Risky robots: German researcher exposes 11,000 robot lawnmowers that could be hacked and controlled worldwide

A German security researcher has exposed a serious set of vulnerabilities in Yarbo’s internet-connected robot lawnmowers, showing that the machines could be remotely accessed and controlled from anywhere in the world. In a live demonstration reported by The Verge, Andreas Makris was able to steer a Yarbo unit from nearly 6,000 miles away, with the reporter even lying in the mower’s path to show how dangerous the flaw could be. The investigation said the problem affected more than 11,000 devices globally and raised alarms not just about privacy, but about physical safety, because the robots carry spinning blades and can operate autonomously in people’s yards.

How hackers could remotely control thousands of robot lawnmowers

Makris’ findings centred on a cluster of weaknesses in Yarbo’s remote diagnostic, credential management, and data-handling systems. The researcher found that the robots shared the same hardcoded root password, while the firmware also included a backdoor that could be used for remote access. Reports said the devices could be made to spin up their blades, probe a home network, and potentially be folded into a botnet.

The risk was not limited to digital access. Makris could reportedly pull owners’ email addresses, Wi-Fi passwords, and the exact GPS coordinates of their homes from the system, while also accessing camera feeds. That meant a compromised mower could become both a surveillance device and a physical hazard. A live demonstration showed a remotely controlled robot moving towards a reporter, underscoring how an ordinary yard machine could become dangerous if the security flaws were exploited.

The scale of the exposure

Makris was reportedly tracking more than 11,000 Yarbo devices worldwide, with around 5,400 mapped across the United States and Europe at the time of the demonstration. Reports also noted that the company sells modular yard robots capable of operating as a lawn mower, leaf blower, snowblower, trimmer, or edger, all powered by the same core machine. That architecture meant the vulnerabilities could potentially affect multiple products across Yarbo’s lineup.

The CVEs explain the technical risks

The disclosure was backed by multiple officially tracked security vulnerabilities. According to the US National Vulnerability Database, one flaw involved a hidden backdoor inside Yarbo’s firmware that could allow remote access to the robot without proper authentication. Researchers said the backdoor could not be disabled through normal user settings and would remain active even after factory resets or software updates.

Another vulnerability involved the mower’s MQTT communication system, which reportedly allowed anonymous connections without proper security restrictions. In simple terms, someone on the same network could potentially intercept sensitive data or send commands directly to the robot.

A separate security advisory also revealed that Yarbo devices reportedly used the same built-in administrator username and password across all machines. Researchers said users could not permanently change or remove these credentials, meaning anyone who discovered them could potentially gain deep access to the mower’s internal systems and remote management controls.
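To show what an "anonymous connection" looks like on the wire, the following added example (not from the article, the researcher, or Yarbo) parses MQTT CONNECT packets and flags a session that a broker accepted without credentials. It assumes MQTT 3.1.1 framing, which the article does not specify; all packets, client IDs and function names are constructed for illustration.

```python
import struct

def _field(data: bytes) -> bytes:
    """Length-prefixed field as used in MQTT headers and payloads."""
    return struct.pack(">H", len(data)) + data

def build_connect(client_id: bytes, username=None, password=None) -> bytes:
    """Constructed MQTT 3.1.1 CONNECT packet (sample input only, body < 128 bytes)."""
    flags, payload = 0x02, _field(client_id)          # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _field(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _field(password)
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    return bytes([0x10, len(body)]) + body

def parse_connect(packet: bytes) -> dict:
    """Extract the credential flags from a CONNECT packet."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos, shift = 0, 1, 0
    while True:                                       # variable-length "remaining length"
        if pos >= len(packet) or shift > 21:
            raise ValueError("malformed remaining length")
        byte = packet[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + length]
    if len(body) != length or len(body) < 2:
        raise ValueError("truncated CONNECT packet")
    (name_len,) = struct.unpack_from(">H", body, 0)
    if len(body) < name_len + 4:
        raise ValueError("truncated variable header")
    flags = body[name_len + 3]                        # connect flags follow the protocol level
    return {"has_username": bool(flags & 0x80), "has_password": bool(flags & 0x40)}

def anonymous_session_accepted(connect: bytes, connack: bytes) -> bool:
    """True when a credential-less CONNECT was answered with CONNACK return code 0."""
    if len(connack) != 4 or connack[0] != 0x20 or connack[1] != 2:
        raise ValueError("not an MQTT 3.1.1 CONNACK packet")
    return not parse_connect(connect)["has_username"] and connack[3] == 0

# Constructed sample traffic: one anonymous client, one authenticated client.
ANON = build_connect(b"constructed-client-01")
AUTHED = build_connect(b"constructed-client-02", b"svc", b"constructed-secret")
CONNACK_OK, CONNACK_DENIED = bytes([0x20, 2, 0, 0]), bytes([0x20, 2, 0, 5])
```

A broker that enforces authentication answers the credential-less CONNECT with a non-zero return code (5 is "not authorized"), so `anonymous_session_accepted` only fires on the accepted case.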

How Yarbo responded

Yarbo later acknowledged the problem in an official update and said the core technical findings were accurate. The company said it had temporarily cut off remote access and was working on remediation, including stronger access controls, improved authentication, greater user visibility over remote diagnostic features, and the reduction of unnecessary legacy support mechanisms. The Verge’s follow-up report said Yarbo had also apologised and created a dedicated security response centre.

What users of connected devices should take from this

The incident shows why owners should be cautious about devices that depend on cloud access and remote diagnostics. For robot lawnmowers and other IoT products, the safest approach is to keep firmware updated, review remote-access settings, isolate devices on separate home networks where possible, and pay attention to vendor security disclosures. In Yarbo’s case, the official response suggests that some remediation is underway, but the disclosure itself shows how quickly convenience can turn into exposure when security is bolted on too late.
