A robotic lawnmower weighing nearly a hundred kilograms sounds like the ideal convenience for effortless yard maintenance, until an adversary on the other side of the world orders the bladed machine to drive over a person. That is exactly the experiment The Verge journalist Sean Hollister ran to validate ethical hacker Andreas Makris’s findings about vulnerabilities in the Yarbo system.
Hollister lay on the ground in the mower’s path while Makris, working from Germany, took remote control. The machine drove forward and climbed onto the journalist’s torso; it would have run its blades across his body had the researcher not aborted the command in time. Hollister was unhurt, but the demonstration made the systemic failure plain: internet-connected machinery with physically hazardous mechanisms demands a level of security far beyond that of an ordinary smart appliance.
Makris says he could take control of every Yarbo robot because the units were “entirely defenseless.” According to the researcher, even pressing the physical emergency stop button offered no lasting protection, since a remote operator could simply send a new command to set the robot moving again. The most alarming finding concerned the root password: every Yarbo device shared the same static credential.
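The emergency-stop failure mode described above, as an added illustration that is not Yarbo’s firmware and does not describe its actual code: a minimal C model of a motion-command handler in which any “resume” command, including one sent remotely, clears the emergency stop (the weak design), beside one in which only the physical control path can clear the latch and remote motion commands are refused while it is set. All type, function and command names here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical command set and command sources (not Yarbo's protocol). */
typedef enum { CMD_MOVE, CMD_STOP, CMD_RESUME } cmd_t;
typedef enum { SRC_LOCAL_BUTTON, SRC_REMOTE } source_t;

typedef struct {
    bool estop_latched;   /* set when a stop is issued; the safety latch */
    bool motors_enabled;  /* whether MOVE commands are acted upon */
} robot_t;

/* Weak design: RESUME from any source clears the latch and re-arms the
 * motors, so a remote operator can undo a physical emergency stop.
 * Returns true when the command was accepted (for MOVE: motion happens). */
bool weak_handle(robot_t *r, cmd_t cmd, source_t src) {
    (void)src;  /* source is never consulted */
    switch (cmd) {
    case CMD_STOP:   r->estop_latched = true;  r->motors_enabled = false; return true;
    case CMD_RESUME: r->estop_latched = false; r->motors_enabled = true;  return true;
    case CMD_MOVE:   return r->motors_enabled;
    }
    return false;
}

/* Hardened design: STOP is honoured from anywhere, but the latch can only
 * be cleared from the physical control path, and MOVE is refused while the
 * latch is set regardless of who sent it. */
bool safe_handle(robot_t *r, cmd_t cmd, source_t src) {
    switch (cmd) {
    case CMD_STOP:
        r->estop_latched = true; r->motors_enabled = false; return true;
    case CMD_RESUME:
        if (src != SRC_LOCAL_BUTTON) return false;  /* remote reset refused */
        r->estop_latched = false; r->motors_enabled = true; return true;
    case CMD_MOVE:
        if (r->estop_latched) return false;
        return r->motors_enabled;
    }
    return false;
}

/* Scenario from the article: the owner hits the physical button, then a
 * remote attacker sends RESUME followed by MOVE. Returns true if the
 * attacker got the robot moving again. */
bool attacker_moves_after_estop(bool (*handler)(robot_t *, cmd_t, source_t)) {
    robot_t r = { false, true };
    handler(&r, CMD_STOP, SRC_LOCAL_BUTTON);
    handler(&r, CMD_RESUME, SRC_REMOTE);
    return handler(&r, CMD_MOVE, SRC_REMOTE);
}

/* Legitimate path: the owner clears the stop at the machine, after which
 * remote operation resumes. Both designs must return true here. */
bool owner_resumes_after_estop(bool (*handler)(robot_t *, cmd_t, source_t)) {
    robot_t r = { false, true };
    handler(&r, CMD_STOP, SRC_LOCAL_BUTTON);
    handler(&r, CMD_RESUME, SRC_LOCAL_BUTTON);
    return handler(&r, CMD_MOVE, SRC_REMOTE);
}

int main(void) {
    printf("weak: attacker moves after e-stop = %d\n", attacker_moves_after_estop(weak_handle));
    printf("safe: attacker moves after e-stop = %d\n", attacker_moves_after_estop(safe_handle));
    printf("safe: owner can still resume      = %d\n", owner_resumes_after_estop(safe_handle));
    return 0;
}
```

The model only captures the command-path policy; on a real machine the latch belongs in a hardware interlock that cuts motor power, so that no software state, remote or local, can re-energise the blades until the physical control is cleared.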
With a shared credential, an attacker gains access not to a single mower but to the entire fleet. Makris mapped more than 11,000 Yarbo units worldwide, a global network of connected machines moving across private property with active blades. The consequences go well beyond mischief: taking control opens the way to physical injury, surveillance, theft of the hardware, and exfiltration of sensitive data.
The physical danger was only one facet of the problem. Makris showed that the same vulnerabilities could be used to harvest owners’ email addresses, Wi-Fi passwords, and precise GPS coordinates. Changing the root password did not help either: after a firmware update, Yarbo reset the credential to its factory default. The researcher noted that this remote access was an intentional architectural feature, deployed automatically on every unit, which the owner could not disable and which came back even after being removed.
Makris published his findings only after repeated warnings to Yarbo went unanswered. The company initially insisted that the robots were “fully protected” and under the “exclusive jurisdiction” of their owners. After the report was published, Yarbo’s position began to shift: a spokesperson subsequently said that developers had found a fix for at least one vulnerability and were preparing further security improvements.
The Yarbo incident is an almost farcical illustration of a risk security experts have long warned about: as “smart” devices gain motors, cameras, GPS, and always-on connectivity, manufacturers can no longer afford weak protection. A flaw in a lightbulb app is an annoyance; a flaw in a robotic mower is a physical hazard that can deliver itself to the owner’s doorstep.