- Thousands of Yarbo lawnmowers revealed identical passwords across homes worldwide
- Investigators remotely hijacked a 200-pound lawnmower outside a family home
- GPS locations and WiFi passwords leaked from vulnerable robotic lawnmowers
Security researcher Andreas Makris has uncovered a serious flaw in Yarbo robotic lawnmowers that allowed remote access using identical default administrator credentials across thousands of devices.
These autonomous machines, equipped with cameras, GPS and AI mapping, operate worldwide in over 30 countries without constant human supervision.
Makris demonstrated the vulnerability by accessing owner email addresses, Wi-Fi passwords and exact GPS locations, and by plotting a live map of more than 11,000 devices worldwide.
Linux devices are waiting to be armed
Yarbo lawnmowers run Linux and are connected to the Internet, so they are, in effect, exposed computers.
Hackers could theoretically remotely activate blades, scan nearby networks, or assemble the devices into a botnet for larger attacks.
Makris noted that devices operating near critical locations, such as a major power plant, amplify potential risks to the infrastructure.
The danger of this vulnerability was demonstrated during a live test for The Verge, in which Makris took control of a 200-pound lawnmower operating outside a family home in upstate New York.
“The robot’s camera turns to reflect each of these movements,” the report noted, warning, “There is little to stop him from driving anywhere he likes and spying on this family.”
Reporter Sean Hollister stood in the mower's path while Makris steered it from Germany, some 6,000 miles away, to test Yarbo's earlier safety claims.
The experiment revealed how easily an outsider could commandeer the device and override local controls without detection.
Unfortunately, regular firmware updates failed to fix the core issue, because they reportedly reset devices to the same weak default passwords.
Simple password changes alone cannot solve the deeper architectural problems in these networked robots.
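The two design mistakes the article describes, a root credential baked into the firmware image so every device shares it, and an updater that writes that credential back on every update, are easy to reproduce in miniature. The following is an added example, not Yarbo's code: the password, salt format, device records and updater functions are all constructed for illustration. It contrasts the flawed updater with one that leaves a per-device credential partition alone (the kind of device-specific credential the article says the company later moved to), and includes the two audits a reviewer would run against a fleet: does a single candidate password open many devices, and do many devices carry byte-identical root hashes.

```python
"""
Constructed model of shared-default root credentials on a fleet of Linux devices.
Not Yarbo code: the default password, the hash layout and the device records are
made up so the example runs offline.
"""
import hashlib
import hmac
import secrets

# Constructed placeholder; the article does not disclose the real default.
FACTORY_DEFAULT_PASSWORD = "factory-default"


def shadow_hash(password: str, salt: str) -> str:
    """Salted hash in an /etc/shadow-like '$id$salt$hash' layout.

    Stand-in for crypt(3); plain SHA-256 keeps the example dependency-free.
    """
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$5${salt}${digest}"


def verify(password: str, entry: str) -> bool:
    """Check a candidate password against a shadow entry with a constant-time compare."""
    _, _, salt, _ = entry.split("$")
    return hmac.compare_digest(shadow_hash(password, salt), entry)


def build_factory_image(version: str) -> dict:
    """Flawed design: the image carries a complete root shadow entry, so every
    device that boots this image has the same root password and the same hash."""
    return {"version": version,
            "root_shadow": shadow_hash(FACTORY_DEFAULT_PASSWORD, "fixedsalt")}


def provision_device(serial: str) -> dict:
    """Hardened provisioning: random per-device root password and salt, stored
    in a credential partition that an image update must not overwrite."""
    password = secrets.token_urlsafe(24)
    salt = secrets.token_hex(8)
    return {"serial": serial, "version": "1.0",
            "root_shadow": shadow_hash(password, salt),
            # Kept only so the demo can prove the credential survives an update.
            "_provisioned_password": password}


def flash_update_flawed(device: dict, image: dict) -> None:
    """Updater that writes the whole image, credentials included. This is the
    'updates reset devices to the default password' behaviour."""
    device["version"] = image["version"]
    device["root_shadow"] = image["root_shadow"]


def flash_update_fixed(device: dict, image: dict) -> None:
    """Updater that replaces the root filesystem but leaves the credential
    partition untouched, so per-device passwords survive."""
    device["version"] = image["version"]


def audit_shared_credential(fleet: list, candidate: str) -> list:
    """Serials whose root entry verifies against one candidate password.
    Many hits for a single candidate is the fleet-wide finding in the article."""
    return [d["serial"] for d in fleet if verify(candidate, d["root_shadow"])]


def audit_duplicate_hashes(fleet: list) -> list:
    """Groups of serials with byte-identical shadow entries. Identical salt and
    password means the entry was copied from an image rather than generated."""
    groups: dict = {}
    for d in fleet:
        groups.setdefault(d["root_shadow"], []).append(d["serial"])
    return [g for g in groups.values() if len(g) > 1]


def run_demo() -> dict:
    """Provision three devices two ways, push the same image, and audit both fleets."""
    serials = ["YB-0001", "YB-0002", "YB-0003"]  # constructed serial numbers
    image = build_factory_image("2.0")

    flawed_fleet = [provision_device(s) for s in serials]
    before = audit_shared_credential(flawed_fleet, FACTORY_DEFAULT_PASSWORD)
    for d in flawed_fleet:
        flash_update_flawed(d, image)

    fixed_fleet = [provision_device(s) for s in serials]
    for d in fixed_fleet:
        flash_update_fixed(d, image)

    return {
        "before_update": before,
        "after_flawed_update": audit_shared_credential(flawed_fleet, FACTORY_DEFAULT_PASSWORD),
        "duplicate_groups_flawed": audit_duplicate_hashes(flawed_fleet),
        "after_fixed_update": audit_shared_credential(fixed_fleet, FACTORY_DEFAULT_PASSWORD),
        "own_credentials_intact": all(
            verify(d["_provisioned_password"], d["root_shadow"]) for d in fixed_fleet),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both audits are worth running on any fleet of Internet-connected devices, since they catch different things: the candidate-password check finds a shared default even when salts differ, and the duplicate-hash check finds credentials that were copied from an image without needing to know the password at all.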
Made in China, headquartered in New York
Yarbo operates publicly out of Ronkonkoma, New York, but traces back to Hanyang Tech in Shenzhen, China. That dual identity has drawn scrutiny as the security breach affects devices sold internationally.
Makris ultimately published his findings, including official CVE disclosures, before Yarbo had fully fixed the issues.
Critics question whether geographic ties affect persistent manufacturer access features in consumer hardware.
Yarbo co-founder Kenneth Kohlmann acknowledged the errors in a statement that, outside the US, is mainly reachable via VPN.
The company disabled remote diagnostic tunnels, reset root passwords, and limited unauthorized access points.
They also switched from shared passwords to device-specific credentials and promised a whitelist-based diagnostic model with revisions.
But neither Makris nor Hollister found these measures convincing. The company stopped short of removing manufacturer remote access entirely, promising tighter controls and audit logging instead.
“It controversially maintains an internal backdoor,” Hollister said in an assessment of the measures taken so far.
This decision has raised wider concerns about smart devices whose manufacturers retain persistent backdoor access and decline to close it.
Via Cybernews
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.