{"id":56067,"date":"2026-07-02T11:44:17","date_gmt":"2026-07-02T15:44:17","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=56067"},"modified":"2026-07-02T11:44:17","modified_gmt":"2026-07-02T15:44:17","slug":"yarbo-robot-lawn-mower-hacked-2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/yarbo-robot-lawn-mower-hacked-2\/56067\/","title":{"rendered":"Yarbo&#8217;s robot mower: a backdoor in your backyard"},"content":{"rendered":"<p>If machines ever rise against humans, which smart appliance do you think you should fear most? Your blender, your smart kettle, or maybe your robot vacuum cleaner? My money is on\u2026 robot lawn mowers\u00a0\u2014 and I bet that after reading this post, you\u2019ll be eyeing them suspiciously too. This story covers the <a href=\"https:\/\/github.com\/Bin4ry\/yarbo-nat-in-my-back-yard\" target=\"_blank\" rel=\"noopener nofollow\">recent findings of independent security researcher<\/a> Andreas Makris, who was tracking six thousand Yarbo mowers when his study was published. Even worse, if he wanted to, he could take total control of any unit: boot it up, steer it remotely, snap photos with the built-in camera, and plenty more. Read on to find out exactly how he pulled it off.<\/p>\n<h2>What exactly are Yarbo robot mowers?<\/h2>\n<p>Calling a Yarbo device a mere lawn mower doesn\u2019t really do it justice. In reality, these high-tech machines are autonomous mini-tractors built to tackle a wide range of chores. Beyond just cutting grass, they can clear snow, blow away fallen leaves, haul heavy loads, patrol your property, and more. 
And to handle all these different outdoor tasks, the manufacturer offers a whole suite of interchangeable attachments.<\/p>\n<div id=\"attachment_56071\" style=\"width: 1290px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02112835\/yarbo-robot-lawn-mower-hacked-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-56071\" class=\"wp-image-56071 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02112835\/yarbo-robot-lawn-mower-hacked-1.jpg\" alt=\"Yarbo robot lawn mower\" width=\"1280\" height=\"857\"><\/a><p id=\"caption-attachment-56071\" class=\"wp-caption-text\">Yarbo is a modular yard-care robot. Depending on the attachment used, it can function as a lawn mower, trimmer, snowblower, leaf blower, or utility cart. <a href=\"https:\/\/eu.yarbo.com\/\" target=\"_blank\" rel=\"nofollow noopener\"> Source<\/a><\/p><\/div>\n<p>None of this comes cheap: in Europe, the base robot alone will set you back over \u20ac5000, while individual attachments cost anywhere from \u20ac1500 to \u20ac2500 each. If you want the full setup, including the robot and every available module\u00a0\u2014 the mower, trimmer, snow blower, leaf blower, and towing module\u00a0\u2014 you\u2019re looking at a grand total of over \u20ac12\u00a0000.<\/p>\n<p>As a lawn mower, this robotic tractor <a href=\"https:\/\/eu.yarbo.com\/robotic-lawn-mower?p=t_menu\" target=\"_blank\" rel=\"noopener nofollow\">boasts some seriously impressive specs<\/a>. It features a cutting width of about 50cm, thanks to dual cutting discs outfitted with five blades each. A single charge covers roughly a thousand square meters. 
Once the battery drops to 20%, the robot drives itself back to the charging station and, once topped up, picks up right where it left off\u00a0\u2014 just like a robot vacuum, except on a completely different scale: in mowing mode, this machine can maintain properties of up to 25\u00a0000 square meters, and in towing mode it can handle up to 125\u00a0000 square meters of land.<\/p>\n<div id=\"attachment_56072\" style=\"width: 1210px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113157\/yarbo-robot-lawn-mower-hacked-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-56072\" class=\"wp-image-56072 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113157\/yarbo-robot-lawn-mower-hacked-2.jpg\" alt=\"The Yarbo robot in its snow blower configuration\" width=\"1200\" height=\"1201\"><\/a><p id=\"caption-attachment-56072\" class=\"wp-caption-text\">The Yarbo robot configured for snow removal. <a href=\"https:\/\/eu.yarbo.com\/\" target=\"_blank\" rel=\"nofollow noopener\"> Source <\/a><\/p><\/div>\n<p>For lawn care and landscaping, it all sounds like a dream come true. But imagine what could happen if you lost control of such a powerful machine. Well, <em>The Verge<\/em> reporter Sean Hollister doesn\u2019t have to imagine. He teamed up with researcher Andreas Makris for an experiment where the researcher, sitting in Germany, remotely hijacked a Yarbo mower and ran over the journalist as he lay on his lawn back in the U.S. 
