NEWS Hacker hijacked a robot lawn mower and ran it into an innocent man

pinkman

A security researcher found the same root password in thousands of Yarbo robots and proved that the problem affects the entire line of devices.
A robot lawn mower weighing under a quintal sounds like a convenient gadget for lazy yard care, until someone in another country makes the machine with its sharp blades drive onto a person. That is the experiment The Verge journalist Sean Hollister conducted when he checked the findings of ethical hacker Andreas Macris about the Yarbo system.

Hollister lay on the ground in front of an autonomous lawn mower, and Macris, in Germany, remotely took control of it. The machine jerked forward, drove onto the journalist's chest and could have cut into his body with its blades if the researcher had not stopped the command in time. Hollister was not injured, but the demonstration showed the main problem: Internet-connected equipment with physically dangerous mechanisms requires a higher level of security than an ordinary smart kettle.

Macris claims he was able to control all Yarbo robots because the machines were “completely unprotected.” According to the researcher, even pressing the emergency stop button did not guarantee a stop, since a remote operator could send a new command and turn the robot on again. The most alarming detail concerned the root password: all Yarbo devices had the same one.

In this scenario, an attacker could gain access not to one lawn mower but to a whole network of robots. Macris has mapped more than 11,000 Yarbo devices around the world, in effect showing a global network of connected machines that drive around private plots and work with blades. The possible consequences are not limited to petty sabotage such as damaging a neighbor's lawn. Taking over control opens the way to injuries, surveillance, theft of equipment and the collection of sensitive data.

The physical threat was not the only one. Macris showed that the vulnerabilities he found expose owners' email addresses, Wi-Fi passwords and the GPS coordinates of their homes. Simply changing the root password did not solve the problem either: after a firmware update, Yarbo reset the password to the default value. According to the researcher, remote access was built in intentionally, was deployed automatically on each robot, could not be turned off by the owner and was restored after removal.

Macris published the results after his warnings to Yarbo produced no response. The company insisted that the robots remain “fully protected” and are “extremely controlled” by the owners. After The Verge's publication, Yarbo's position began to change. A company spokesman said the developers had found a fix for at least one problem and were preparing additional security improvements.

The Yarbo story looks like an almost caricatured version of a risk that security experts have long discussed: the more “smart” devices gain motors, cameras, GPS and a constant network connection, the less right manufacturers have to weak protection. A bug in a light-bulb app is annoying. A bug in a robot with blades can drive right up to its owner.
 