Yarbo’s robot mower: a backdoor in your backyard

Yarbo smart mowers were found to have a built-in remote access loophole with identical passwords across all devices. A security researcher managed to completely hijack a mower, and could even force it to… run over its owner.

The unpatchable backdoor in Yarbo robot mowers

If machines ever rise against humans, which smart appliance do you think you should fear most? Your blender, your smart kettle, or maybe your robot vacuum cleaner? My money is on… robot lawn mowers — and I bet that after reading this post, you’ll be eyeing them suspiciously too. This story covers the recent findings of independent security researcher Andreas Makris, who was tracking six thousand Yarbo mowers when his study was published. Even worse, if he wanted to, he could take total control of any unit: boot it up, steer it remotely, snap photos with the built-in camera, and plenty more. Read on to find out exactly how he pulled it off.

What exactly are Yarbo robot mowers?

Calling a Yarbo device a mere lawn mower doesn’t really do it justice. In reality, these high-tech machines are autonomous mini-tractors built to tackle a wide range of chores. Beyond just cutting grass, they can clear snow, blow away fallen leaves, haul heavy loads, patrol your property, and more. And to handle all these different outdoor tasks, the manufacturer offers a whole suite of interchangeable attachments.

[Image: Yarbo robot lawn mower] Yarbo is a modular yard-care robot. Depending on the attachment used, it can function as a lawn mower, trimmer, snowblower, leaf blower, or utility cart.

None of this comes cheap: in Europe, the base robot alone will set you back over €5000, while individual attachments cost anywhere from €1500 to €2500 each. If you want the full setup, including the robot and every available module — the mower, trimmer, snow blower, leaf blower, and towing module — you’re looking at a grand total of over €12 000.

As a lawn mower, this robotic tractor boasts some seriously impressive specs. It features a cutting width of about 50 cm, thanks to dual cutting discs outfitted with five blades each. A single charge covers roughly a thousand square meters. Once the battery drops to 20%, the robot drives itself back to the charging station and, once topped up, picks up right where it left off — just like a robot vacuum, except on a completely different scale: in mowing mode, this machine can maintain properties of up to 25 000 square meters, and in towing mode it can handle up to 125 000 square meters of land.

[Image: The Yarbo robot in its snow blower configuration] The Yarbo robot configured for snow removal.

For lawn care and landscaping, it all sounds like a dream come true. But imagine what could happen if you lost control of such a powerful machine. Well, The Verge reporter Sean Hollister doesn’t have to imagine. He teamed up with researcher Andreas Makris for an experiment where the researcher, sitting in Germany, remotely hijacked a Yarbo mower and ran over the journalist as he lay on his lawn back in the U.S. We’ll dive into all the details in the next sections.

[Image: The fully loaded Yarbo robot bundle] Yarbo’s complete package, featuring every attachment offered by the manufacturer: a setup that runs to well over €12 000 in Europe.

How the researcher hijacked the Yarbo devices

We’ve mentioned before on our blog that all smart devices are essentially computers — often on wheels. Most of the time, they run on Linux, and Yarbo’s robots are no exception. While digging into the device’s firmware, Makris discovered a built-in mechanism that maintains a constant connection with the company’s servers.

This kind of setup isn’t unusual in and of itself: most robot vacuums, smart cameras, smart speakers, and other IoT gadgets regularly ping the manufacturer’s infrastructure for things like software updates. But with Yarbo, this mechanism wasn’t just passing along telemetry data and pulling down updates; it did double duty as a monitoring and remote access tool. In theory, a manufacturer might use this kind of access for completely legitimate reasons, like remote troubleshooting or tech support.

To figure out exactly what this access could do, Makris dug into its configuration. As it turned out, the system allowed anyone to connect to the mower with top-tier administrative privileges and execute any command they wanted.

Making matters worse, the connection relied on the “root” account: the primary administrative login in Linux that has total control over the system. Since that username is standard across Linux systems, an attacker wouldn’t even have to guess a login.

And that’s where Makris hit another nasty surprise: the password for that root account was hardcoded right into the firmware, meaning it was exactly the same across every single Yarbo device. The password itself wasn’t the strongest — just nine characters — but in this scenario, that didn’t matter. The researcher didn’t need to crack or brute-force the root password because it was sitting out in the open, hardcoded into one of the system components for anyone to find.

[Image: The root password for every Yarbo robot] The root password for all Yarbo robots is hardcoded into one of the system components.

To be absolutely clear, this password didn’t just unlock one specific lawn mower — it opened the door to every single Yarbo robot on the planet. What’s worse, even if a tech-savvy owner managed to change their root password to something unique, the system would automatically reset it back to the default factory password during the next update.

This means that to gain remote access to any of the thousands of Yarbo robots out there, all an attacker needed was the device’s serial number and the universal root password. To make things even easier, the serial numbers follow a predictable format and serve as the robot’s ID within Yarbo’s ecosystem. The owner didn’t have to click a thing or do anything wrong for their mower to be compromised.
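The three weaknesses described above (a root account that accepts logins at all, one password baked into the firmware for every unit, and updates that put that password back) are exactly what a firmware audit should catch before a product ships. The Python script below is an added example, not Yarbo’s code or the researcher’s tooling; it assumes each firmware version has been unpacked to a directory containing an etc/shadow file, and the shadow entries it embeds are constructed placeholders rather than material from any real device.

```python
"""Audit unpacked firmware images for a shared, login-capable root password.

Added example, not Yarbo's code or the researcher's tooling. It assumes each
firmware version has been unpacked to a directory containing etc/shadow; the
shadow contents embedded below are constructed sample data with placeholder
hash strings, not material from any real device.
"""
import os
from collections import defaultdict

# Constructed sample: three unpacked firmware trees, keyed by image name.
# Two ship the same root field verbatim (identical salt and digest, hence an
# identical password); the third ships root locked plus a service account.
SAMPLE_SHADOW = {
    "fw_1.0.0": (
        "root:$6$samesalt$placeholderdigest:19000:0:99999:7:::\n"
        "sshd:*:19000:0:99999:7:::\n"
    ),
    "fw_1.1.0": "root:$6$samesalt$placeholderdigest:19000:0:99999:7:::\n",
    "fw_hardened": (
        "root:!:19000:0:99999:7:::\n"
        "svc:$6$othersalt$otherdigest:19000:0:99999:7:::\n"
    ),
}


def parse_shadow(text):
    """Map user -> password field for one shadow file body."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def classify_hash(field):
    """Name the password-field format so the audit can rank it."""
    if field == "":
        return "empty"            # login with no password at all
    if field[0] in "!*":
        return "locked"           # password login impossible
    for prefix, name in (
        ("$6$", "sha512crypt"), ("$5$", "sha256crypt"), ("$y$", "yescrypt"),
        ("$7$", "scrypt"), ("$2", "bcrypt"), ("$1$", "md5crypt"),
    ):
        if field.startswith(prefix):
            return name
    return "descrypt-or-unknown"  # legacy DES crypt or an unrecognised format


def load_shadow_files(image_dirs):
    """Read etc/shadow from each unpacked image directory (real-world input path)."""
    shadow_by_image = {}
    for path in image_dirs:
        with open(os.path.join(path, "etc", "shadow"), encoding="utf-8") as fh:
            shadow_by_image[os.path.basename(path.rstrip("/"))] = fh.read()
    return shadow_by_image


def audit(shadow_by_image):
    """Return findings as (image, finding, detail) tuples.

    Flags images whose root account can log in at all, root password fields
    that are byte-for-byte identical across images (same salt and digest means
    the same password on every unit), empty passwords, and weak hash formats.
    """
    findings = []
    root_field_to_images = defaultdict(list)
    for image, text in shadow_by_image.items():
        users = parse_shadow(text)
        for user, field in users.items():
            kind = classify_hash(field)
            if user == "root" and kind != "locked":
                findings.append((image, "root-login-enabled", kind))
                root_field_to_images[field].append(image)
            if kind == "empty":
                findings.append((image, "empty-password", user))
            elif kind in ("md5crypt", "descrypt-or-unknown"):
                findings.append((image, "weak-hash", user))
    for field, images in root_field_to_images.items():
        if len(images) > 1:
            findings.append(("*", "shared-root-password", sorted(images)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW):
        print(finding)
```

Comparing the password field byte for byte only catches the case a hardcoded default produces, where salt and digest are the same in every image; two images that hashed the same password with different salts would need a different check. Running the audit over successive firmware versions also surfaces the reset-on-update behaviour the post describes: a root field that stays identical from one release to the next.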

What an attacker can do with a Yarbo mower

Andreas Makris took a close look at exactly what this remote access allowed him to do, and he gave The Verge reporter Sean Hollister a live demonstration of the capabilities, which included:

  • Streaming live video from the built-in cameras — there are four in total, one on each side of the robot
  • Snapping photos with the onboard cameras
  • Harvesting user email addresses
  • Stealing passwords for the Wi-Fi networks the robots were connected to
  • Pinpointing the exact GPS coordinates of the machines
  • Controlling the robots remotely

The reporter reached out to two Yarbo owners to verify Makris’s findings. They confirmed that the researcher had successfully pinpointed their homes, and had managed to pull their actual email addresses and the passwords to the Wi-Fi networks their robots were using.

To really drive home how dangerous it is for a stranger to have remote access to such a powerful machine, Makris and Hollister decided to run the experiment mentioned earlier. Sitting in Germany, the researcher hijacked a Yarbo mower located in the U.S. that Hollister had access to. Then, while staying on the line with the journalist who was lying in the grass, Makris steered the machine straight toward him.

To be fair, the mower was in reverse and the blades weren’t spinning. Even so, the stunt was still plenty dangerous — the machine weighs over 220 pounds. At one point, the robot did actually back into Hollister, but Makris stopped the mower just in time and no one was hurt.

This experiment proved that the device completely lacks any hardwired safety features that would kick in if something got in the robot’s way. To be fair, the mower does have a physical emergency stop button that halts the machine when pressed. However, Makris points out that with root access, a hacker could easily override that command and boot the machine right back up.

But the risks don’t stop at remote hijacking stunts. According to Makris, this level of access allows an attacker to secretly spy on your property through the built-in cameras, install malicious software onto the robot’s operating system, and use the mower as a beachhead to launch further attacks on other devices connected to the same network. In the researcher’s view, the entire remote access architecture is essentially a backdoor: owners have no way to disable it, and access to the machines remains wide open no matter what they do.

How to avoid becoming a victim of… your lawn mower

Typically, cybersecurity researchers only publish their findings after the manufacturer has patched the vulnerabilities. Andreas Makris took a different route, however: he posted the details about the Yarbo backdoor online right away, without waiting for a fix. He justified his decision by pointing out that this wasn’t an accidental flaw left behind by the company; the manufacturer had deliberately and intentionally built a permanent backdoor into its robots.

Furthermore, when Makris tried to reach out to Yarbo support — the company lacked a dedicated channel for reporting vulnerabilities — he received a canned response claiming that everything was secure, and the remote connection feature wasn’t permanently enabled and could not be used by third parties. As the researcher clearly demonstrated, those claims were completely false.

Following the publication of Makris’s findings, Yarbo announced that they would fix many of the issues he’d uncovered. Specifically, the company promised to ditch the universal passwords across devices, implement stronger access control, and bring more transparency to how their remote diagnostics system operates.

As for the remote access itself, future firmware updates will make it strictly opt-in. Users will be able to decide for themselves whether they even want the feature, installing it only if and when they actually need it.

Yarbo has already rolled out two software updates for its robots, and we highly recommend that owners install them immediately. That said, it’s still not entirely clear whether all of the security flaws have actually been ironed out.

The broader takeaway for anyone with smart gadgets is that a high price tag is absolutely no guarantee of security. Even a machine that costs thousands of euros can turn out to be a potential spying tool or a wide-open gateway into your home network, rather than just a helpful chore-bot.

That’s why it pays to practice basic digital hygiene: install updates as soon as they drop; use strong, unique passwords for your home Wi-Fi networks — while saving them in a password manager — and segment your IoT devices away from computers and other systems that hold sensitive data wherever possible. Besides, the Smart Home Monitor feature in our security suite will tip you off the second an unauthorized device tries to connect to your home network.
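The last two pieces of advice, keeping IoT devices on their own network segment and being told when something unfamiliar joins, can be checked with a few lines of code on a home router or a small Linux box. The Python below is an added example, not part of the original post and not the Smart Home Monitor feature it mentions; the subnets, MAC addresses and the `ip neigh`-style table it reads are all constructed sample data.

```python
"""Compare the devices currently on a home network with an allowlist and a
segmentation plan.

Added example, not part of the original post and not the Smart Home Monitor
feature it mentions. The subnets, MAC addresses and the neighbour table below
are constructed sample data.
"""
import ipaddress
import subprocess

# Constructed segmentation plan: IoT gear lives on its own VLAN subnet,
# computers and storage on a separate trusted subnet.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed allowlist: MAC -> (name, segment the device is supposed to be on).
ALLOWLIST = {
    "aa:bb:cc:00:00:01": ("laptop", "trusted"),
    "aa:bb:cc:00:00:02": ("nas", "trusted"),
    "aa:bb:cc:00:00:10": ("yard-robot", "iot"),
    "aa:bb:cc:00:00:11": ("doorbell-camera", "iot"),
}

# Constructed neighbour table in the format `ip neigh show` prints on Linux.
# The yard robot has ended up on the trusted subnet, and an unknown MAC has
# appeared on the IoT subnet.
SAMPLE_NEIGH = """\
192.168.10.5 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.10.6 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.10.9 dev eth0 lladdr aa:bb:cc:00:00:10 REACHABLE
192.168.20.7 dev eth0.20 lladdr aa:bb:cc:00:00:11 REACHABLE
192.168.20.8 dev eth0.20 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.20 dev eth0 FAILED
"""


def parse_neigh(text):
    """Return [(ip, mac)] for neighbour entries that carry a link-layer address."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue  # FAILED/INCOMPLETE entries have no MAC to check
        mac = tokens[tokens.index("lladdr") + 1].lower()
        pairs.append((tokens[0], mac))
    return pairs


def segment_of(ip, segments):
    """Name the planned segment an address falls in, or 'unplanned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return "unplanned"


def check_network(neigh_text, allowlist, segments):
    """Return alerts as (kind, ip, mac, message) tuples."""
    alerts = []
    for ip, mac in parse_neigh(neigh_text):
        seg = segment_of(ip, segments)
        if mac not in allowlist:
            alerts.append(("unknown-device", ip, mac,
                           f"MAC not in allowlist, seen on {seg} segment"))
            continue
        name, expected = allowlist[mac]
        if seg != expected:
            alerts.append(("segmentation-violation", ip, mac,
                           f"{name} belongs on {expected}, seen on {seg}"))
    return alerts


def check_live_network(allowlist=ALLOWLIST, segments=SEGMENTS):
    """Run the same check against the real neighbour table (Linux only)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True)
    return check_network(out.stdout, allowlist, segments)


if __name__ == "__main__":
    for alert in check_network(SAMPLE_NEIGH, ALLOWLIST, SEGMENTS):
        print(alert)
```

The neighbour table only lists devices the host has recently exchanged traffic with, so on a real network the check belongs on the router or on a host that sees every segment, run on a schedule; MAC addresses can be changed by whoever controls a device, so an allowlist is a tripwire for accidental misplacement and unfamiliar gear, not a substitute for the VLAN and firewall rules that actually enforce the segmentation.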