We\u2019ll dive into all the details in the next sections.<\/p>\n<div id=\"attachment_56073\" style=\"width: 2170px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113309\/yarbo-robot-lawn-mower-hacked-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-56073\" class=\"wp-image-56073 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113309\/yarbo-robot-lawn-mower-hacked-3.jpg\" alt=\"The fully loaded Yarbo robot bundle\" width=\"2160\" height=\"2160\"><\/a><p id=\"caption-attachment-56073\" class=\"wp-caption-text\">Yarbo\u2019s complete package, featuring every attachment offered by the manufacturer: a setup that runs to well over \u20ac12 000 in Europe. <a href=\"https:\/\/eu.yarbo.com\/\" target=\"_blank\" rel=\"nofollow noopener\"> Source<\/a><\/p><\/div>\n<h2>How the researcher hijacked the Yarbo devices<\/h2>\n<p>We\u2019ve <a href=\"https:\/\/www.kaspersky.com\/blog\/ecovacs-robot-vacuums-hacked-in-real-life\/52837\/\" target=\"_blank\" rel=\"noopener nofollow\">mentioned<\/a> before on our blog that all smart devices are essentially computers\u00a0\u2014 often on wheels. Most of the time, they run on Linux, and Yarbo\u2019s robots are no exception. While digging into the device\u2019s firmware, Makris <a href=\"https:\/\/github.com\/Bin4ry\/yarbo-nat-in-my-back-yard\" target=\"_blank\" rel=\"noopener nofollow\">discovered a built-in mechanism<\/a> that maintains a constant connection with the company\u2019s servers.<\/p>\n<p>This kind of setup isn\u2019t unusual in and of itself: most robot vacuums, smart cameras, smart speakers, and other IoT gadgets regularly ping the manufacturer\u2019s infrastructure for things like software updates. But with Yarbo, this mechanism wasn\u2019t just passing along telemetry data and pulling down updates; it did double duty as a monitoring and remote access tool. 
In theory, a manufacturer might use this kind of access for completely legitimate reasons, like remote troubleshooting or tech support.<\/p>\n<p>To figure out exactly what this access could do, Makris dug into its configuration. As it turned out, the system allowed anyone to connect to the mower with top-tier administrative privileges and execute any command they wanted.<\/p>\n<p>Making matters worse, the connection relied on the \u201croot\u201d account: the primary administrative login in Linux that has total control over the system. Since that username is standard across Linux systems, an attacker wouldn\u2019t even have to guess a login.<\/p>\n<p>And that\u2019s where Makris hit another nasty surprise: the password for that root account was hardcoded right into the firmware, meaning it was exactly the same across every single Yarbo device. The password itself wasn\u2019t the strongest\u00a0\u2014 just nine characters\u00a0\u2014 but in this scenario, that didn\u2019t matter. The researcher didn\u2019t need to crack or brute-force the root password because it was sitting out in the open, hardcoded into one of the system components for anyone to find.<\/p>\n<div id=\"attachment_56074\" style=\"width: 1670px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113428\/yarbo-robot-lawn-mower-hacked-4.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-56074\" class=\"wp-image-56074 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/07\/02113428\/yarbo-robot-lawn-mower-hacked-4.png\" alt=\"The root password for every Yarbo robot\" width=\"1660\" height=\"480\"><\/a><p id=\"caption-attachment-56074\" class=\"wp-caption-text\">The root password for all Yarbo robots is hardcoded into one of the system components. 
