
Why Your Robot Lawn Mower Could Be Remotely Hijacked

By Martin Holloway. Published 5d ago. 6 min read. Based on 11 sources.

Security researchers have found serious weaknesses in Yarbo's $5,000 autonomous lawn mowers. These flaws allow attackers from anywhere in the world to take control of the 200-pound robots, access personal information stored on them, and extract homeowners' Wi-Fi passwords. The vulnerabilities put both physical safety and home network security at risk.

The Same Password Problem

Every Yarbo mower ships with the same hardcoded root password, a master key that opens every unit of the model. Once an attacker recovers that one password, every Yarbo unit in the world is open to them. A security researcher named Makris proved this by remotely controlling a Yarbo mower from nearly 6,000 miles away. Distance is irrelevant when the flaw sits in software that is reachable over the internet.

The damage extends further than just remote steering. Once inside, attackers can watch live camera feeds, harvest the homeowner's email address and Wi-Fi credentials, and pinpoint the exact home location through GPS data stored on the robot. Yarbo initially claimed the robot's diagnostic tools weren't accessible to outsiders, but researchers showed they were wide open.
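The fleet-wide failure described above is easy to check for once firmware images are in hand. The following is an added example, not code from Yarbo or from the researchers: it parses the /etc/shadow file extracted from several device images (constructed sample data here, with invented placeholder hashes) and flags the condition that makes one cracked password a master key, namely the same root hash, salt included, on every unit. It also flags empty passwords and legacy hash types. Note the caveat in the comments: differing hashes do not prove the passwords differ, only that the build did not bake one fixed hash into every image.

```python
"""Audit extracted firmware images for a shared root credential.

Added example for this article; not Yarbo's or the researchers' code.
Input is modelled as {device_id: contents of /etc/shadow}. The shadow
contents and hash strings below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample: four "devices" whose /etc/shadow was pulled from
# firmware dumps. Units A, B and C carry an identical root entry (same salt,
# same hash), which can only happen if the image was built with one fixed
# password. Unit D has a per-device root hash but an empty guest password.
FIRMWARE_SHADOW = {
    "unit-A": "root:$6$fixedsalt$PLACEHOLDERHASH:19000:0:99999:7:::\n"
              "daemon:*:19000:0:99999:7:::\n",
    "unit-B": "root:$6$fixedsalt$PLACEHOLDERHASH:19000:0:99999:7:::\n"
              "svc:!:19000:0:99999:7:::\n",
    "unit-C": "root:$6$fixedsalt$PLACEHOLDERHASH:19000:0:99999:7:::\n",
    "unit-D": "root:$6$uniqsaltD$OTHERPLACEHOLDER:19000:0:99999:7:::\n"
              "guest::19000:0:99999:7:::\n",
}


def parse_shadow(text):
    """Return {username: password_field} for one /etc/shadow file."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than guess
        users[fields[0]] = fields[1]
    return users


def classify_hash(pw):
    """Classify a shadow password field by its crypt(3) prefix."""
    if pw == "":
        return "empty"            # login with no password at all
    if pw.startswith(("*", "!")):
        return "locked"           # account disabled, no password login
    if pw.startswith("$6$"):
        return "sha512crypt"
    if pw.startswith("$5$"):
        return "sha256crypt"
    if pw.startswith(("$y$", "$7$")):
        return "yescrypt"
    if pw.startswith("$2"):
        return "bcrypt"
    if pw.startswith("$1$"):
        return "md5crypt"         # fast, obsolete
    if len(pw) == 13 and "$" not in pw:
        return "descrypt"         # 8-char max password, trivially brute-forced
    return "unknown"


def audit_fleet(images):
    """images: {device_id: shadow_text}. Returns a list of finding dicts."""
    findings = []
    root_by_field = defaultdict(list)  # full root password field -> devices
    for dev, text in images.items():
        users = parse_shadow(text)
        for user, pw in users.items():
            kind = classify_hash(pw)
            if kind == "empty":
                findings.append({"device": dev, "user": user, "issue": "empty password"})
            elif kind in ("md5crypt", "descrypt"):
                findings.append({"device": dev, "user": user, "issue": f"weak hash ({kind})"})
        root = users.get("root")
        if root is not None and classify_hash(root) != "locked":
            root_by_field[root].append(dev)
    # Identical salt+hash on more than one unit means the same password was
    # fixed at build time: crack it once and every listed device opens.
    # Caveat: different hashes do NOT prove different passwords; per-device
    # salts can still wrap one shared secret. Proving that needs cracking.
    for field, devs in root_by_field.items():
        if len(devs) > 1:
            findings.append({"device": sorted(devs), "user": "root",
                             "issue": "shared root hash across fleet"})
    return findings


if __name__ == "__main__":
    for f in audit_fleet(FIRMWARE_SHADOW):
        print(f)
```

Run against real images, point `FIRMWARE_SHADOW` at the shadow files unpacked from each dump; any "shared root hash across fleet" finding is exactly the master-key condition the article describes.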

A Robot Running Over a Reporter

The real-world danger became visible during a live demonstration. A security researcher, working with a reporter, hijacked a Yarbo mower and drove it toward the journalist, nearly running the reporter over, to show how serious the threat is. A 200-pound machine with spinning blades, under someone else's control, turns a software bug into a physical hazard.

The hijacked robots also serve as a gateway into your home network. An attacker could reprogram a compromised mower to probe other connected devices—your smart speakers, cameras, or thermostats—or use it as part of a botnet, a collection of hacked machines used to launch large-scale cyberattacks.

This Pattern Repeats Across Robot Makers

Yarbo isn't alone. Other lawn mower companies have had similar problems. Researchers recently used AI tools to find vulnerabilities in a Hookii autonomous mower and uncovered security flaws affecting more than 267 connected devices, work that would have taken months to do by hand just a few years ago.

ECOVACS, another major robot lawn mower brand, has faced parallel security issues. Its Goat G1 mower stored anti-theft PIN codes in plain text, where anyone with access to the device's storage could read them. A thief who steals the mower could simply copy that PIN and disable the anti-theft feature. Researchers at Def Con 2024 demonstrated how they could hijack home vacuums and lawn mowers using malicious Bluetooth signals. ECOVACS initially dismissed the flaws as unlikely in "typical user environments," but the researchers showed remote exploitation was entirely possible.
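The plain-text PIN problem is worth seeing alongside the fix, and the fix has a caveat the article does not spell out. The following is an added example, not ECOVACS code and not a description of how the Goat G1 actually stores its PIN: it contrasts a plain-text record with a salted PBKDF2 record, then shows that hashing alone does not protect a four-digit PIN, because the whole space of 10,000 candidates can be tried offline in seconds. The last part adds the control that actually matters for a short secret, an attempt counter with lockout. The iteration count, PIN value and `PinVerifier` name are choices for this example, not values from any product.

```python
"""Anti-theft PIN at rest: plain text vs salted hash, and why the hash
alone is not enough for a 4-digit PIN.

Added example for this article; not ECOVACS code. ITERATIONS is kept low so
the brute-force demonstration runs quickly; production would use far more,
but the conclusion does not change for a 10^4 keyspace.
"""
import hashlib
import hmac
import os

ITERATIONS = 1_000      # example value; real deployments use 100k+
PIN_SPACE = 10_000      # every 4-digit PIN from 0000 to 9999


def store_pin_plaintext(pin):
    """The weak design: whoever reads the flash reads the PIN."""
    return {"scheme": "plain", "pin": pin}


def store_pin_hashed(pin, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record; salt is per device, random."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest}


def check_pin(record, candidate):
    """Constant-time comparison against either record type."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["pin"].encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(record["digest"], digest)


def brute_force_pin(record):
    """Recover a 4-digit PIN from a stolen record by trying all 10,000.

    With the record in hand (a thief has the device), nothing limits the
    attacker's guess rate, so the hash only slows recovery to seconds or
    minutes. Returns the PIN, or None if it is not 4 digits.
    """
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if check_pin(record, guess):
            return guess
    return None


class PinVerifier:
    """The control that protects a short PIN: limit online attempts.

    Guessing must go through the device's own verifier, which locks after
    max_attempts failures. The stored record alone is still brute-forceable,
    so the secret must not be recoverable from flash in the first place
    (hashing), and attempts at the verifier must be capped (this class).
    """

    def __init__(self, record, max_attempts=5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_attempts

    def verify(self, candidate):
        if self.locked:
            return False            # no further guesses accepted
        if check_pin(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    rec = store_pin_hashed("0420")
    print("recovered from stolen record:", brute_force_pin(rec))
    v = PinVerifier(rec)
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        v.verify(guess)
    print("locked after 5 wrong guesses:", v.locked,
          "; correct PIN now accepted:", v.verify("0420"))
```

The takeaway is the order of defenses: hashing stops a casual read of the flash, which is the Goat G1 flaw as reported, but a four-digit secret cannot survive an offline guess against a stolen record, so the PIN check must also be rate limited on the device itself.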

How Companies Are Responding

Yarbo says it is working on a fix for at least one of the vulnerabilities. This is a familiar pattern: security problems get patched only after researchers publicly disclose them and force the company's hand. The traditional approach of fixing problems after launch doesn't work well for machines that can physically harm people.

In contrast, John Deere operates a dedicated Digital Security Center and runs cybersecurity programs that include recruiting college students to study security. This effort reflects what happens when a company has been shipping connected equipment into mission-critical environments for decades—they learned the hard way that security must be built in from the start, not bolted on later.

Having reported on technology for over 30 years, I have watched this cycle repeat: new consumer technology arrives, security gets overlooked during the rush to market, and vulnerabilities surface months or years later. What has changed is the speed. AI-powered vulnerability research now compresses what used to take months into hours or days.

What This Means for the Robotics Industry

The Yarbo case points to deeper problems in how some robotics companies build autonomous machines. The shared root password decision suggests engineering teams prioritized getting products to market quickly over following basic security principles. When all devices run the same master password, breaking into one machine scales to breaking into the entire fleet instantly.

The data theft aspect adds another risk layer. Beyond the danger of a hijacked mower running loose in your yard, stolen Wi-Fi credentials and home location data create security problems that extend well beyond the mower itself. A homeowner would need to change network passwords and check whether those same credentials were used elsewhere.

As robot mowers and vacuums become more common in homes, the potential for coordinated attacks grows. A hacker could theoretically commandeer hundreds or thousands of mowers at once. Earlier generations of consumer technology didn't raise these stakes because they couldn't move, couldn't access your network, or didn't have the same design flaws. Autonomous machines with blades and network access change the equation.

The industry needs to treat security as part of the design, not as something to patch later. When software bugs can translate into physical harm, the traditional approach of updating devices after they ship falls short. This is especially true for autonomous machines running in people's homes, where the stakes are highest.