SouthernWorldwide.com – A recent security report has highlighted significant vulnerabilities in Yarbo robots, including autonomous lawn mowers and snow blowers, which could potentially expose homeowners’ networks to unauthorized access.
Security researcher Andreas Makris discovered that these devices harbor flaws that could allow for remote access, live camera viewing, and the theft of Wi-Fi credentials. The report indicates that approximately 6,000 robots are currently affected by these issues.
Yarbo has acknowledged the accuracy of the core technical findings and has begun implementing security fixes. However, the incident raises broader questions about the level of access smart yard devices should have within a home network.
Makris’s report detailed that Yarbo robots are equipped with a persistent remote access setup that utilizes an internet tunnel. This allows for deep control over the device, akin to administrator-level access, through a hardcoded root password shared across all units and a remote connection tied to the robot’s serial number.
The report further states that this remote tunnel operates automatically, can self-restart if stopped, and may reappear even if removed. This lack of a simple off-switch within the app is a significant concern for owners.
While smart devices often require internet connectivity for app controls, updates, and support, Makris claims Yarbo’s implementation creates an unusually high risk. The remote access appears to be a default feature, rather than an opt-in service for troubleshooting.
An attacker with the necessary information could potentially exploit this to gain remote access, access internal functions, and use the robot as an entry point into the owner’s home network. This transforms a seemingly innocuous yard tool into a potential security threat.
The report also highlights that Yarbo robots can feature multiple camera feeds. If an attacker achieves root access via the remote tunnel, they could remotely view the robot’s surroundings, potentially capturing footage of driveways, backyards, or other outdoor areas where families spend time.
Beyond visual surveillance, an attacker with root access could also extract saved Wi-Fi credentials from the robot’s system. This is particularly concerning as many households rely on a single Wi-Fi network for all their connected devices, including phones, laptops, and security systems.
Once a Wi-Fi password is compromised, attackers can attempt to access other devices on the network or exploit previously unknown vulnerabilities. This underscores the need for rigorous security scrutiny of all connected outdoor equipment, regardless of its physical location.
Following the publication of Makris’s report, Yarbo issued a response through its Security Center. The company admitted that the report identified serious vulnerabilities in its remote diagnostic, credential management, and data-handling systems.
Yarbo co-founder Kenneth Kohlmann confirmed the accuracy of the technical findings and conceded that their initial response did not adequately reflect the gravity of the issues. The company attributed the problems to historical design choices in these systems.
Yarbo stated that some legacy support tools lacked sufficient user visibility and control, and certain authentication and credential systems did not meet their current security standards.
In response, Yarbo has implemented several remediation steps. These include retiring historical fleet-level root credentials, revoking shared remote-access credentials, and disabling associated server-side connection paths.
Furthermore, updated versions of the Yarbo mobile app no longer contain static credentials or embedded access mechanisms for direct authentication against backend services. The company has also removed non-essential reporting scripts, legacy dependencies, and network configurations that were no longer necessary for product function.
However, Yarbo indicated that further work is ongoing. The company is in the process of rebuilding its credential management system to replace shared credential models with individually scoped, per-device credentials that support independent rotation and revocation.
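The difference between the old shared-credential model and the per-device model Yarbo describes can be shown in a few lines. The following is an added illustration, not Yarbo's code; the class and method names are assumed, and the point is that with a fleet-wide secret one leak authenticates as any serial, while per-device secrets can be rotated or revoked one robot at a time.

```python
"""Shared fleet credential vs. per-device scoped credential (illustrative only)."""
import hashlib
import hmac
import secrets


class SharedFleetAuth:
    """Weak model: one secret baked into every unit. The serial number is not
    bound to the credential, so a leak from any robot opens the whole fleet,
    and the secret cannot be revoked for one device without breaking all."""

    def __init__(self, fleet_password: str):
        self._pw_hash = hashlib.sha256(fleet_password.encode()).digest()

    def authenticate(self, serial: str, password: str) -> bool:
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(candidate, self._pw_hash)


class PerDeviceAuth:
    """Corrected model: an individually scoped secret per serial, stored only
    as a salted hash, with independent rotation and revocation."""

    ITERATIONS = 100_000

    def __init__(self):
        self._store = {}  # serial -> {"salt", "hash", "revoked"}

    def _record(self, secret: str) -> dict:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)
        return {"salt": salt, "hash": digest, "revoked": False}

    def enroll(self, serial: str) -> str:
        secret = secrets.token_urlsafe(32)  # provisioned to this one robot only
        self._store[serial] = self._record(secret)
        return secret

    def authenticate(self, serial: str, secret: str) -> bool:
        rec = self._store.get(serial)
        if rec is None or rec["revoked"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), rec["salt"], self.ITERATIONS)
        return hmac.compare_digest(digest, rec["hash"])

    def rotate(self, serial: str) -> str:
        """Replace one device's secret; every other device is unaffected."""
        new_secret = secrets.token_urlsafe(32)
        self._store[serial] = self._record(new_secret)
        return new_secret

    def revoke(self, serial: str) -> None:
        self._store[serial]["revoked"] = True
```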
The report also noted connections to Hanyangtech, Yarbo’s parent company, as well as ByteDance Feishu, Tencent TDMQ, and Chinese DNS resolvers. Makris pointed out that some robot telemetry data can be sent to ByteDance’s Feishu platform, and certain infrastructure choices are embedded in the firmware.
Yarbo reiterated its removal of unnecessary reporting scripts, legacy dependencies, and network configurations, and stated that historical servers and legacy access channels will continue to be phased out.
The fundamental issue at stake is transparency. Homeowners should have clear information about where their device data is sent, which companies have access to it, and whether these connections are vital for the device’s core functionality.
This level of clarity is especially critical for devices equipped with cameras, location tracking, and access to home networks. Owners of Yarbo robots are advised to treat them with the same security caution as any other connected device with similar capabilities.
Yarbo is reportedly pushing security updates automatically to connected devices. It is recommended that owners connect their robots long enough to receive the latest security patch. After the update, consider moving the robot to a guest network or a dedicated smart-device network.
While complete control over internal robot operations may not be feasible, practical steps can be taken to limit the device’s reach within the home network.
It is advisable not to keep the robot mower on the same network as sensitive devices like laptops, phones, or security cameras. Utilizing a guest network or a separate smart-device network, if supported by the router, is a recommended practice.
If the robot has already connected to the main Wi-Fi and concerns about exposure exist, changing the Wi-Fi password to a strong, unique one is essential. Storing this password in a secure manager can prevent reuse and aid in remembering it.
Regularly reviewing connected devices through the router’s app or admin page is also important. Any unfamiliar devices should be investigated and removed if they are not recognized.
Many routers offer a feature to isolate guest devices, which can prevent the robot from interacting with other devices on the network. Enabling this feature can enhance security.
Owners should inquire about the extent of remaining remote diagnostic access, whether credentials are now unique per robot, and if the company offers a definitive off-switch for remote diagnostics.
Since Yarbo states that security updates are delivered automatically once the robot is online, connecting it through a guest or isolated network lets it receive those updates without giving it access to devices on the main network.
The Yarbo report serves as a critical reminder that convenience offered by smart devices can come with hidden access risks. A robot mower, despite its utility, can function as a connected computer with cameras, location data, and a potential gateway into a home network.
The primary concern for users is control. Homeowners need to understand who can access their devices, when remote access is active, and whether they have the ability to disable it. Trusting a “black box” device on the Wi-Fi without clear answers is not advisable.
For owners of these robots, isolating them from the main network and demanding clear answers from the manufacturer is crucial. For those considering purchasing smart yard devices, prioritizing security discussions before features like battery life is recommended.
The question remains: would you allow a smart yard robot onto your Wi-Fi if the company could not clearly explain who can access it and when? Consumers are encouraged to voice their concerns and seek transparency from manufacturers.
