China-linked New York robotics firm issues fix after hacker remotely hijacks thousands of lawn mowers



A US-based robotics firm with ties to China has rushed out security fixes after an ethical hacker revealed that thousands of its internet-connected robotic lawn mowers could be hijacked remotely using the same built-in administrator password.

Sold in more than 30 countries, Yarbo’s lawn mower is a large, autonomous, internet-connected robotic yard machine that uses cameras, GPS and AI-assisted mapping to cut grass without a human operator.

On Thursday, security researcher Andreas Makris revealed that he had found a flaw in Yarbo robots that allowed access to owners’ email addresses, WiFi passwords and precise GPS locations.


He even built a vibe-coded live map plotting more than 11,000 devices worldwide.

In a demonstration for The Verge, Makris remotely took over a mower already operating outside a family home in upstate New York.

“The robot’s camera turns to reflect each of those moves,” the report noted, warning: “There’s little to keep him from driving anywhere he likes, spying on this family.”

Makris also identified multiple Yarbo units operating close to critical infrastructure sites, including near a major power plant.

Army of Linux-operated bladerunners

The researcher warned the issue could not simply be fixed by changing passwords, as firmware updates allegedly restored devices to the same default credentials.

Because the robots effectively function as internet-connected Linux computers, the implication is that hackers could, in theory, spin up the blades, probe home computers and turn these devices into a botnet.


To challenge Yarbo’s earlier assurance that devices remained secure, Verge reporter Sean Hollister even lay in the path of a 200-pound mower while Makris remotely controlled it from Germany, 6,000 miles away.

Made in China

Yarbo itself is actually another name for Hanyang Tech, which is based in Shenzhen, China, although it presents publicly as a New York-based robotics company with US headquarters in Ronkonkoma, New York.

According to a report on X, the experiment prompted Makris to publish his research, including official CVE vulnerability disclosures, without giving Yarbo time to fix the problem first.

In response to the report, Yarbo co-founder Kenneth Kohlmann issued a lengthy security statement – which was only possible to access outside the US via a VPN – that admitted the technical findings were accurate and apologized for the company’s security failures.

He said that Yarbo had:

  • Temporarily disabled the relevant remote diagnostic tunnels
  • Reset root passwords
  • Restricted unauthenticated access points
  • Begun replacing its shared password system with “device-level independent credential mechanisms”
  • Pledged to introduce an “allowlist-based, user-authorized, and auditable remote diagnostic model”
  • Launched a new response channel for vulnerability reports and responsible disclosure, and begun exploring the establishment of a formal bug bounty program
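To make concrete why a fleet-wide shared root password is the core problem, and what the "device-level independent credentials" and "allowlist-based, user-authorized, and auditable" diagnostics promised above would change, here is an added Python illustration. It is not Yarbo's code and does not reflect how its firmware works; the serial numbers, the placeholder default password, the technician IDs and the timestamps are all constructed for the example. It models the blast radius of one leaked credential under each design, a firmware update that either preserves or clobbers the per-device credential (the failure mode the researcher described), and a remote-diagnostic gate that only opens for an owner-granted, time-limited authorization and logs every decision.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample fleet: serials are made up for the illustration.
FLEET_SERIALS = ["YB-000101", "YB-000102", "YB-000103"]
SHARED_DEFAULT = "factory-default"  # placeholder, not any real device's password


@dataclass
class Device:
    serial: str
    root_credential: str
    firmware: str = "1.0"


def provision_shared(serials):
    """Weak design: every unit ships with the same root password."""
    return [Device(s, SHARED_DEFAULT) for s in serials]


def provision_per_device(serials):
    """Device-level independent credentials: a fresh random secret per unit,
    generated at provisioning and recorded against the serial only."""
    return [Device(s, secrets.token_urlsafe(24)) for s in serials]


def devices_opened_by(fleet, leaked_credential):
    """Blast radius of one leaked password: which units does it log into?"""
    return [d.serial for d in fleet
            if secrets.compare_digest(d.root_credential, leaked_credential)]


def update_firmware(device, version, credential_store_persistent=True):
    """Apply a firmware update. If the credential lives inside the image rather
    than in a partition the update leaves alone, the update silently reinstates
    the factory default, so a password change does not survive."""
    device.firmware = version
    if not credential_store_persistent:
        device.root_credential = SHARED_DEFAULT
    return device


@dataclass
class DiagnosticGrant:
    technician_id: str
    expires_at: int          # unix time; grants are time-limited
    granted_by_owner: bool   # manufacturer cannot self-authorize


@dataclass
class DiagnosticGate:
    grants: dict = field(default_factory=dict)   # serial -> list of grants
    audit_log: list = field(default_factory=list)

    def owner_authorizes(self, serial, technician_id, now, ttl_seconds):
        """The owner allowlists one technician for one device for a window."""
        self.grants.setdefault(serial, []).append(
            DiagnosticGrant(technician_id, now + ttl_seconds, True))

    def open_session(self, serial, technician_id, now):
        """Open the remote tunnel only for an allowlisted technician holding an
        unexpired, owner-granted authorization; record every decision."""
        allowed = any(g.technician_id == technician_id
                      and g.granted_by_owner
                      and now < g.expires_at
                      for g in self.grants.get(serial, []))
        self.audit_log.append({"serial": serial, "technician": technician_id,
                               "at": now, "allowed": allowed})
        return allowed


if __name__ == "__main__":
    shared = provision_shared(FLEET_SERIALS)
    print("shared default opens:", devices_opened_by(shared, SHARED_DEFAULT))
    per = provision_per_device(FLEET_SERIALS)
    print("one leaked per-device credential opens:",
          devices_opened_by(per, per[0].root_credential))
    gate = DiagnosticGate()
    gate.owner_authorizes("YB-000101", "tech-7", now=1000, ttl_seconds=3600)
    print("in window:", gate.open_session("YB-000101", "tech-7", now=2000))
    print("expired:", gate.open_session("YB-000101", "tech-7", now=5000))
    print("audit entries:", len(gate.audit_log))
```

The point of the gate is that the manufacturer's path in is no longer a standing capability: without an owner-issued, unexpired grant for that specific serial, the tunnel does not open, and the audit log records refusals as well as successes so an owner or auditor can see every attempt.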

However, the response has not convinced Makris and Hollister, who argued that the company stopped short of removing manufacturer remote access entirely, instead promising tighter controls and audit logging.


“It controversially retains an internal backdoor,” Hollister writes in a follow-up article, published Friday.

That has fueled wider concerns about smart devices with persistent backdoor-style access. As Hollister writes, it’s “just one particularly egregious example in an ocean of insecure devices.”
