Yarbo patches mower flaws after researcher hijacks devices

Yarbo patched security flaws after Andreas Makris remotely hijacked thousands of yard robots by exploiting hardcoded root passwords, open diagnostic tunnels and weak MQTT access.

Security researcher Andreas Makris found he could remotely take control of thousands of Yarbo yard robots worldwide. Makris demonstrated the risk by operating a mower and allowing it to run over him, a test he used to show the severity of the vulnerabilities.

Makris’s audit identified three primary engineering failures. Every robot used the same hardcoded root password. Remote diagnostic tunnels were left open on devices. The Message Queuing Telemetry Transport (MQTT) system lacked sufficient authentication. Together, these issues let an attacker who controlled a single device reach the wider fleet.

An attacker with access could obtain owners’ GPS coordinates and email addresses, harvest Wi‑Fi passwords, view live camera feeds and, in some cases, re‑arm cutting blades after an emergency stop had been used. Makris reported the devices relied on a persistent backdoor tunnel that users could not see or control.

Yarbo acknowledged the findings and published a remediation plan. As immediate measures, the company temporarily disabled remote diagnostic tunnels, reset root passwords, closed unauthenticated endpoints and removed unnecessary legacy access paths. Yarbo credited the researcher and issued an apology to customers in its public disclosure.

For longer-term changes, Yarbo outlined a set of architectural updates. The company plans to roll out unique per‑device credentials, support over‑the‑air credential rotation, implement audited allowlist‑based remote diagnostics and establish a dedicated security contact. Yarbo also indicated it may introduce a bug bounty program. The company chose to retain a managed remote access tunnel but said it would place that channel under stricter controls and logging rather than offer a full opt‑out.
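The fleet-wide reach described above (one shared root credential and weak MQTT access letting a single compromised unit address the others) and the per-device credentials with rotation in the remediation plan, modelled as an added example in Python that is not Yarbo's code: the device ids, topic names, the device-scoped topic rule and the sample secret are constructed assumptions, not details from the disclosure.

```python
import hashlib
import hmac
import secrets

def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 so a dumped credential table does not hand out usable secrets
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Weak model from the article: one root secret for every unit, no topic scoping
SHARED_ROOT_SECRET = "constructed-shared-secret"  # constructed sample value

def weak_authorize(secret: str, topic: str) -> bool:
    return secret == SHARED_ROOT_SECRET  # any topic, any unit

class FleetAuthz:
    """Remediated model: unique per-device credential, device-scoped topics."""
    def __init__(self) -> None:
        self._creds = {}  # device_id -> (salt, pbkdf2 hash)

    def enroll(self, device_id: str) -> str:
        # Issues a fresh secret; calling it again is the rotation path
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._creds[device_id] = (salt, _hash(secret, salt))
        return secret

    def _authenticate(self, device_id: str, secret: str) -> bool:
        salt, expected = self._creds.get(device_id, (b"", b""))
        return hmac.compare_digest(_hash(secret, salt), expected)

    def authorize(self, device_id: str, secret: str, topic: str) -> bool:
        # Only topics under the unit's own prefix (assumed layout): no fleet-wide reach
        if not self._authenticate(device_id, secret):
            return False
        return topic.startswith(f"robots/{device_id}/")

def demo() -> dict:
    authz = FleetAuthz()
    secret_a = authz.enroll("robot-A")
    authz.enroll("robot-B")
    own, other = "robots/robot-A/telemetry", "robots/robot-B/cmd"
    results = {
        "weak_cross_device": weak_authorize(SHARED_ROOT_SECRET, other),
        "own_topic": authz.authorize("robot-A", secret_a, own),
        "cross_device": authz.authorize("robot-A", secret_a, other),
    }
    new_secret_a = authz.enroll("robot-A")  # over-the-air rotation
    results["old_after_rotation"] = authz.authorize("robot-A", secret_a, own)
    results["new_after_rotation"] = authz.authorize("robot-A", new_secret_a, own)
    return results
```

Under the weak model the shared secret reaches every unit's topics; under the remediated one a unit's credential only opens its own prefix and stops working the moment it is rotated.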

The vulnerabilities mirror the sorts of failures cited in federal guidance on IoT device security, including the National Institute of Standards and Technology recommendations and provisions in the IoT Cybersecurity Improvement Act. Those sources emphasize avoiding default credentials, closing undocumented access channels and using authenticated device-to-cloud connections.

Makris advised owners to apply vendor updates, change default passwords and, where possible, isolate IoT devices on a separate guest Wi‑Fi network or VLAN. The researcher also recommended disabling unnecessary services such as UPnP and cloud remote control when users do not need them.

Yarbo’s disclosure included a timeline of fixes and said the company will continue reviewing its device architecture. The vendor’s decision to keep a controlled remote access channel may prompt further scrutiny from users and security professionals as the company rolls out its planned changes.
