- Thousands of Yarbo lawnmowers exposed identical passwords in homes around the world
- Researchers remotely seized a 200-pound lawn mower outside a family residence
- GPS locations and WiFi passwords leaked from vulnerable lawnmower robots
Security researcher Andreas Makris has discovered a serious flaw in Yarbo robotic lawnmowers that allowed remote access using identical default administrator credentials on thousands of units.
These autonomous machines, equipped with cameras, GPS and AI-based mapping, operate in more than 30 countries without constant human supervision.
Makris demonstrated the vulnerability by accessing owners’ email addresses, Wi-Fi passwords and exact GPS locations, and by plotting a live map showing more than 11,000 devices around the world.
Linux devices waiting to be turned into weapons
Yarbo mowers run on Internet-connected Linux systems and operate much like exposed computers.
In theory, hackers could activate the blades remotely, scan nearby networks, or assemble the devices into a botnet for larger attacks.
Makris noted that units operating near critical sites, such as a major power plant, amplify potential risks to infrastructure.
The danger of this vulnerability was demonstrated during a live test for The Verge, in which the researcher took control of a 200-pound lawnmower operating outside a family home in upstate New York.
“The robot’s camera rotates to mirror each of those movements,” the report notes, warning: “There is little stopping it from driving wherever it wants, spying on this family.”
Reporter Sean Hollister stood in the mower’s path while it was driven from Germany, roughly 6,000 miles away, to test Yarbo’s earlier safety claims.
The experiment exposed the ease with which a stranger could control the device, overriding local controls without being detected.
Unfortunately, regular firmware updates failed to solve the main problem, as they reportedly reset the devices to the same weak default passwords.
Simple password changes alone cannot address the deeper architectural problems of these networked robots.
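The two failure modes described above, a shared default administrator password across every unit and firmware updates that silently reset devices back to it, are easy to check for once they are modelled. The following is an added example written for this article, not code from Yarbo or from the researcher: it provisions devices with either a shared default or a per-device random credential, audits a fleet against a list of known defaults, and shows how an update that clobbers the credential store reintroduces the flaw. The default password list, device IDs and hashing parameters are all invented for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical list of vendor defaults an auditor would test for.
# Constructed for this example; not Yarbo's actual credentials.
KNOWN_DEFAULTS = ["admin", "robot123", "123456"]


@dataclass
class Device:
    """Minimal model of a unit's stored administrator credential."""
    device_id: str
    salt: bytes
    pw_hash: bytes


def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so identical passwords do not produce identical hashes;
    # the audit therefore has to try the defaults rather than compare hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def provision_shared_default(device_id: str, default: str = "admin") -> Device:
    """The flawed pattern: every unit ships with the same administrator password."""
    salt = secrets.token_bytes(16)
    return Device(device_id, salt, hash_pw(default, salt))


def provision_unique(device_id: str) -> tuple[Device, str]:
    """Per-device credential: a random secret generated at provisioning time.

    The plaintext is returned once so it can be handed to the owner out of band;
    only the salted hash stays on the device.
    """
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    return Device(device_id, salt, hash_pw(password, salt)), password


def on_default(device: Device) -> bool:
    """True if the device's stored credential matches any known default."""
    return any(
        secrets.compare_digest(hash_pw(d, device.salt), device.pw_hash)
        for d in KNOWN_DEFAULTS
    )


def audit_fleet(devices) -> list[str]:
    """Return the IDs of devices still reachable with a known default password."""
    return [d.device_id for d in devices if on_default(d)]


def apply_firmware_update(device: Device, preserve_credentials: bool) -> Device:
    """Simulate the two update behaviours the article contrasts.

    A correct update leaves the credential store untouched; the reported
    behaviour re-provisions the unit with the shared default, undoing any
    password change the owner made.
    """
    if preserve_credentials:
        return device
    return provision_shared_default(device.device_id)


if __name__ == "__main__":
    fleet = [provision_shared_default(f"mower-{i}") for i in range(3)]
    print("on defaults:", audit_fleet(fleet))
    dev, owner_pw = provision_unique("mower-9")
    print("unique unit flagged:", audit_fleet([dev]))
    regressed = apply_firmware_update(dev, preserve_credentials=False)
    print("after reset-style update:", audit_fleet([regressed]))
```

Run against a real inventory, the audit would take each device's credential record rather than constructing it; the point is that checking for defaults has to be repeated after every update, because an update that re-provisions the credential store erases the owner's password change without any visible sign.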
Made in China, based in New York
Yarbo operates publicly out of Ronkonkoma, New York, but can be traced back to Hanyang Tech in Shenzhen, China, a dual identity that has drawn scrutiny amid the security flaw affecting devices sold internationally.
The revelation led Makris to release his findings, including official CVE disclosures, before Yarbo had fully fixed the issues.
Critics question whether geographic ties influence the persistence of manufacturers’ access features in consumer hardware.
Yarbo co-founder Kenneth Kohlmann acknowledged the flaws in a statement that is primarily accessible via VPN outside the US.
The company disabled remote diagnostic tunnels, reset root passwords, and restricted unauthenticated entry points.
They also moved from shared passwords to device-specific credentials and promised a whitelist-based diagnostic model with audits.
However, neither Makris nor Hollister found these measures convincing. The company stopped short of completely eliminating remote manufacturer access and instead promised tighter controls and audit logs.
“It controversially maintains an internal backdoor,” Hollister said in an assessment of the measures taken so far.
That decision has fueled broader concerns about smart devices that retain backdoor-style persistent manufacturer access, and about vendors that decline to close such hidden access points.
Via Cybernews