Yarbo shifts policy to make robot lawn mower remote access an opt-in feature
The manufacturer is moving the remote diagnostic capability from a default setting to an opt-in option, allowing customers to decide whether to install a temporary one-time tunnel for troubleshooting.

Yarbo has announced a significant policy shift regarding the security architecture of its robot lawn mowers, pledging to remove the intentional remote backdoor that previously allowed authorised internal personnel to access devices remotely. This decision marks a departure from the company's initial stance, which maintained that a persistent backdoor was necessary to facilitate quick troubleshooting when physical inspection was not practical.
Co-founder Kenneth Kohlmann confirmed to The Verge that the feature will no longer be enabled by default. Instead, customers will decide whether the remote access functionality is installed at all. The new approach requires an explicit opt-in from the user, who then triggers a setup script that installs a temporary one-time tunnel for remote assistance.
The move comes in direct response to security concerns raised by researcher Andreas Makris. Makris previously demonstrated how the existing vulnerabilities allowed him to hijack the bladed robots remotely, exposing sensitive data such as email addresses and GPS locations. Following these revelations, Yarbo acknowledged the severity of the issue and committed to addressing the security holes that enabled such remote reprogramming.
To support this transition, the company is rolling out firmware updates that set a unique root password on each device, which Yarbo will not provide to end users. These updates have already been deployed to the first 1,000 machines, with further waves scheduled for additional units. Kohlmann noted that the required files for the new version may still technically reside on the robot's internal storage, but they will remain inactive unless the user actively triggers the connection.
Yarbo has stated it is now in contact with Andreas Makris to validate the security changes, though the timeline for full verification remains unspecified. While the company warns that it may be difficult for customers to independently verify the removal of the backdoor, the shift to an opt-in model represents a substantive change in how the manufacturer balances remote support capabilities with user privacy and device security.


