Yarbo robot lawn mowers exposed in remote hacking demonstration

A security researcher has demonstrated how serious vulnerabilities in Yarbo’s robot lawn mowers could allow a remote attacker to take control of the machines, access sensitive user data and potentially compromise home networks.

The flaws were uncovered by security researcher Andreas Makris and reported by The Verge, which documented a dramatic demonstration involving a 200-pound Yarbo robot mower being controlled from nearly 6,000 miles away. The test showed that the risk was not limited to digital privacy, but extended into the physical world, where connected devices with motors, cameras and blades can become direct safety hazards.

Yarbo sells modular outdoor robots designed to operate as lawn mowers, snowblowers, leaf blowers, trimmers and edgers, using a shared core robot unit. The company was founded in 2015 as a robot snowblower business and markets its devices as high-end, all-in-one yard maintenance machines.

According to Makris’ findings, the security issues potentially affected more than 11,000 Yarbo robots globally. He was reportedly able to map the locations of thousands of devices, access camera feeds, control robot movement and retrieve owner information including email addresses, GPS coordinates and Wi-Fi passwords.

The vulnerabilities were particularly serious because the robots reportedly shared hardcoded root credentials and used remote access mechanisms that owners could not disable. Makris said that even if an owner changed a root password, firmware updates could reset it back to the default, allowing access to be regained.

A public disclosure listed multiple issues, including persistent undocumented backdoor access, hardcoded credentials and open MQTT orchestration without proper access controls in Yarbo robot firmware version 2.3.9.

The physical nature of the product heightened concern. Unlike a hacked camera or smart speaker, a robot mower can move around a property, record surroundings and operate near people, pets and homes. The machines are heavy, mobile and fitted with attachments designed for powerful outdoor work. While the demonstration described by The Verge was controlled and the blades were not spinning, it underscored how insecure connected devices can create risks beyond ordinary data theft.

The case also raises concerns about sensitive locations. Makris reportedly identified Yarbo devices near critical infrastructure, including robots within several kilometres of a major power plant. If an attacker could access camera feeds or location data from devices near sensitive sites, even consumer yard equipment could become a surveillance risk.

Yarbo initially downplayed concerns around remote diagnostic access, but later acknowledged problems and outlined remediation steps. In a public response after the report, the company said it would temporarily shut down remote access, reset root passwords, strengthen backend permissions and move away from shared credentials toward device-level credentials. It also said it planned to introduce more transparent and user-authorised remote diagnostic access.

The company has also said it is launching a dedicated security response centre, considering a bug bounty program and preparing over-the-air updates to address the issues. Yarbo co-founder Kenneth Kohlmann took responsibility in the company’s public response and said the company would work toward stronger long-term security.

However, concerns remain because Yarbo’s response reportedly stops short of eliminating remote access entirely. Security researchers have warned that remote diagnostic tools can be useful for customer support, but only if they are transparent, tightly controlled, revocable and properly audited.
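The three design points the article touches on, shared credentials and open MQTT orchestration in the disclosure above, the move to device-level credentials in Yarbo's stated remediation, and the researchers' call for remote diagnostics that are user-authorised, revocable and tightly scoped, can be made concrete in a small authorisation model. The following is an added example written for this page, not Yarbo's code or its broker configuration; every identifier, topic name and secret in it is constructed. It contrasts a broker that accepts one fleet-wide secret (so any client that holds it can reach any robot's topics) with one that issues per-device credentials, confines each robot to its own topic namespace, and lets a support account reach a robot's diagnostics only through an owner-approved, time-limited grant that the owner can revoke.

```python
"""Toy model of MQTT topic authorisation for a robot fleet.

Added example, not Yarbo's code. Contrasts a broker that accepts one
fleet-wide shared secret with one that uses per-device credentials, a
per-device topic ACL, and owner-approved, time-limited, revocable support
access to a robot's diagnostics topics. All names and secrets are constructed.
"""
import hmac
from dataclasses import dataclass, field


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT-style match: '+' matches exactly one level, '#' matches the rest."""
    p_parts, t_parts = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_parts):
        if p == "#":
            return True
        if i >= len(t_parts) or (p != "+" and p != t_parts[i]):
            return False
    return len(p_parts) == len(t_parts)


@dataclass
class Broker:
    per_device: bool                      # False: one shared fleet secret; True: per-device credentials
    shared_secret: str = "fleet-secret"   # constructed; only consulted when per_device is False
    device_secrets: dict = field(default_factory=dict)   # device_id -> secret
    support_secrets: dict = field(default_factory=dict)  # support_id -> secret
    grants: dict = field(default_factory=dict)           # device_id -> (support_id, expires_at)

    def enroll_device(self, device_id: str, secret: str) -> None:
        self.device_secrets[device_id] = secret

    def enroll_support(self, support_id: str, secret: str) -> None:
        self.support_secrets[support_id] = secret

    def authenticate(self, client_id: str, secret: str) -> bool:
        """Shared mode: anyone holding the fleet secret is accepted under any client id.
        Per-device mode: the secret must belong to that specific client id."""
        if not self.per_device:
            return hmac.compare_digest(secret, self.shared_secret)
        expected = self.device_secrets.get(client_id) or self.support_secrets.get(client_id)
        return expected is not None and hmac.compare_digest(secret, expected)

    def grant_support(self, device_id: str, support_id: str, owner_approved: bool,
                      now: float, ttl: float) -> bool:
        """Record an owner-approved diagnostic grant that expires at now + ttl."""
        if not owner_approved:
            return False                      # no silent, unapproved remote access
        if device_id not in self.device_secrets or support_id not in self.support_secrets:
            return False
        self.grants[device_id] = (support_id, now + ttl)
        return True

    def revoke_support(self, device_id: str) -> None:
        """Owner-initiated revocation takes effect immediately."""
        self.grants.pop(device_id, None)

    def authorize(self, client_id: str, action: str, topic: str, now: float = 0) -> bool:
        """action is 'publish' or 'subscribe'. Returns True if the topic is permitted."""
        if not self.per_device:
            return True                       # open orchestration: once in, every topic is reachable
        if client_id in self.device_secrets:
            # A robot may only touch its own namespace, e.g. robots/<id>/telemetry/gps
            return topic_matches(f"robots/{client_id}/#", topic)
        if client_id in self.support_secrets and action == "subscribe":
            parts = topic.split("/")
            if len(parts) >= 3 and parts[0] == "robots":
                grant = self.grants.get(parts[1])
                return (grant is not None
                        and grant[0] == client_id
                        and now < grant[1]    # grant has not expired
                        and topic_matches(f"robots/{parts[1]}/diagnostics/#", topic))
        return False
```

In the shared-secret broker the authentication step cannot tell robots apart, so the ACL has nothing to scope to and a single leaked credential reaches every device's camera and control topics. In the per-device broker the same request from robot-0001 for robot-0002's camera feed is refused at authorisation, a support account is read-only, limited to the diagnostics subtree, and only valid while an owner-approved grant is unexpired and unrevoked. A real deployment would put the secrets in a broker password file and the patterns in its ACL file rather than in memory, but the decision logic is the same.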

The Yarbo case is the latest example of the growing risks surrounding Internet of Things devices. Connected gadgets are increasingly entering homes with cameras, microphones, sensors, motors and cloud access, but many are built with security practices that lag behind their physical capabilities.

For consumers, the incident is a reminder that convenience devices should not automatically be trusted. Smart appliances, robot vacuums, cameras, doorbells, lawn mowers and other connected products may collect sensitive information and interact with the physical environment. Poorly secured devices can expose private networks, location data and household routines.

For manufacturers, the lesson is more direct: security cannot be treated as an afterthought, especially when a device can move, see, record or cause physical harm. Hardcoded credentials, undocumented backdoors and non-revocable remote access are not minor design flaws. In a connected product with real-world force, they can become safety issues.

The incident also shows how the boundary between cybersecurity and physical safety is disappearing. A hacked robot mower is not only a compromised computer. It is a compromised machine in someone’s yard.

Photo Credit: DepositPhotos.com
