www.malwarebytes.com 5/11/2026, 2:00:51 PM

Yarbo robot mowers leak WiFi passwords via remote backdoor

Primary source: theverge.com

Yarbo yard robots were found to have a host of vulnerabilities that could allow an attacker to harvest Wi‑Fi passwords, with security researcher Andreas Makris demonstrating remote hijacking of thousands of devices and even having his own mower run him over, according to The Verge. The root cause centred on a cluster of legacy design choices: a root password shared across all devices and hardcoded in firmware, remote tunnels left open, and MQTT protection so weak that compromising one device effectively gave access to the worldwide fleet.

An attacker could pull GPS coordinates, email addresses and Wi‑Fi passwords, turn cameras into remote spying tools, and even re‑arm the mower after an emergency stop, all enabled by a persistent backdoor tunnel users could neither see nor meaningfully control. Yarbo’s public response is unusually detailed for an IoT vendor, temporarily disabling the remote diagnostic tunnels, resetting root passwords, locking down unauthenticated endpoints, and removing unnecessary legacy access paths.

Looking ahead, Yarbo promises long‑term security hygiene with unique per‑device credentials, OTA credential rotation, audited allowlist remote diagnostics, and a dedicated security contact with a possible bug bounty. However, it has chosen to retain a remote access tunnel, albeit with tighter controls, rather than offering users an option to remove or fully opt out of it.
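The fleet-wide exposure described above (one device's credential reaching every other device over MQTT) and the per-device credential fix Yarbo promises can be shown side by side as a broker authorization policy. This is an added illustration, not Yarbo's code or configuration; the device ids, secrets and topic layout (`devices/<id>/telemetry` and `devices/<id>/commands`) are assumptions constructed for the example.

```python
import hmac
import re

# Constructed sample fleet (hypothetical ids and secrets, not real values).
# Weak model: one secret shared by every device in the fleet.
SHARED_FLEET_SECRET = "fleet-password"
# Hardened model: a unique secret per device, bound to that device's id.
PER_DEVICE_SECRETS = {"mower-0001": "s3cret-a", "mower-0002": "s3cret-b"}

# Assumed topic layout: devices/<device-id>/<telemetry|commands>
TOPIC_RE = re.compile(r"^devices/([A-Za-z0-9-]+)/(telemetry|commands)$")


def authenticate_weak(device_id: str, secret: str) -> bool:
    """Weak: any client presenting the shared fleet secret is accepted, whatever id it claims."""
    return hmac.compare_digest(secret, SHARED_FLEET_SECRET)


def authorize_weak(device_id: str, topic: str, access: str) -> bool:
    """Weak: no topic ACL, so an authenticated client may read or write every device's topics."""
    return True


def authenticate(device_id: str, secret: str) -> bool:
    """Hardened: the credential is unique per device and only valid for that device id."""
    expected = PER_DEVICE_SECRETS.get(device_id)
    return expected is not None and hmac.compare_digest(secret, expected)


def authorize(device_id: str, topic: str, access: str) -> bool:
    """Hardened ACL: a device may only publish its own telemetry and read its own commands."""
    match = TOPIC_RE.match(topic)
    if not match:
        return False
    owner, channel = match.groups()
    if owner != device_id:
        return False  # never touch another device's topics
    if channel == "telemetry":
        return access == "write"
    return access == "read"  # commands come from the backend, devices only consume them


def fleet_exposure(policy, device_id: str, fleet) -> int:
    """How many other devices' command topics a single compromised device could write to."""
    return sum(
        1 for other in fleet
        if other != device_id and policy(device_id, f"devices/{other}/commands", "write")
    )
```

Under the weak policy a single compromised mower can push commands to every other device in the fleet; under the per-device policy that count drops to zero, which is the property a defender should verify on the broker's ACL configuration.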


Article by CyberSIXT