Update: Vodacom and Nedbank have responded saying the Pepper robots used by the firms are safe. You can read more here.

Pepper is a friendly robot that you might’ve seen online greeting customers or helping them order pizzas.

Sadly the friendly humanoid bot is hiding a terrible secret within its silicon.

That secret is that Pepper is woefully unequipped when it comes to security. Researchers at Örebro University and the Technical University of Denmark conducted a number of penetration tests to see how well Pepper was secured.

“In this paper, we performed a set of different security assessments, both automated and manual, over a human-shaped social robot manufactured by SoftBank Robotics, namely Pepper. In our investigation, we found a troublesome number of serious security flaws which exhibit that the manufacturer extensively neglected any sort of security assessments before commercializing their product,” say the researchers.

These flaws include:

  • Spectre/Meltdown vulnerability
  • Admin page is not encrypted
  • No brute force countermeasures
  • Root password can be easily changed and the default password is well documented
  • Pepper could be controlled remotely

The researchers go on to say that Pepper could be used to spoof user credentials, steal data stored on the bot and even hack other connected devices. Pepper can even be used to physically harm humans.

The researchers have lambasted Pepper’s maker saying Softbank Robotics took a product designed for research and turned it into a commercial device without thinking about the security.

“Manufacturers should consider security aspects of their products, before selling them on the market. Until now, traditional IoT devices were very simple, therefore their security flaws did not raise enough awareness about the consequent risks. Now, we are starting to deal with devices that cannot only jeopardize human beings’ security, but also their safety,” wrote the researchers.

What concerns us is that one of these robots is being used by Nedbank.

Vodacom also deployed a Pepper robot earlier this year but it is unclear whether the bot is still in operation.

We have contacted Nedbank and Vodacom to determine whether the firms are aware of Pepper’s security flaws and how it plans to deal with the bots. As soon as we have official word from the firms we will be sure to update you.


An earlier version of this story incorrectly stated that Nedbank hoped to launch 200 Pepper robots. That is incorrect, the bank plans to launch some 200 software robots unrelated to the Pepper robot by the end of 2018.

The offending sentence has been removed.

[Source – arXiv:1805.04101] [Image – CC BY SA Franklin Heijnen]


Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.