A recent security incident where a researcher remotely hijacked a Yarbo robot mower and ran over a journalist uncovered serious vulnerabilities in the company's devices. In response, Yarbo has issued a comprehensive plan to address the security flaws, temporarily disabling remote access and promising firmware updates. Below, we answer key questions about the breach, the company's response, and what users should know.
What security vulnerabilities were discovered in Yarbo's robot mowers?
Security researcher Dennis Giese discovered that Yarbo's robot mowers had multiple critical flaws. The devices lacked proper authentication for remote commands, allowing anyone with network access to send malicious instructions. The mowers used hardcoded credentials and insecure protocols, making it trivial to intercept communications. Additionally, the cloud infrastructure had weak access controls, meaning an attacker could enumerate all devices and their owners' data. These issues meant that a casual hacker could take full control of any Yarbo mower, including starting its blades and driving it remotely. The company confirmed the findings and acknowledged that the vulnerabilities were self-created due to poor design choices.
How did the security researcher demonstrate the vulnerability?
Giese demonstrated the exploit by taking control of a Yarbo mower from a remote location. He drove the mower toward the journalist, ultimately running over his foot. The hack required no physical access to the device—only a network connection to the internet. Giese used a custom script to bypass the authentication system, sending commands directly to the mower via the cloud server. The demonstration highlighted how easily an attacker could cause physical harm. Yarbo later confirmed that the researcher's findings were accurate and that similar exploits could be used against any of their connected mowers. The company praised the researcher for responsible disclosure and used the incident to accelerate their security overhaul.
What data was exposed by the vulnerabilities?
The vulnerabilities exposed a wide range of sensitive user data. Geolocation coordinates of every mower were publicly accessible, allowing anyone to pinpoint the exact location of a device—and often its owner's home. Wi-Fi network credentials, including SSIDs and passwords, were transmitted in plaintext and stored insecurely. Email addresses associated with each device were also leaked, enabling phishing attacks. Furthermore, the cloud API returned extensive device information such as firmware versions and serial numbers, which could be used to target specific models. Yarbo confirmed that this data was inadvertently accessible to any attacker who knew how to query their servers. The company has since revoked API access pending a complete redesign.
How did Yarbo respond to the security findings?
Yarbo issued a detailed 1,200-word response confirming all of the researcher's findings. The company apologized for the security lapses and published a multi-stage remediation plan. They immediately disabled remote access to all mowers via the cloud, preventing any further remote commands while they work on fixes. Yarbo also thanked the researcher for responsible disclosure and promised to establish a bug bounty program. The response was seen as transparent and proactive, though some critics noted that such vulnerabilities should never have existed in a consumer product. Yarbo emphasized that user safety is their top priority and that they are reworking their entire platform from the ground up.
What immediate actions did Yarbo take to protect users?
Yarbo's first action was to shut down the remote-access API that allowed the exploit. This effectively made all mowers offline-only, disabling features like remote start and scheduling. They also forced a firmware update on all connected devices to patch the most critical vulnerabilities, including hardcoded credentials. Additionally, they reset all user passwords and invalidated existing authentication tokens. Customers were advised to update their mobile apps and change their Wi-Fi network passwords as a precaution. Yarbo set up a dedicated security hotline and email for users to report issues. These steps were intended to stop active attacks while the company works on a long-term security architecture.
What is Yarbo's long-term plan to fix the issues?
Yarbo outlined a three-phase remediation plan. Phase 1, already completed, involved closing the remote access hole and issuing emergency patches. Phase 2 focuses on redesigning the cloud infrastructure: implementing OAuth2 for authentication, encrypting all data in transit and at rest, and adding robust access controls. Phase 3 will introduce over-the-air firmware updates with cryptographic signing, a public vulnerability disclosure program, and regular third-party security audits. The company also plans to hire a dedicated security team and adopt industry-standard practices like secure coding reviews. Yarbo has not provided a timeline for completion but stated that safety will not be compromised for speed. They pledged to keep users updated through their website and app.
What does this mean for users of Yarbo robot mowers?
Current users can continue using their mowers in offline mode, which limits functionality but ensures safety. Yarbo advised against re-enabling remote access until the new system is live. Users should change their Wi-Fi passwords and avoid using the same credentials across services. The incident serves as a reminder that connected devices can pose serious security risks. Yarbo has promised that all future devices will undergo rigorous security testing before release. For those concerned about privacy, the company will offer an option to disable all cloud connectivity permanently. Despite the scare, many users appreciated Yarbo's honest response and commitment to fixing the problems rather than hiding them. The company has promised refunds for anyone who wants to return their mower.
How can users protect themselves in the meantime?
Until Yarbo completes its security overhaul, users should take several precautions. First, keep the mower offline by disconnecting it from the internet via the app or by physically disabling the Wi-Fi module. Change your home Wi-Fi network password immediately, especially if you reused it on other devices. Monitor your Yarbo account for any suspicious activity and ensure you have a strong, unique password. Do not enable remote access features until Yarbo explicitly announces they are secure. Consider segmenting your IoT devices on a separate network. Yarbo also recommends reading their security advisory on their website for the latest guidance. While these steps may be inconvenient, they significantly reduce the risk of a malicious takeover until a permanent fix arrives.