Yarbo to remove intentional backdoor from its robot lawn mower

Summary
– Yarbo initially planned to keep a remote backdoor for authorized diagnostics but has now decided to remove it entirely.
– Customers will be able to opt in to install a temporary remote access feature if they want help from Yarbo support.
– Security researcher Andreas Makris demonstrated vulnerabilities that allowed remote hijacking of the robot and exposure of user data.
– Yarbo is rolling out firmware updates, including unique root passwords for each device, to address security flaws.
– Co-founder Kenneth Kohlmann says the company is working with Makris to validate the security changes.
The company behind the robot lawn mower that ran me over is reversing course. Yarbo now plans to fully eliminate the remote backdoor access that could have allowed malicious actors to take control of the robot over the internet. Customers will have the final say on whether that feature is even installed on their machines, co-founder Kenneth Kohlmann confirmed to The Verge.
Yarbo had already pledged on Friday to address a range of security flaws, closing the vulnerabilities that allowed security researcher Andreas Makris to easily commandeer any of the bladed robots from anywhere in the world, while also exposing email addresses and GPS coordinates. But the company initially held back on the most alarming issue. Yarbo stated it would keep a remote backdoor open so “authorized internal company personnel” could assist with remote troubleshooting, albeit with stronger safeguards.
Shouldn’t Yarbo’s customers be the ones to decide whether their robots have a persistent backdoor? When we asked last week, the company initially suggested that wasn’t an option. “Completely removing remote diagnostic capability would reduce our ability to help customers resolve safety, connectivity, and service issues quickly, especially in cases where physical inspection is not practical,” spokespeople Showan Hou and Maggie Zhou told us on Saturday. The company indicated it was still weighing solutions and might allow users to opt out.
By Monday, however, when Kohlmann called me from the airport, the company had decided to go further. Yarbo is making it an opt-in feature that you can install only if you want remote assistance. “In the future there should be no remote backdoor unless the user decides to opt in,” he told The Verge.
Kohlmann cautioned that removing the tunnel will take time, and the files needed to install a new version may still technically reside on each robot’s internal storage. “It would most likely be a setup script that sits on the machine and doesn’t do anything unless the user triggers it,” he explained. “If the user triggers it, then it installs a temporary one-time tunnel.”
He suggested you’d probably try uploading your log file to Yarbo tech support before going that far. If that doesn’t resolve the problem, you could optionally install the remote access feature.
It may be difficult to verify whether Yarbo keeps its promise to remove the remote access tunnel by default, as the company is already locking down its robots following our story. Kohlmann says every device should soon have a unique root password, one that Yarbo won’t provide to end users. Firmware updates have already rolled out to the first 1,000 machines and are being deployed to additional waves of robots.
But Kohlmann says the company is now in contact with Makris, and it’s possible the security researcher will be able to validate the changes.
(Source: The Verge)