Robot Mower Vulnerability May Compromise Home Network Security

A recent security report reveals that Yarbo robot mowers may expose home networks to serious vulnerabilities, including remote access and Wi-Fi password theft, affecting approximately 6,000 devices.

A robot mower is often seen as a convenient tool that simplifies yard maintenance. It cuts grass, saves time, and quietly performs a task many homeowners prefer to avoid. However, a new independent security report raises significant concerns about potential vulnerabilities associated with these devices. Security researcher Andreas Makris has identified serious flaws in Yarbo robots, which include autonomous lawn mowers and snow blowers, that could allow for remote access, live camera feeds, and Wi-Fi credential theft from home networks.

According to the report, around 6,000 Yarbo robots are affected by these vulnerabilities. In response, Yarbo has acknowledged the core technical findings and stated that it is in the process of rolling out security fixes. This situation prompts critical questions about the level of access smart yard devices should have within a homeowner’s network.

Makris explains that Yarbo robots are shipped with a persistent remote access configuration that utilizes a tunnel to connect to the device over the internet. The report indicates that these robots also come with a hardcoded root password that is shared across the entire fleet, along with a remote connection method linked to the robot’s serial number. This “root” access grants deep control over the device, essentially providing administrator-level access to the system. Alarmingly, the remote tunnel operates automatically, can restart itself if interrupted, and may re-establish itself if removed, leaving owners without a straightforward way to disable it.

While smart devices typically require internet connectivity for app controls, software updates, diagnostics, and support, Makris argues that Yarbo’s design creates a riskier scenario. He claims that remote access appears to be built into every robot, rather than being activated only when an owner seeks assistance. An attacker with the right information could potentially access a robot remotely, manipulate its internal functions, and use it as a foothold within the owner’s network.

Furthermore, the report highlights that Yarbo robots are equipped with multiple camera feeds. If an attacker were to gain root access through the remote tunnel, they could potentially view the robot’s surroundings, including driveways, backyards, entryways, and garages—areas where families often spend time. For homeowners, this concern extends beyond a mere glitch; a camera-equipped device located outside the home warrants the same level of scrutiny as an indoor camera.

Additionally, the report indicates that an attacker with root access could extract saved Wi-Fi credentials from the robot’s system. This poses a serious threat, as many households operate on a single main Wi-Fi network that connects various devices, including phones, laptops, tablets, smart TVs, and security systems. Once an attacker obtains the Wi-Fi password, they could potentially access other connected devices or exploit vulnerabilities that were not intended to be exposed to the internet. This underscores the importance of scrutinizing connected outdoor equipment.

In response to the findings, Yarbo issued a statement on its Security Center page, acknowledging the serious vulnerabilities identified in its remote diagnostic, credential management, and data-handling systems. Co-founder Kenneth Kohlmann confirmed that the “core technical findings are accurate” and recognized that the company’s initial response did not adequately reflect the severity of the issues.

Yarbo attributed the problems primarily to historical design choices in its remote diagnostic and access management systems. The company also noted that some legacy support tools lacked adequate visibility and control for users, and that certain authentication and credential systems fell short of current security standards.

Since the report’s publication, Yarbo has implemented several remediation measures. The company has retired historical fleet-level root credentials, revoked shared remote-access credentials, and disabled related server-side connection paths. Updated versions of the Yarbo mobile app no longer contain static credentials or embedded access mechanisms capable of authenticating against backend services. Yarbo has also removed unnecessary reporting scripts, legacy dependencies, and non-essential network configurations.

Despite these efforts, Yarbo acknowledges that further work remains. The company is in the process of rebuilding its credential management system to replace any remaining shared-credential models with individually scoped, per-device credentials. Each credential will support independent rotation and revocation.
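As an added illustration (not Yarbo's code), here is the contrast between the shared, fleet-wide credential the report describes and the per-device model Yarbo says it is building: revoking or rotating one robot's credential has no effect on any other robot. Device ids and secrets are constructed for the example.

```python
import hmac
import secrets
from hashlib import sha256


class SharedCredentialFleet:
    """One secret for every robot: a single leak exposes the whole fleet,
    and revoking it locks every robot out at once."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # constructed fleet secret
        self.revoked = False

    def authenticate(self, device_id, presented):
        # device_id is ignored: the credential is not scoped to a robot
        return not self.revoked and hmac.compare_digest(presented, self.secret)

    def revoke(self):
        self.revoked = True


class PerDeviceCredentialStore:
    """One secret per robot, stored only as a salted hash, with independent
    rotation (new secret, bumped version) and revocation per device."""

    def __init__(self):
        self._records = {}  # device_id -> (salt, hash, version, revoked)

    @staticmethod
    def _hash(salt, secret):
        return sha256(salt + secret).digest()

    def issue(self, device_id):
        salt = secrets.token_bytes(16)
        secret = secrets.token_bytes(32)
        version = self._records.get(device_id, (None, None, 0, None))[2] + 1
        self._records[device_id] = (salt, self._hash(salt, secret), version, False)
        return secret  # handed to exactly one robot; the server keeps only the hash

    def rotate(self, device_id):
        return self.issue(device_id)  # old secret stops working immediately

    def revoke(self, device_id):
        salt, h, version, _ = self._records[device_id]
        self._records[device_id] = (salt, h, version, True)

    def authenticate(self, device_id, presented):
        rec = self._records.get(device_id)
        if rec is None or rec[3]:
            return False
        salt, h, _, _ = rec
        return hmac.compare_digest(self._hash(salt, presented), h)
```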

The report also raises concerns about connections involving Hanyang Tech, Yarbo’s Shenzhen-based parent company, as well as ByteDance Feishu, Tencent TDMQ, and Chinese DNS resolvers. Makris notes that some telemetry data from the robots may be sent to ByteDance’s Feishu platform, and that certain infrastructure choices are embedded within the firmware.

Transparency is a critical issue. Owners should be informed about where their devices send data, which companies can access it, and whether those connections are essential for normal operation. This level of clarity is especially vital for devices equipped with cameras, location data, and access to home networks.

If you own a Yarbo robot, this report serves as a reminder to treat it like any other connected device that has access to your home Wi-Fi. Yarbo has stated that it is pushing security updates automatically to connected devices, so owners should ensure their robots are connected long enough to receive the latest updates. Afterward, consider moving the device to a guest network or an isolated smart-device network.

To enhance security, homeowners are advised to avoid keeping their robot mower on the same network as their laptops, phones, or security cameras. Utilizing a guest network or a separate smart-device network, if supported by the router, can help mitigate risks. If the robot has connected to the main Wi-Fi network and there are concerns about exposure, changing the Wi-Fi password to a strong, unique one is recommended. Additionally, reviewing connected devices through the router app or admin page can help identify and remove any unfamiliar devices.

Yarbo emphasizes that security updates are delivered automatically once devices connect to the internet. Owners should connect their robots through a guest network or isolated smart-device network to receive updates without compromising their main devices.

The findings regarding Yarbo robots highlight the need for vigilance when it comes to smart home devices. While a robot mower may appear to be a helpful tool, it can function like a connected computer with cameras, location data, and access to your network. The primary concern is control—owners must understand who can access their devices, when remote access is activated, and whether they can disable it. Trusting a device that operates as a “black box” on your Wi-Fi network is not advisable. If you own one of these robots, consider isolating it from your main network and seek clear answers from Yarbo regarding security measures.

For those considering the purchase of smart yard devices, it is crucial to inquire about security features before focusing on battery life.

For more information, visit Yarbo’s Security Center at yarbo.com/pages/yarbo-security-center for ongoing updates and verified information.

According to CyberGuy, the Yarbo report serves as a crucial reminder that convenience can come with hidden risks.