<a href=\"https:\/\/github.com\/Bin4ry\/yarbo-nat-in-my-back-yard#1-persistent-ssh-backdoor-via-nat-punching\" target=\"_blank\" rel=\"nofollow noopener\"> Source<\/a><\/p><\/div>\n<p>To be absolutely clear, this password didn\u2019t just unlock one specific lawn mower\u00a0\u2014 it opened the door to every single Yarbo robot on the planet. What\u2019s worse, even if a tech-savvy owner managed to change their root password to something unique, the system would automatically reset it back to the default factory password during the next update.<\/p>\n<p>This means that to gain remote access to any of the thousands of Yarbo robots out there, all an attacker needed was the device\u2019s serial number and the universal root password. To make things even easier, the serial numbers follow a predictable format and serve as the robot\u2019s ID within Yarbo\u2019s ecosystem. The owner didn\u2019t have to click a thing or do anything wrong for their mower to be compromised.<\/p>\n<h2>What an attacker can do with a Yarbo mower<\/h2>\n<p>Andreas Makris <a href=\"https:\/\/www.theverge.com\/tech\/925696\/yarbo-robot-lawn-mower-hack-remote-control-camera-access-mqtt\" target=\"_blank\" rel=\"noopener nofollow\">took a close look at exactly what this remote access allowed him to do<\/a>, and he gave <em>The Verge<\/em> reporter Sean Hollister a live demonstration of the capabilities, which included:<\/p>\n<ul>\n<li>Streaming live video from the built-in cameras\u00a0\u2014 there are four in total, one on each side of the robot<\/li>\n<li>Snapping photos with the onboard cameras<\/li>\n<li>Harvesting user email addresses<\/li>\n<li>Stealing passwords for the Wi-Fi networks the robots were connected to<\/li>\n<li>Pinpointing the exact GPS coordinates of the machines<\/li>\n<li>Controlling the robots remotely<\/li>\n<\/ul>\n<p>The reporter reached out to two Yarbo owners to verify Makris\u2019s findings. 
They confirmed that the researcher had successfully pinpointed their homes, and had managed to pull their actual email addresses and the passwords to the Wi-Fi networks their robots were using.<\/p>\n<p>To really drive home how dangerous it is for a stranger to have remote access to such a powerful machine, Makris and Hollister decided to run the experiment mentioned earlier. Sitting in Germany, the researcher hijacked a Yarbo mower located in the U.S. that Hollister had access to. Then, while staying on the line with the journalist who was lying in the grass, Makris steered the machine straight toward him.<\/p>\n<p>To be fair, the mower was in reverse and the blades weren\u2019t spinning. Even so, the stunt was still plenty dangerous\u00a0\u2014 the machine weighs over 220 pounds. At one point, the robot did actually back into Hollister, but Makris stopped the mower just in time and no one was hurt.<\/p>\n<p>This experiment proved that the device completely lacks any hardwired safety features that would kick in if something got in the robot\u2019s way. To be fair, the mower does have a physical emergency stop button that halts the machine when pressed. However, Makris points out that with root access, a hacker could easily override that command and boot the machine right back up.<\/p>\n<p>But the risks don\u2019t stop at remote hijacking stunts. According to Makris, this level of access allows an attacker to secretly spy on your property through the built-in cameras, install malicious software onto the robot\u2019s operating system, and use the mower as a beachhead to launch further attacks on other devices connected to the same network. 
In the researcher\u2019s view, the entire remote access architecture is essentially a backdoor: owners have no way to disable it, and access to the machines remains wide open no matter what they do.<\/p>\n<h2>How to avoid becoming a victim of\u2026 your lawn mower<\/h2>\n<p>Typically, cybersecurity researchers only publish their findings after the manufacturer has patched the vulnerabilities. Andreas Makris took a different route, however: he posted the details about the Yarbo backdoor online right away, without waiting for a fix. He justified his decision by pointing out that this wasn\u2019t an accidental flaw left behind by the company; the manufacturer had deliberately and intentionally built a permanent backdoor into its robots.<\/p>\n<p>Furthermore, when Makris tried to reach out to Yarbo support\u00a0\u2014 the company lacked a dedicated channel for reporting vulnerabilities\u00a0\u2014 he received a canned response claiming that everything was secure, and the remote connection feature wasn\u2019t permanently enabled and could not be used by third parties. As the researcher clearly demonstrated, those claims were completely false.<\/p>\n<p>Following the publication of Makris\u2019s findings, <a href=\"https:\/\/www.theverge.com\/tech\/926989\/yarbo-robot-lawn-mower-hack-company-update-security-promise\" target=\"_blank\" rel=\"noopener nofollow\">Yarbo announced that they would fix many of the issues he\u2019d uncovered<\/a>. Specifically, the company promised to ditch the universal passwords across devices, implement stronger access control, and bring more transparency to how their remote diagnostics system operates.<\/p>\n<p>As for the remote access itself, future firmware updates will make it <a href=\"https:\/\/www.theverge.com\/tech\/928289\/yarbo-remove-robot-lawn-mower-backdoor\" target=\"_blank\" rel=\"noopener nofollow\">strictly opt-in<\/a>. 
