Attack of the AI lawnmowers? Yarbo forced to patch products after experts reveal method to remotely hijack thousands of devices
Date:
Fri, 15 May 2026 22:20:00 +0000
Description:
A cybersecurity flaw in Yarbo robotic mowers exposed thousands of internet-connected devices to spying, hijacking, infrastructure, and surveillance risks.
FULL STORY ======================================================================

- Thousands of Yarbo lawnmowers exposed identical passwords across homes worldwide
- Researchers remotely hijacked a 200-pound mower outside a family residence
- GPS locations and WiFi passwords leaked from vulnerable robotic lawnmowers

Security researcher Andreas Makris has uncovered a serious flaw in the Yarbo robotic lawnmowers that allowed remote access using identical default administrator credentials across thousands of units.
These autonomous machines, equipped with cameras, GPS, and AI mapping, operate worldwide in over 30 countries without constant human oversight. Makris demonstrated the vulnerability by accessing owner email addresses, Wi-Fi passwords, and exact GPS locations, and by plotting a live map showing more than 11,000 devices globally.

Linux Devices waiting to be weaponised

Yarbo mowers run on Linux systems connected to the internet, functioning much like exposed computers.
Hackers could theoretically activate blades remotely, scan nearby networks,
or assemble the devices into a botnet for larger attacks.
Makris noted that units operating near critical sites, such as a major power plant, amplify potential risks to infrastructure.
The danger of this vulnerability was showcased during a live test for The Verge, in which a 200-pound mower operating outside a family home in upstate New York was remotely taken over.
"The robot's camera turns to reflect each of those moves," the report noted, warning: "There's little to keep him from driving anywhere he likes, spying on this family."
Reporter Sean Hollister lay in the mower's path from Germany, roughly 6,000 miles away, to test Yarbo's prior security claims.
The experiment exposed how easily an outsider could command the device, overriding local controls without detection.
Unfortunately, regular firmware updates failed to resolve the core issue, as they reportedly reset devices to the same weak default passwords.
Simple password changes alone cannot address the deeper architectural problems in these networked robots.

Made in China, headquartered in New York

Yarbo operates publicly from Ronkonkoma, New York, but traces back to Hanyang Tech in Shenzhen, China, a dual identity which has sparked scrutiny amid the security lapse affecting devices sold internationally.
The revelation prompted Makris to release his findings, including official
CVE disclosures, before Yarbo fully patched the issues.
Critics question whether geographic ties influence the persistence of manufacturer access features in consumer hardware.
Yarbo co-founder Kenneth Kohlmann acknowledged the flaws in a statement accessible mainly via VPN outside the US.
The company disabled remote diagnostic tunnels, reset root passwords, and restricted unauthenticated entry points.
They also shifted from shared passwords to device-specific credentials and promised an allowlist-based diagnostic model with audits.
However, neither Makris nor Hollister found these measures convincing. The company stopped short of removing manufacturer remote access entirely,
instead promising tighter controls and audit logging.
"It controversially retains an internal backdoor," Hollister said in an assessment of the measures taken so far.
That decision has fuelled wider concerns about smart devices with persistent backdoor-style access whose manufacturer has refused to close hidden access points.
Via Cybernews
======================================================================
Link to news story:
https://www.techradar.com/pro/security/attack-of-the-ai-lawnmowers-yarbo-forced-to-patch-products-after-experts-reveal-method-to-remotely-hijack-thousands-of-devices
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)