- Thousands of Yarbo lawn mowers exposed identical passwords in homes around the world
- Researchers remotely hijacked a 200-pound lawn mower in front of a family home
- GPS Locations and WiFi Passwords Leaked by Vulnerable Robot Lawn Mowers
Security researcher Andreas Makris discovered a serious flaw in Yarbo robot lawn mowers that allowed remote access using identical default administrator credentials across thousands of units.
These autonomous machines, equipped with cameras, GPS and AI mapping, operate worldwide in more than 30 countries without constant human monitoring.
Makris demonstrated the vulnerability by accessing owners’ email addresses, Wi-Fi passwords, exact GPS locations, and plotting a live map showing more than 11,000 devices around the world.
Linux devices waiting to be armed
Yarbo mowers run on Internet-connected Linux systems, functioning much like exposed computers.
Hackers could theoretically activate the blades remotely, scan nearby networks, or assemble the devices into a botnet for larger attacks.
Makris noted that units operating near critical sites, such as a large power plant, amplify potential risks to infrastructure.
The danger of this vulnerability was highlighted during a live test for The Verge, in which a 200-pound lawn mower operating outside a family home in upstate New York was taken over remotely.
“The robot’s camera rotates to reflect each of these movements,” the report notes, warning: “Nothing stops it from driving wherever it wants and spying on this family.”
Reporter Sean Hollister lay in the mower’s path while it was driven from Germany, about 6,000 miles away, to test Yarbo’s earlier safety claims.
The experiment showed how easily an outsider could command the device, overriding local controls without detection.
Unfortunately, regular firmware updates failed to fix the main problem, because each update reset devices to the same weak default passwords.
Simple password changes alone cannot resolve the deeper architectural problems of these networked bots.
Made in China, headquartered in New York
Yarbo operates publicly out of Ronkonkoma, New York, but traces its roots back to Hanyang Tech in Shenzhen, China, a dual identity that has drawn scrutiny amid a security breach affecting devices sold internationally.
This revelation prompted Makris to publish his findings, including official CVE disclosures, before Yarbo fully fixed the issues.
Critics question whether geographic ties influence the persistence of manufacturers’ access features in consumer hardware.
Yarbo co-founder Kenneth Kohlmann acknowledged the flaws in a statement accessible primarily via VPN outside the United States.
The company disabled remote diagnostic tunnels, reset root passwords, and restricted unauthenticated entry points.
They also moved from shared passwords to device-specific credentials and promised a whitelist-based diagnostic model with audits.
However, neither Makris nor Hollister found these measures convincing. The company did not remove remote access from manufacturers entirely, but instead promised tighter controls and audit logging.
“There remains a controversial internal backdoor,” Hollister said in an assessment of the steps taken so far.
The move fueled broader concerns about smart devices with persistent backdoor-style access whose manufacturers refuse to close hidden access points.
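The two points the article turns on, a root credential shared by every unit that firmware updates kept re-creating, and the per-device credentials Yarbo later promised, can be checked from the defender's side. The following is an added example written for this page, not Yarbo's or the researcher's code; the serials, the placeholder default password and the credential-store layout are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from collections import Counter

# Constructed placeholder; the real shared credential is not on the page.
KNOWN_DEFAULTS = ["changeme"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def bake_shared_credential(serials, password=KNOWN_DEFAULTS[0]):
    """Models a firmware image that ships one fixed root entry: every unit gets the same salt and digest."""
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    return [{"serial": s, "salt": salt, "digest": digest} for s in serials]


def provision_unique(serial):
    """Hardened path: a random secret and salt generated per device at provisioning time."""
    secret = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    return {"serial": serial, "salt": salt, "digest": hash_password(secret, salt)}, secret


def apply_firmware_update(device, image_credential, preserve_credentials):
    """An update that overwrites the credential store reverts the device to the image's shared entry."""
    if preserve_credentials:
        return device
    return {"serial": device["serial"], "salt": image_credential["salt"], "digest": image_credential["digest"]}


def audit_fleet(fleet):
    """Serials whose entry is identical to another unit's, and serials whose credential is a known default."""
    counts = Counter((d["salt"], d["digest"]) for d in fleet)
    shared = sorted(d["serial"] for d in fleet if counts[(d["salt"], d["digest"])] > 1)
    defaults = sorted(d["serial"] for d in fleet
                      if any(hmac.compare_digest(hash_password(p, d["salt"]), d["digest"]) for p in KNOWN_DEFAULTS))
    return {"shared": shared, "default": defaults}


if __name__ == "__main__":
    serials = ["YB-0001", "YB-0002", "YB-0003"]  # constructed sample fleet
    print(audit_fleet(bake_shared_credential(serials)))  # every unit flagged as shared and default
    print(audit_fleet([provision_unique(s)[0] for s in serials]))  # nothing flagged
```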
Via Cybernews