Two days later, Pudu confirmed the vulnerabilities had been patched.

The incident highlights alarming lapses in security and corporate responsiveness. While Pudu boasts “ongoing commitment to security” on its website, it lacked even basic measures: no dedicated security contact, no authenticated API controls, and no timely handling of vulnerability reports.

Action only followed after the threat of reputational and financial damage when key clients were alerted.

The safety implications extend far beyond restaurant chaos. Hospitals that rely on Pudu robots for medicine delivery risked delayed or misdirected treatments.

Hotels and schools using these devices for room service or cafeteria logistics could have experienced service shutdowns and safety hazards.

In an era where automation plays an increasing role in critical operations, the Pudu breach underscores that robust security must match technological innovation.

Pudu Robotics now faces a reckoning: customers and regulators will demand stronger safeguards, transparent reporting channels, and swift remediation processes.

The company’s delayed response and reliance on automated, impersonal templates served only to erode trust.

As commercial service robots proliferate across sensitive environments, manufacturers must prioritize security from design through deployment. Otherwise, hungry diners may be the least of their customers’ worries.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!