A hacker ran me over with a robot lawn mower

Forget robovacs — Yarbo’s bladed robots are an even bigger security nightmare.

I’m lying in the dirt. It’s coming for me. Then, with a lurch, it’s climbing up my chest. If Andreas Makris doesn’t stop the 200-pound robot lawn mower in time, it could drag its blades across my body.

Makris certainly can’t reach over and hit the emergency stop button — he’s nearly 6,000 miles away, having hacked this robot from the other side of the planet to demonstrate the gaping security holes in Yarbo’s robot lawn mowers. And I’ve made the questionable decision of lying down in the mower’s path — to see just how far Makris, the security researcher who discovered those flaws, is able to push the mower.

By the time the mower touches my body, Makris has already proven his point: the $5,000 robot lawn mowers from Yarbo have such ridiculous security vulnerabilities that a foreign hacker can easily hijack a bladed gadget in the United States. And not just one. Thousands upon thousands of bladed Chinese robots at his beck and call. Every Yarbo robot around the world, whether configured to churn through grass, snow, or weeds, is theoretically reporting to him now.

“I can do whatever I want with all the bots,” Makris tells The Verge. “It’s completely unsecured.”

And believe it or not, remote control is just the tip of the iceberg.

Like Sammy Azdoufal, who made headlines worldwide when The Verge exclusively revealed how he made thousands of DJI Romo robot vacuum cleaners identify themselves and begin following his commands, Makris discovered that Yarbo’s robots do much the same thing. If you have access to one robot, you have access to them all.

But these robots have blades — and hackers can use the robot’s built-in commands to override its safety features. Even if you press that big red emergency stop button on the mower itself, a hacker can send another command to unlock it, Makris says.

And because the Yarbo is a full Linux computer, one with its own backdoor and a root password that is the same on every unit, hackers could remotely reprogram it to do anything: spin up the blades, probe your home network, or turn your robot into part of a botnet to harass targets on the internet.

Founded in 2015 as a robot snowblower company, Yarbo sells all-in-one yard robots with modular attachments that let it become a lawn mower, leaf blower, snowblower, trimmer, and edger. Each attachment is pushed or pulled by the same “core” robot, which uses tank treads to drive and climb — which is why all of them may be vulnerable to hackers.

Makris begins by showing me a vibe-coded map with the locations of ostensibly every Yarbo robot in the United States and Europe, around 5,400 devices. (He’s tracking over 11,000 of them worldwide.) Then, as I watch his video stream, he presses a button to take control of a robot in upstate New York.

This robot was already mowing a field, a white house visible in the background. But we interrupt its regularly scheduled programming. Makris drags a little onscreen joystick with his mouse, and I watch as the robot’s camera turns to reflect each of those moves. There’s little to keep him from driving anywhere he likes, spying on this family, figuring out when they come and go.

Similarly, there might be nothing keeping a bad actor from spying on, say, troop movements near a nuclear power plant. Makris has already identified 12 different Yarbo robots within 3 kilometers of a major power plant — one of which is seemingly registered to a nuclear security analyst.

Then, Makris makes my jaw drop yet again: he shows me he can pull owners’ email addresses, their Wi-Fi passwords, and the exact GPS coordinates of their houses. When I look up an address on Google Maps, I see a satellite view of what appears to be the same property we saw through the robot’s cameras.