Here is Yarbo’s promise to fix the robot mower that ran me over

A detailed pledge from the robot lawn mower company.

Yesterday, I told you how a hacker ran me over with a robot lawn mower. We explained how thousands of these bladed Chinese robots, made by Yarbo, could be hijacked with ease — exposing people’s GPS coordinates, Wi-Fi passwords, email addresses, and more to any casual hacker who comes along.

Today, Yarbo has issued a thorough 1,200-word response that you can read in full below. The company is confirming the security researcher’s findings, apologizing, and providing a detailed plan to tackle many of its self-created security issues head-on. Yarbo writes that it’s already temporarily cut off remote access and is addressing many of its most head-smacking issues, like how root passwords were the same for every single robot and were left in easy places for hackers to find.

“In the future, each device will use its own independent credentials to prevent one affected device from impacting the entire fleet,” Yarbo writes. The company says its first wave of security updates should roll out within one week.

Importantly, though, Yarbo is not yet committing to remove the single most troubling thing about these robots. The company writes that it will still have a remote backdoor into Yarbo’s robots, only now one that is “limited to authorized internal company personnel, may only be used after user authorization has been obtained, and will be gradually brought under audit logging.”

To be clear, Yarbo already previously claimed that its remote access was only available to authorized employees; our story proved that was not true. But giving the company the benefit of the doubt: why not remove the tunnel entirely, or make it an opt-in installation? Why do Yarbo’s customers not get to decide whether their robots have a persistent backdoor? I’ve asked the company those exact questions, and we’ll update with its answer.

Yarbo’s statement also tries to suggest that the vulnerabilities we’ve seen are because of “historical” or “legacy” services, implying that perhaps some of the company’s robots were more secure. We’ve asked Yarbo what percent of its robots are on those historical services as opposed to current ones.

Security researcher Andreas Makris, who discovered the vulnerabilities, says he hasn’t yet been able to check whether he can still access them after Yarbo’s changes. It sounds like the company is taking him seriously now, though. “Yarbo has initiated direct communication with me and has taken the positive step of establishing a dedicated security response center. We are currently in discussions regarding the remediation process, and they have assured me that these fixes are their highest priority,” he says.


Here is Yarbo’s full update to customers:

I’m writing this directly because the issues raised in the recent security report deserve a direct response, not a corporate one.

On May 7, 2026, security researcher Andreas Makris published a detailed report identifying serious vulnerabilities in Yarbo’s remote diagnostic, credential management, and data-handling systems. The core technical findings are accurate. I would like to thank Mr. Andreas Makris for his work in identifying these issues and for his persistence in bringing them to our attention. I also recognize that our initial response did not adequately reflect the seriousness of the issues he identified. As co-founder, I’m accountable for what shipped on our products, and I’m accountable for the response.

Our engineering, product, legal, and customer support teams are working on remediation as the highest priority. What follows is my account of what was found, what we’ve already fixed, what we’re actively fixing, and what we’re committing to change in how we operate going forward.

Based on our preliminary review, the issues primarily relate to historical design choices in parts of Yarbo’s remote diagnostic, access management, and data handling systems. Specifically, certain legacy support and maintenance capabilities did not provide users with sufficient visibility or control, and some authentication and credential management mechanisms did not meet the security standards we expect for today’s products.

We have also identified areas where access permissions, backend system configurations, and data flows between devices and cloud services require stronger protections and stricter controls. We recognize the seriousness of these issues and the concerns they may have caused for our customers and community. We sincerely apologize for the impact this situation has created, and we are committed to addressing these issues in a transparent and responsible manner.

We are strengthening system security by reducing legacy access paths, tightening permissions, and moving toward fully auditable device-level credentials. To make our remediation progress clear, we are separating the actions already taken from the work that is currently in progress.

What We Have Already Done / What We Are Working On Now

Historical servers and legacy access channels will continue to be phased out one by one as part of this remediation process. We are also accelerating OTA security updates and additional server-side protections. The first wave of updates is expected to begin rolling out within one week.

Important: A security firmware update is being pushed to all Yarbo devices. To receive this update, please connect your Yarbo to the internet. Once the update has been applied, you may return to your preferred network settings. If you prefer to keep your device offline in the meantime, you may do so without affecting your warranty or service coverage. We will notify you when the update is ready so you can connect.