Yarbo to Eliminate Intentional Backdoor from Robot Lawn Mower


We interviewed Kenneth Kohlmann, co-founder of Yarbo.

The company behind the robot lawn mower at the center of the recent security incident has changed its stance. Yarbo will now completely eliminate the remote backdoor access that could have let malicious actors reprogram the robot over the internet. Yarbo customers will have the option to decide whether this feature is installed, as co-founder Kenneth Kohlmann pledged to The Verge.

Last week, Yarbo had already promised to address numerous security issues by closing the vulnerabilities that allowed security researcher Andreas Makris to gain control over the robots remotely and that also exposed email addresses and GPS locations. On the primary vulnerability, however, Yarbo initially stopped short of a complete fix: the company intended to keep a remote backdoor accessible to “authorized internal company personnel” for troubleshooting, while promising additional safeguards.

Yarbo’s customers should decide whether their robots have a persistent backdoor. When questioned, the company initially indicated a reluctance to fully remove remote diagnostic capabilities, citing a reduced ability to assist customers promptly. Spokespeople Showan Hou and Maggie Zhou had stated on Saturday that solutions were being considered and that an opt-out feature was possible.

By Monday, Kohlmann confirmed that the company decided to make it an opt-in feature for users requiring remote assistance. “In future, there should be no remote backdoor unless the user decides to opt-in,” he told The Verge.

Kohlmann said it will take time to remove the tunnel, and that the files needed to reinstall it might remain on each robot’s internal storage. “A setup script would likely reside on the machine, doing nothing until activated by the user,” he said, explaining that, if triggered, it would install a temporary one-time tunnel.

Before using such a feature, users would likely attempt uploading log files to Yarbo’s tech support. If further steps were needed, users could optionally install the remote access feature.

Determining whether Yarbo follows through on removing the remote access tunnel by default may be difficult, because the company, rightly, has been securing the robots since the story was published. Every device will soon have a unique root password that is not provided to users; firmware updates have already been deployed to the first 1,000 machines, with more planned.

Yarbo is now in touch with Makris, and the possibility exists for the security researcher to verify these changes.
