Risky robots: German researcher reveals 11,000 robotic lawnmowers that can be hacked and controlled around the world

By Anand Kumar, Senior Journalist Editor, Global India Broadcast News


A German security researcher has uncovered a serious set of vulnerabilities in Yarbo’s Internet-connected robotic lawn mowers, showing that the machines can be accessed and controlled remotely from anywhere in the world.

In a live demonstration reported by The Verge, Andreas Makris was able to steer a Yarbo unit from nearly 6,000 miles away, with the reporter even lying in the mower’s path to show just how serious the flaw was. The investigation said the problem affected more than 11,000 devices globally and raised alarms not only about privacy but also about physical safety, because the robots carry rotating blades and can operate autonomously in people’s yards.

How hackers can remotely control thousands of robotic lawnmowers

Makris’s findings focused on a range of vulnerabilities in Yarbo’s diagnostic, credential management, and remote data processing systems. The researcher found that the robots all share the same encrypted root password, while the firmware also includes a backdoor that can be used for remote access. Reports said the devices could be made to spin their blades, check the home network, and potentially be folded into a botnet.

The danger was not limited to digital access. Makris could reportedly pull owners’ email addresses, Wi-Fi passwords and precise GPS coordinates of their homes from the system, while also accessing camera feeds. This means that a hacked mower could become both a surveillance device and a physical danger. The live demonstration showed a remotely controlled robot moving towards a reporter, underscoring how an ordinary machine in a yard can become dangerous if security flaws are exploited.

Exposure size

Makris was reportedly tracking more than 11,000 Yarbo devices worldwide, with about 5,400 devices spread across the US and Europe at the time of the demonstration. Reports also indicated that the company sells modular robots capable of operating as a lawn mower, leaf blower, snow blower or strimmer, all powered by the same basic machinery. This architecture means that the vulnerabilities can affect multiple products across the Yarbo lineup.

CVEs explain technical risks

The revelation was backed by several vulnerabilities that have been formally tracked. According to the US National Vulnerability Database, one flaw was a hidden backdoor within Yarbo’s firmware that could allow remote access to the robot without proper authentication. The backdoor cannot be disabled through normal user settings and remains active even after a factory reset or software updates, the researchers said.

Another vulnerability relates to the mower’s MQTT communications system, which reportedly allows anonymous connections without proper security restrictions. In simple terms, someone on the same network can intercept sensitive data or send commands directly to the robot.

A separate security consultant also revealed that Yarbo devices use the same administrator username and password, built into all devices.

Users cannot change or permanently remove these credentials, meaning anyone who discovered them could gain deep access to the mower’s internal systems and remote management controls, the researchers said.
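For owners or defenders reviewing a packet capture from their own network, the MQTT weakness described above is visible in the handshake itself. The following is an added example, not code from the article or from Yarbo: it parses an MQTT 3.1.1 CONNECT/CONNACK pair and flags a session the broker accepted without any credentials. The packet bytes and the `mower1` client ID are constructed sample data.

```python
import struct

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length size field; return (value, next_pos)."""
    value = shift = 0
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated length field")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("length field longer than 4 bytes")

def parse_connect(pkt):
    """Return the credential flags carried by a client's CONNECT packet."""
    if not pkt or pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(pkt, 1)
    body = pkt[pos:pos + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated CONNECT")
    (name_len,) = struct.unpack_from(">H", body, 0)
    flags_at = 2 + name_len + 1          # skip protocol name and level byte
    if flags_at >= len(body):
        raise ValueError("truncated CONNECT header")
    flags = body[flags_at]
    return {"has_username": bool(flags & 0x80),
            "has_password": bool(flags & 0x40)}

def parse_connack(pkt):
    """Return the broker's return code (0 means the connection was accepted)."""
    if len(pkt) < 4 or pkt[0] >> 4 != 2 or pkt[1] != 2:
        raise ValueError("not an MQTT 3.1.1 CONNACK")
    return pkt[3]

def anonymous_session_accepted(connect_pkt, connack_pkt):
    """True when a client sent no credentials and the broker still said yes."""
    c = parse_connect(connect_pkt)
    return (not c["has_username"] and not c["has_password"]
            and parse_connack(connack_pkt) == 0)

# Constructed sample packets (not captured from any real device).
ANON_CONNECT = b"\x10\x12" + b"\x00\x04MQTT" + b"\x04\x02\x00\x3c" + b"\x00\x06mower1"
AUTH_CONNECT = (b"\x10\x18" + b"\x00\x04MQTT" + b"\x04\xc2\x00\x3c"
                + b"\x00\x06mower1" + b"\x00\x01u" + b"\x00\x01p")
CONNACK_OK = b"\x20\x02\x00\x00"
CONNACK_DENIED = b"\x20\x02\x00\x05"     # return code 5: not authorized
```

A broker that enforces authentication answers the credential-less CONNECT with a non-zero return code, so the check returns False for it.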

How did Yarbo respond?

Yarbo later acknowledged the issue in an official update and said the basic technical findings were accurate. The company said it has temporarily cut off remote access and is working on a fix, including stronger access controls, improved authentication, increased user visibility of remote diagnostic features, and a reduction in unnecessary legacy support mechanisms.

The Verge’s follow-up report said Yarbo also apologized and created a dedicated security response center.

What users of connected devices should take from this

The incident illustrates why owners need to be careful about devices that rely on cloud access and remote diagnostics. For robotic lawnmowers and other IoT products, the safest approach is to keep firmware up to date, review remote access settings, isolate devices on separate home networks where possible, and pay attention to vendor security disclosures. In Yarbo’s case, the official response indicates that some fixes are underway, but the revelation itself shows how quickly convenience can turn into exposure when security is addressed too late.
