A flaw in robot mowers could compromise your home network


SouthernWorldwide.com – A recent security report has highlighted significant vulnerabilities in Yarbo robots, including autonomous lawn mowers and snow blowers, which could potentially expose homeowners’ networks to unauthorized access.

Security researcher Andreas Makris found that these devices contained flaws allowing for remote access, live camera viewing, and the theft of Wi-Fi credentials. The report indicates that approximately 6,000 robots are affected by these security issues.

Yarbo has acknowledged the accuracy of the core technical findings and has begun implementing security fixes. However, this incident raises crucial questions about the level of access smart outdoor devices should have within a home’s network.

Makris’s report details that Yarbo robots are equipped with a persistent remote access setup utilizing an internet tunnel. The devices also feature a hardcoded root password shared across all units and a remote connection method tied to the robot’s serial number.

Root access grants deep control over a device, akin to administrator-level privileges. The report also notes that the remote tunnel starts automatically and restarts itself if stopped, and that there is no simple in-app switch to turn it off, so users cannot easily disable it.

While smart devices often require internet connectivity for app controls, updates, and support, Makris argues that Yarbo’s setup creates an unacceptably high risk. He claims remote access is integrated into every robot by default, rather than being an opt-in feature for assistance.

An attacker with the necessary information could potentially gain remote control of a robot, access its internal functions, and use it as an entry point into the owner’s home network. This means a seemingly innocuous lawn mower could pose a significant security threat.

The report highlights that Yarbo robots can feature multiple camera feeds. If an attacker achieves root access, they could remotely view the robot’s surroundings, potentially capturing footage of driveways, backyards, or other private outdoor areas.

Furthermore, an attacker with root access could retrieve saved Wi-Fi credentials from the robot’s system. This is particularly concerning as most households use a single Wi-Fi network for all connected devices, making stolen credentials a gateway to broader network compromise.

Following the report’s publication, Yarbo responded through its Security Center, admitting that the identified vulnerabilities in its remote diagnostic, credential management, and data-handling systems were serious. Yarbo co-founder Kenneth Kohlmann confirmed the accuracy of the technical findings.


Yarbo stated that the issues stemmed from historical design choices in certain system components and that some legacy support tools lacked sufficient user visibility and control. The company also conceded that some authentication and credential systems did not meet their current security standards.

In response to the vulnerabilities, Yarbo has taken several remediation steps. This includes retiring historical fleet-level root credentials, revoking shared remote-access credentials, and disabling associated server-side connection paths.

The company also mentioned that updated versions of its mobile app no longer contain static credentials or embedded access mechanisms that could directly authenticate with backend services. Yarbo has removed reporting scripts, legacy dependencies, and non-essential network configurations.

However, Yarbo indicated that further work is ongoing. The company is in the process of rebuilding its credential management system to replace shared credentials with individually scoped, per-device credentials that support independent rotation and revocation.

The report also points to connections involving Yarbo’s parent company, Hanyang Tech, and platforms like ByteDance Feishu and Tencent TDMQ, as well as Chinese DNS resolvers. Makris noted that some robot telemetry data can be sent to ByteDance’s Feishu platform.

Yarbo has since confirmed the removal of reporting scripts, legacy dependencies, and non-essential network configurations that were no longer serving a necessary function. Historical servers and legacy access channels are also being phased out.

A primary concern remains transparency, with owners needing to understand where their device data is sent, who can access it, and whether these connections are essential for the device’s operation.

For Yarbo robot owners, the report serves as a stark reminder to treat these devices with the same caution as any other connected device with cameras and network access. Yarbo is pushing security updates automatically, so owners are advised to connect their robots to receive these updates.

It is recommended that owners consider moving their Yarbo robot to a guest network or an isolated smart-device network to limit its access to the main home network.

While users may not have full control over the robot’s internal workings, they can take practical steps to restrict its reach within their home network.

It is advisable not to keep the robot mower on the same network as sensitive devices like laptops, phones, or security cameras. Utilizing a guest network or a separate smart-device network, if supported by the router, is a recommended practice.

If the robot has already connected to the main Wi-Fi, changing the Wi-Fi password to a strong, unique one and reconnecting only trusted devices is a crucial step. Using a password manager is also advised.

Users should regularly review the list of connected devices on their router and remove any unfamiliar devices.

Activating guest device isolation features on routers can prevent the robot from communicating with other devices on the network.

Owners should inquire about the extent of remote diagnostic access, whether credentials are now unique per robot, and if a true off-switch for remote diagnostics will be provided.

Yarbo states that security updates are delivered automatically when devices connect to the internet. Connecting the robot through a guest or isolated network ensures it receives the update without granting access to primary devices.
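The checks recommended above (review the router's connected-device list for unfamiliar entries, and confirm the robot actually sits on the isolated segment rather than the main LAN) can be scripted against a router's DHCP lease list. The following is an added example, not code from the article or from Yarbo; the lease lines, MAC addresses, the 192.168.1.0/24 main LAN and the 192.168.50.0/24 IoT segment are all constructed for illustration, and the dnsmasq-style lease format is an assumption about the router.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a dnsmasq-style DHCP lease file:
# expiry, MAC, IP, hostname, client-id. All values are made up.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 my-laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.21 my-phone *
1700000000 aa:bb:cc:00:00:10 192.168.1.77 yarbo-mower *
1700000000 aa:bb:cc:00:00:99 192.168.1.80 * *
"""

# Assumed network layout: main LAN for laptops/phones, separate isolated
# guest/IoT segment where the mower is supposed to live.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_LAN = ipaddress.ip_network("192.168.50.0/24")

# Owner's inventory of recognised devices: MAC -> (name, segment it belongs on).
KNOWN = {
    "aa:bb:cc:00:00:01": ("my-laptop", MAIN_LAN),
    "aa:bb:cc:00:00:02": ("my-phone", MAIN_LAN),
    "aa:bb:cc:00:00:10": ("yarbo-mower", IOT_LAN),
}

@dataclass
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    hostname: str

def parse_leases(text):
    """Parse lease lines into Lease records; skip malformed lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(parts[1].lower(), ipaddress.ip_address(parts[2]), parts[3]))
    return leases

def audit(leases, known=KNOWN):
    """Return (unfamiliar, misplaced): leases whose MAC is not in the inventory,
    and known devices whose address is outside the segment they should be on."""
    unfamiliar, misplaced = [], []
    for lease in leases:
        if lease.mac not in known:
            unfamiliar.append((lease.mac, str(lease.ip), lease.hostname))
            continue
        name, expected_net = known[lease.mac]
        if lease.ip not in expected_net:
            misplaced.append((name, str(lease.ip), str(expected_net)))
    return unfamiliar, misplaced
```

Running `audit(parse_leases(SAMPLE_LEASES))` on the constructed data flags the unnamed device at 192.168.1.80 as unfamiliar and the mower as misplaced, since it holds a main-LAN address instead of one from the IoT segment.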

The report serves as a critical reminder that the convenience offered by smart devices can come with hidden access risks. A robot mower, while useful for yard work, is effectively a connected computer with cameras and location data, and it can become a path into a home network.

The most significant concern is control, with owners needing clarity on who can access their devices, when remote access is active, and if it can be disabled. Trusting a “black box” device on one’s Wi-Fi without full transparency is not advisable.

Yarbo robot owners are urged to isolate their devices from the main network and seek clear answers from the company. When considering any smart yard device, security should be a primary consideration, even before features like battery life.

The question remains: would you allow a smart yard robot onto your Wi-Fi if the company could not clearly explain who can access it and when? This is a crucial consideration for consumers in the age of increasingly connected home devices.
