Yesterday, I told you how a hacker ran me over with a robot lawn mower. We explained how thousands of these bladed Chinese robots, made by Yarbo, could be hijacked with ease — exposing people’s GPS coordinates, Wi-Fi passwords, email addresses, and more to any casual hacker who comes along.
Today, Yarbo has issued a thorough 1,200-word response that you can read in full below. The company is confirming the security researcher’s findings, apologizing, and providing a detailed plan to tackle many of its self-created security issues head-on. Yarbo writes that it’s already temporarily cut off remote access and is addressing many of its most head-smacking issues, like how root passwords were the same for every single robot and were left in easy places for hackers to find.
“In the future, each device will use its own independent credentials to prevent one affected device from impacting the entire fleet,” Yarbo writes. The company says its first wave of security updates should roll out within one week.
Importantly, though, Yarbo is not yet committing to remove the single most troubling thing about these robots. The company writes that it will still have a remote backdoor into Yarbo’s robots, only now one that is “limited to authorized internal company personnel, may only be used after user authorization has been obtained, and will be gradually brought under audit logging.”
To be clear, Yarbo already previously claimed that its remote access was only available to authorized employees; our story proved that was not true.
But giving the company the benefit of the doubt: why not remove the tunnel entirely, or make it an opt-in installation? Why do Yarbo’s customers not get to decide whether their robots have a persistent backdoor? I’ve asked the company those exact questions, and we’ll update with its answer.
Yarbo’s statement also tries to suggest that the vulnerabilities we’ve seen are because of “historical” or “legacy” services, implying that perhaps some of the company’s robots were more secure. We’ve asked Yarbo what percent of its robots are on those historical services as opposed to current ones.
Security researcher Andreas Makris, who discovered the vulnerabilities, says he hasn’t yet been able to check whether he can still access them after Yarbo’s changes. It sounds like the company is taking him seriously, now, though. “Yarbo has initiated direct communication with me and has taken the positive step of establishing a dedicated security response center. We are currently in discussions regarding the remediation process, and they have assured me that these fixes are their highest priority,” he says.
