Critical security flaws expose thousands of Australian homes to remote hijacking via Yarbo robot lawn mowers
Investigations reveal hardcoded root passwords and intentional backdoors in devices operated by Shenzhen-based Hanyang Tech, prompting urgent calls for stricter safety protocols in the smart home sector.

Security researcher Andreas Makris has demonstrated that Yarbo robot lawn mowers can be remotely hijacked from thousands of miles away, bypassing physical safety features and emergency stops. In a controlled test, Makris drove a 200-pound robot over a person lying in its path, proving that attackers can access live video feeds, spy on homes, and steal Wi-Fi passwords. The demonstration highlighted that the devices, which include cameras and GPS, allow hackers to override local controls and access owner email addresses.
The investigation into the vulnerabilities revealed that the company uses a hardcoded root password that resets to the default value after every firmware update. Furthermore, the devices include an intentional, non-disableable remote-access backdoor deployed on every unit. These security gaps mean that even if a homeowner presses the emergency stop button on the mower itself, a hacker can send a remote command to unlock it. Because the Yarbo functions as a full Linux computer, attackers could remotely reprogram the device to spin up blades or probe the home network.
Makris tracked over 11,000 Yarbo devices worldwide, with approximately 5,400 located in the United States and Europe. Yarbo claims US headquarters, but its actual corporate identity is linked to Shenzhen-based Hanyang Tech in China. The firm has promised to implement customer approval mechanisms and audit logging but denies that any unauthorised access has occurred to date, stating that its diagnostic environment is restricted to internal staff.
The severity of the flaw has drawn comparisons from security experts to a chainsaw without a handguard or brake. Matt Petach, a retired network architect, noted that homeowners are invited to treat technology as a confident helper despite the risks. He emphasised that the lack of safety features and the persistence of the backdoor create a scenario where gadgets should be treated as hostile agents rather than trusted assistants.
Yarbo was founded in 2015 as a robot snowblower company and sells modular yard robots that can function as mowers, leaf blowers, snowblowers, trimmers, and edgers. Previous security research by Sammy Azdoufal revealed similar remote-control vulnerabilities in DJI Romo robot vacuum cleaners, suggesting a broader issue within the industry. The Verge previously attempted to review Yarbo products but faced unusual requests for non-disparagement clauses and conditions on negative reviews.
Despite the findings, Yarbo maintains that the diagnostic environment is not publicly accessible and requires internal role-based authorisation. However, researchers argue that the hardcoded password flaw and the intentional backdoor represent a fundamental design failure. Makris decided to publish his research, including official CVE vulnerability disclosures, without giving the firm time to fix the problem first, aiming to warn the public about the risks.


