Softbank's 'Pepper' robot is a security joke

Found on The Register on Wednesday, 30 May 2018

The 'bot allows unauthenticated root-level access, runs a Meltdown/Spectre-vulnerable processor, can be administered over unencrypted HTTP and has a default root password.

The researchers found that “it is a breeze to remotely turn it into a 'cyber and physical weapon', exposing malicious behaviours”.

Softbank's engineers haven't provided any protections against an attacker hammering Pepper with unlimited password attempts: “no countermeasures to brute-force attacks have been deployed with Pepper, which is once again an intolerable and disappointing finding”.

Such obvious and massive failures call for hefty fines; otherwise manufacturers won't improve product quality.