Hacker Takes Over Robot Lawnmower, Runs Over Innocent Man

"I'm lying in the dirt. It's coming for me."
Frank Landymore
An illustration shows a Yarbo smart lawnmower surrounded by dramatic coloring.
Illustration by Tag Hartman-Simkins / Futurism. Source: Yarbo / Getty

Is building autonomous robots equipped with sharp oscillating blades that roam your front yard a good idea? What about connecting them to the internet?

We’ll tell you what’s definitely a bad idea: leaving these machines painfully vulnerable to hackers.

Just ask Sean Hollister, a reporter for The Verge, who suddenly found himself on the, uh, verge of experiencing a grisly incident after someone took control of his Yarbo robot lawn mower.

“I’m lying in the dirt. It’s coming for me. Then, with a lurch, it’s climbing up my chest,” Hollister wrote in a riveting new piece for the outlet. “If Andreas Makris doesn’t stop the 200-pound robot lawn mower in time, it could drag its blades across my body.”

Hollister, fortunately, wasn’t harmed in the making of this article. Makris, a white hat hacker nearly 6,000 miles away in Germany, merely wanted to prove a point.

“I can do whatever I want with all the bots,” Makris told The Verge. “It’s completely unsecured.”

Even if someone pressed the emergency stop button, he added, a hacker like himself could send another command to turn it back on.

Alarmingly, the Yarbo robots all had the same root password, Makris found. In theory, a black hat hacker who discovered this vulnerability could seize control of an entire army of Yarbo robots, since the security flaw is present in all of them. In fact, Makris created a map that showed the locations of over 11,000 Yarbo robots across the world, forming a global smart lawnmower panopticon.

That raises the possibility of all kinds of havoc. Perhaps someone could pull off an impressively petty act of sabotage against a nemesis neighbor, or start creating crop circles around the country to stoke an old-fashioned UFO panic. Or they could use it to seriously harm someone or spy on them. Maybe they could even steal the autonomous lawnmowers. In any case, it’s not something that should be happening.

The threat isn’t just physical: Makris also demonstrated he could pull robot owners’ email addresses, Wi-Fi passwords, and the GPS coordinates of their houses.

Even changing the root password wouldn’t necessarily protect owners, because every time a Yarbo robot updates its firmware, it resets the root password back to the default, Makris found. And there’s a twist: it appears that this backdoor for remotely accessing the robots was intentionally created by Yarbo.

“It is deployed automatically to every robot, cannot be disabled by the owner, and is actively restored if removed,” Makris told The Verge.

Makris published his findings after his warnings to Yarbo fell on deaf ears. The company insisted that “your Yarbo remains completely secure and under your exclusive control.”

That’s what prompted Hollister to throw himself under one of the autonomous lawnmowers. “As the first hundred pounds of metal, plastic, and far-too-hackable computer pin my body to the ground — and Makris eventually, thankfully, backs off — I realize this science experiment wasn’t quite as safe as I thought,” he wrote.

Thanks to Makris’s perseverance, and perhaps a little help from Hollister’s absurd stunt, Yarbo finally took notice. Though the company initially claimed its robots’ “diagnostic environment is not publicly accessible,” a senior public relations manager told The Verge that it had identified a fix for at least one of the issues, and promised heaps of other improvements to ensure that the roaming blade-wielding machines aren’t sleeper cells in waiting.


Frank Landymore

Contributing Writer

I’m a tech and science correspondent for Futurism, where I’m particularly interested in astrophysics, the business and ethics of artificial intelligence and automation, and the environment.