Yarbo Disables Remote Access After Hackers Expose Lawn Mower Security Flaw
Yarbo has shut down the remote access feature on its fleet of robotic lawn mowers after security researcher Andreas Makris showed he could take control of the devices from nearly 6,000 miles away. The vulnerability affects around 11,000 Yarbo robots worldwide—each costing $5,000—and reveals a chain of security failures that let an attacker completely commandeer the machines.
The problem lies in how Yarbo built its remote access system. Every robot shipped from the factory with the same root password (think of this as a master key to the entire device), and that password was stored in easy-to-find locations on the device's filesystem. Because the robots connect to the internet through both Wi-Fi and cellular networks, an attacker who discovered this password could access them from anywhere in the world.
Makris's research showed that once inside a robot, an attacker could access the onboard cameras used for navigation, bypass the emergency stop button, and even command the blades to activate remotely. Yarbo confirmed his findings and issued a public apology, acknowledging that these were not one-off mistakes but rather gaps in how the company designed security from the start.
What Yarbo's Robots Actually Do
Yarbo's platform is modular—the same base unit can be equipped with different attachments to mow lawns, blow snow, or clear leaves. The lawn mower version has dual cutting discs that can handle properties up to 6 acres and slopes as steep as 35 degrees, with cutting heights adjustable from 1.2 to 4.0 inches.
Each robot weighs about 200 pounds and runs a full Linux system (Linux is the core software powering many phones, servers, and IoT devices) with onboard cameras, wireless radios, and integration with a smartphone app. The robots can handle up to 150 separate mowing zones and use GPS to navigate autonomously across large yards. In winter, the snow blower attachment can throw snow up to 40 feet across a 21-inch path.
All this functionality means the robots need constant internet connections through Wi-Fi and cellular modems so owners can monitor and control them remotely via a mobile app. But more connectivity also means more potential doors that a hacker could try to open.
The Core Security Problem
Yarbo took a shortcut with how it handles remote maintenance and support. The company embedded the same master password—the "root" credentials that control everything on a Linux system—into every single robot it sold. This made troubleshooting easier for Yarbo's support team, but it meant that once a hacker discovered the password, they held the keys to 11,000 devices.
With root access, an attacker doesn't just control the mower itself. They can also snoop on a home's Wi-Fi network, install hidden software, or even rope the robot into a botnet—a network of hacked devices used to carry out large-scale attacks elsewhere on the internet.
The fact that attackers could disable the emergency stop button is particularly concerning. That button exists to prevent injury or damage if something goes wrong. Combine that with the ability to remotely activate the cutting blades, and a compromised robot becomes a potential safety hazard in someone's yard.
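A fleet-side check for the shared-credential failure described above, added here as an illustration and not taken from Yarbo or from Makris's research: it compares the password fields from several devices' /etc/shadow files and flags any account whose salted hash is identical across units, plus accounts with no password at all. The device IDs, hashes, and the assumption that the credential sits in /etc/shadow are constructed for the example; the article does not say where Yarbo stored the password.

```python
from collections import defaultdict

# Constructed sample data: /etc/shadow contents from three device images.
# Device IDs, salts and hashes are made up for illustration.
SAMPLE_FLEET = {
    "unit-0001": "root:$6$fixedsalt$AAAAhashAAAA:19000:0:99999:7:::\ndaemon:*:19000:0:99999:7:::\n",
    "unit-0002": "root:$6$fixedsalt$AAAAhashAAAA:19000:0:99999:7:::\nsupport::19000:0:99999:7:::\n",
    "unit-0003": "root:$6$uniq0003$BBBBhashBBBB:19000:0:99999:7:::\ndaemon:*:19000:0:99999:7:::\n",
}

def parse_shadow(text):
    """Yield (user, password_field) for each well-formed shadow line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]

def is_locked(pw_field):
    """'*' or a leading '!' means password login is disabled for the account."""
    return pw_field == "*" or pw_field.startswith("!")

def audit_fleet(fleet):
    """Return (shared, empty): credentials reused across devices, and
    accounts whose password field is empty (login without a password)."""
    seen = defaultdict(set)  # (user, salted hash) -> device ids
    empty = []
    for device, text in fleet.items():
        for user, pw in parse_shadow(text):
            if pw == "":
                empty.append((device, user))
            elif not is_locked(pw):
                # Identical salt AND hash on two units means the entry was
                # baked into a common image, not provisioned per device.
                seen[(user, pw)].add(device)
    shared = {key: sorted(devs) for key, devs in seen.items() if len(devs) > 1}
    return shared, sorted(empty)

if __name__ == "__main__":
    shared, empty = audit_fleet(SAMPLE_FLEET)
    for (user, _), devices in shared.items():
        print(f"SHARED credential for '{user}' on {len(devices)} devices: {devices}")
    for device, user in empty:
        print(f"EMPTY password for '{user}' on {device}")
```

The comparison only catches byte-identical entries; a password reused with a different salt on each unit would pass this check and has to be ruled out in the provisioning process itself.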
What Yarbo Is Doing Now
Yarbo has temporarily disabled remote access across its entire robot fleet while its engineers work on fixes. The company has promised to add logging systems so it can track when the remote backdoor is being used, though it hasn't said whether it will completely eliminate hardcoded passwords or simply change them periodically.
For now, Yarbo owners have lost access to smartphone app features and cloud-based monitoring. The company hasn't provided a clear timeline for when these capabilities will return.
The broader context here is that this kind of vulnerability has appeared before in consumer robotics—early robotic vacuums, smart security cameras, and other IoT devices have fallen into the same trap of shipping with weak or identical passwords. It's a pattern I've watched unfold over the past decade: companies build powerful, internet-connected devices without thinking hard enough about security from the beginning.
Yarbo's $5,000 price point puts these robots in the premium market, where buyers reasonably expect enterprise-grade security measures. The discovery that the company didn't implement the basics—unique credentials for each device—raises questions about the gap between what customers assume they're getting and what they actually have.
The temporary loss of remote features also creates a practical problem worth noting: owners who depend on automated snow clearing in winter may need to find other solutions while Yarbo works on fixes. And unlike smartphone makers or software companies, which have long experience managing security problems, hardware manufacturers often lack the infrastructure to push out security updates quickly or communicate clearly with users when something goes wrong.
Looking at the bigger picture, the Yarbo incident points to a real challenge as robotic devices become more common in homes and yards. These machines operate without direct human supervision, have access to private property, and sit on residential networks. When they're designed without strong security practices in mind, they can become vectors for attacks—both against the homes they're placed in and potentially beyond.
The scale matters too. Eleven thousand devices is substantial for a specialized product category. While that's tiny compared to a smartphone vulnerability affecting millions, the physical nature of lawn mowers—they move around, they have blades, they operate unsupervised—creates a different kind of risk that we don't yet fully understand how to manage.
As robotic assistants become more prevalent in residential settings, the security approaches companies adopt today will shape whether consumers trust these devices in the future and how regulators think about them. This incident suggests the industry has more work to do.


