- Thousands of Yarbo lawnmowers exposed identical passwords across homes worldwide
- Researchers remotely hijacked a 200-pound mower outside a family residence
- GPS locations and WiFi passwords leaked from vulnerable robotic lawnmowers
Security researcher Andreas Makris has uncovered a serious flaw in the Yarbo robotic lawnmowers that allowed remote access using identical default administrator credentials across thousands of units.
These autonomous machines, equipped with cameras, GPS, and AI mapping, operate worldwide in over 30 countries without constant human oversight.
Makris demonstrated the vulnerability by accessing owner email addresses, Wi-Fi passwords, exact GPS locations, and plotted a live map showing more than 11,000 devices globally.
Linux Devices waiting to be weaponised
Yarbo mowers run on Linux systems connected to the internet, functioning much like exposed computers.
Hackers could theoretically activate blades remotely, scan nearby networks, or assemble the devices into a botnet for larger attacks.
Makris noted that units operating near critical sites, such as a major power plant, amplifies potential risks to infrastructure.
The danger of this vulnerability was showcased during a live test for The Verge, seizing control of a 200-pound mower operating outside a family home in upstate New York.
“The robot’s camera turns to reflect each of those moves,” the report noted, warning: “There’s little to keep him from driving anywhere he likes, spying on this family.”
Reporter Sean Hollister lay in the mower’s path from Germany, roughly 6,000 miles away, to test Yarbo’s prior security claims.
The experiment exposed how easily an outsider could command the device, overriding local controls without detection.
Unfortunately, regular firmware updates failed to resolve the core issue, as they reportedly reset devices to the same weak default passwords.
Simple password changes alone cannot address the deeper architectural problems in these networked robots.
Made in China, headquartered in New York
Yarbo operates publicly from Ronkonkoma, New York, but traces back to Hanyang Tech in Shenzhen, China, a dual identity which has sparked scrutiny amid the security lapse affecting devices sold internationally.
The revelation prompted Makris to release his findings, including official CVE disclosures, before Yarbo fully patched the issues.
Critics question whether geographic ties influence the persistence of manufacturer access features in consumer hardware.
Yarbo co-founder Kenneth Kohlmann acknowledged the flaws in a statement accessible mainly via VPN outside the US.
The company disabled remote diagnostic tunnels, reset root passwords, and restricted unauthenticated entry points.
They also shifted from shared passwords to device-specific credentials and promised an allowlist-based diagnostic model with audits.
However, neither Makris nor Hollister found these measures convincing. The company stopped short of removing manufacturer remote access entirely, instead promising tighter controls and audit logging.
“It controversially retains an internal backdoor,” Hollister said in an assessment of the measures taken so far.
That decision has fuelled wider concerns about smart devices with persistent backdoor‑style access whose manufacturer has refused to close hidden access points.
Via Cybernews
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