Users will be able to decide for themselves whether they even want the feature, installing it only if and when they actually need it.<\/p>\n<p>Yarbo has already rolled out <a href=\"https:\/\/forum.yarbo.com\/c\/yarbo-official\/updates-product-releases\/7\" target=\"_blank\" rel=\"noopener nofollow\">two software updates for its robots<\/a>, and we highly recommend that owners install them immediately. That said, it\u2019s still not entirely clear whether all of the security flaws have actually been ironed out.<\/p>\n<p>The broader takeaway for anyone with smart gadgets is that a high price tag is absolutely no guarantee of security. Even a machine that costs thousands of euros can turn out to be a potential spying tool or a wide-open gateway into your home network, rather than just a helpful chore-bot.<\/p>\n<p>That\u2019s why it pays to practice basic digital hygiene: install updates as soon as they drop; use strong, unique passwords for your home Wi-Fi networks \u2014 while saving them in a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a>\u00a0\u2014 and <a href=\"https:\/\/www.kaspersky.com\/blog\/guest-wifi\/23843\/\" target=\"_blank\" rel=\"noopener nofollow\">segment your IoT devices away<\/a> from computers and other systems that hold sensitive data wherever possible. Besides, the <a href=\"https:\/\/support.kaspersky.com\/kaspersky-for-windows\/21.25\/138202\" target=\"_blank\" rel=\"noopener\">Smart Home Monitor<\/a> feature in our <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">security suite<\/a> will tip you off the second an unauthorized device tries to connect to your home network.<\/p>\n<blockquote><p>Curious about other high-profile smart home hacks? 
Read these Kaspersky Official Blog posts to find out:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/dashcam-hack-botnet-on-the-wheels\/54839\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Botnets on wheels: the mass hacking of dashcams<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-hack-a-smart-mattress\/53232\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Three ways to hack\u2026 a mattress!<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology\/52026\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How to hack a bicycle<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/hacked-card-shufflers\/54865\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Lock, stock, and two smoking barrels: the DeckMate 2 shuffler hack<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/south-korea-120000-ip-cameras-hacked\/54961\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Korean-style webcam breach: 120\u00a0000 IP cameras hacked<\/strong><\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Yarbo smart mowers were found to have a built-in remote access loophole with identical passwords across all devices. 
A security researcher managed to completely hijack a mower, and could even force it to\u2026 run over its owner.<\/p>\n","protected":false},"author":2726,"featured_media":56068,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1789],"tags":[1934,1027,899,658,794,1695,1066,97,660,768,268,174,4420],"class_list":{"0":"post-56067","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-cctv","9":"tag-connected-devices","10":"tag-hack","11":"tag-internet-of-things","12":"tag-iot","13":"tag-remote-access","14":"tag-robots","15":"tag-security-2","16":"tag-smart-home","17":"tag-surveillance","18":"tag-vulnerabilities","19":"tag-wi-fi","20":"tag-wiretapping"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/yarbo-robot-lawn-mower-hacked-2\/56067\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/yarbo-robot-lawn-mower-hacked-2\/30870\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/yarbo-robot-lawn-mower-hacked-2\/25907\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/yarbo-robot-lawn-mower-hacked-2\/30709\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/yarbo-robot-lawn-mower-hacked\/42208\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/yarbo-robot-lawn-mower-hacked\/30817\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/yarbo-robot-lawn-mower-hacked-2\/36375\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/yarbo-robot-lawn-mower-hacked-2\/36271\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/internet-of-things\/","name":"Internet of 
things"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/56067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=56067"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/56067\/revisions"}],"predecessor-version":[{"id":56076,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/56067\/revisions\/56076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/56068"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=56067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=56067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=56067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}