A comprehensive statement from a robot lawn mower company.
Yesterday, a report described how a hacker took control of a robot lawn mower. Thousands of Yarbo’s robots were easily compromised, exposing personal data such as GPS locations and Wi-Fi passwords. Today, Yarbo responded with a detailed 1,200-word message acknowledging the security flaws and outlining its efforts to address them. The company confirmed the issues highlighted by researchers, issued an apology, and announced a temporary suspension of remote access while it fixes key lapses, such as the same root password being used across devices. Yarbo says future models will have unique credentials for each device, with the first updates due within a week.
However, Yarbo is not yet ready to remove a critical backdoor from its robots, retaining it with promises of authorization, limited access, and audit logging. In the past, Yarbo claimed that remote access was limited to authorized employees, a claim that proved false. That raises the questions of why this feature persists and why users cannot opt out. Yarbo suggests the vulnerabilities stem from “legacy” services, hinting that some models may be more secure, yet it remains unclear what portion of its devices rely on these outdated services.
Security researcher Andreas Makris, who revealed these holes, has yet to test Yarbo’s fixes. However, Yarbo has been in direct communication with Makris and says fixing these issues is a priority. Yarbo’s in-depth update engages with the specifics:
Kenneth Kohlmann, Co-founder of Yarbo, addresses the issues personally. Acknowledging serious vulnerabilities publicly disclosed by Andreas Makris, he accepts responsibility for the oversight. Yarbo’s response prioritizes system rectifications and outlines fixes made, those in progress, and strategic changes for future operations.
The company’s historical design choices are at the heart of these issues, particularly in remote diagnostics, access management, and data processing. Users lacked transparency and control over some legacy features. Authentication mechanisms failed to meet modern security expectations, necessitating a move toward individually auditable credentials.
Yarbo is phasing out its outdated support infrastructure and upgrading OTA security measures, with the first updates imminent. It stresses that users must connect their devices to receive the updates, and says doing so will not affect warranty status. The broader strategy focuses on sustaining a robust security architecture and improving access controls, authorization models, and user visibility.
Yarbo says some aspects of the report do not apply to its current operations, or are not security risks on their own. However, the report maintains that the FRP auto-restart mechanism and the file-monitoring functions linked to the remote-access concerns still need to be addressed.
Yarbo has established a dedicated security channel and may introduce a bug bounty program to strengthen its long-term security practices. It remains open to collaboration with independent researchers, aiming to bolster transparency and consumer trust. Further updates will follow as developments proceed.
