Facepalm: Internet-of-things devices such as cameras, doorbells, robot vacuums, and other connected household products carry well-documented security risks, but Yarbo's lawnmowers represent one of the most egregious examples in recent memory. Every unit sold worldwide is effectively a backdoor into the owner's Wi-Fi network, and there appears to be little users can do about it.

Security researcher Andreas Makris recently outlined exploits that could allow hackers to hijack thousands of Yarbo lawnmowers sold across more than 30 countries. According to Makris, all units ship with a preinstalled backdoor capable of exposing owners' private information, and the vulnerability cannot currently be disabled.

Yarbo sells internet-connected robots that support attachments for mowing lawns, blowing leaves, shoveling snow, and performing other outdoor tasks. Like many IoT devices, they can be controlled remotely through mobile apps and include cameras used to map the properties where they operate. Remote access also requires transmitting data through the manufacturer's servers.

However, Makris discovered that each unit contains a backdoor that allows Yarbo engineers to receive telemetry data and GPS coordinates from every network-connected unit running recent firmware. After gaining access to the company's backend, the researcher was able to view information from around 11,000 devices, including roughly 5,000 located in the US.

Much as Sammy Azdoufal reportedly hijacked over 10,000 DJI IoT devices in February, Makris was able to remotely control Yarbo robots and view their camera feeds using nothing more than a unit's serial number, with no login credentials required. He could even restart a unit as its owner triggered the emergency stop, and could potentially operate a bladed mower in a dangerous manner.

But it gets worse: each Yarbo robot is, in effect, an Arm Linux computer, and every unit ships with the same root password, so anyone who knows it has full control of the operating system on every robot in the fleet. Even if a user changes the password or removes the backdoor, a subsequent firmware update restores the default credentials and any files that were removed.
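The two findings above, control by serial number alone and one root credential shared across the fleet, are instances of the same design mistake: treating a public, fleet-wide identifier as though it were a per-device secret. The Python below is an added illustration written for this page; it is not Yarbo's backend, Makris's exploit, or any real API, and the serials, owner names, commands and nonces are constructed. It contrasts a command handler that checks only the serial with one that requires the caller to be the paired owner and to present an HMAC tag computed with a secret issued to that single unit at pairing time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    serial: str
    owner: str
    secret: bytes                      # issued to this one unit at pairing
    seen_nonces: set = field(default_factory=set)


def sign(secret: bytes, serial: str, command: str, nonce: str) -> str:
    """Tag a command with the device's own secret (HMAC-SHA256)."""
    msg = f"{serial}\n{command}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Backend:
    """Hypothetical command relay; constructed for this example only."""

    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}

    def provision(self, serial: str, owner: str) -> bytes:
        """Pair a unit with its owner and mint a secret unique to that unit.

        The secret is handed to the owner's app once, at pairing time. A
        fleet-wide credential (one root password on every robot) would be the
        equivalent of returning the same bytes for every serial."""
        secret = secrets.token_bytes(32)
        self.devices[serial] = Device(serial, owner, secret)
        return secret

    def dispatch_insecure(self, serial: str, command: str) -> str:
        """Vulnerable pattern: the serial number is the only thing checked.

        Serials are printed on the chassis, often sequential, and freely
        shared, so anyone who can read or guess one can drive any unit."""
        if serial not in self.devices:
            return "rejected: unknown device"
        return f"{serial}: executed {command}"

    def dispatch_secure(self, session_user: str, serial: str, command: str,
                        nonce: str, tag: str) -> str:
        """Hardened pattern: owner binding + per-device HMAC + replay check."""
        dev = self.devices.get(serial)
        # One response for unknown and foreign devices, so this endpoint
        # cannot be used to enumerate which serials exist.
        if dev is None or dev.owner != session_user:
            return "rejected: not the owner"
        if nonce in dev.seen_nonces:
            return "rejected: replay"
        expected = sign(dev.secret, serial, command, nonce)
        # Constant-time compare so a timing side channel does not leak the tag.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        dev.seen_nonces.add(nonce)
        return f"{serial}: executed {command}"


if __name__ == "__main__":
    backend = Backend()
    alice_secret = backend.provision("YB-0001", "alice")   # constructed serial
    # An attacker who knows only the serial succeeds against the insecure handler...
    print(backend.dispatch_insecure("YB-0001", "start_blades"))
    # ...and fails against the hardened one, forged tag or not.
    print(backend.dispatch_secure("mallory", "YB-0001", "start_blades", "n1", "00"))
    # The paired owner succeeds, and each nonce is honoured exactly once.
    tag = sign(alice_secret, "YB-0001", "start_blades", "n1")
    print(backend.dispatch_secure("alice", "YB-0001", "start_blades", "n1", tag))
    print(backend.dispatch_secure("alice", "YB-0001", "start_blades", "n1", tag))
```

Two points carry over to the firmware side: the per-device secret has to live somewhere a firmware update does not overwrite (a separate partition or a secure element), or an update that restores factory defaults, as described above, also reverts the credential; and the same rule applies to the local root account, which should get a password or key unique to the unit at provisioning rather than one shared by the whole product line.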

The OS also exposes the owner's Wi-Fi password in clear text, so a compromised robot can serve as a beachhead for attacks on other devices on the same network. The implications for private owners are concerning enough, but Makris also found Yarbo units deployed at businesses, university campuses, and government buildings. The Verge reports that he also identified 12 robots within 3 km of a major nuclear power plant, one of which may be owned by a nuclear security analyst.

Normally, a security researcher would notify the manufacturer privately and allow time for remediation before going public. However, Yarbo's dismissive responses reportedly convinced Makris that the issues would only be taken seriously if he published his findings.

The company's apparent efforts to obscure its origins are another concern. While Yarbo is officially headquartered in New York, the Android app's package identifier names Shenzhen-based Hanyangtech as its parent company, and each unit's telemetry also reportedly routes through ByteDance servers.

What Makris discovered highlights the same category of concerns that led to DJI devices being restricted in the US, but Yarbo's robots present a potentially broader risk, with thousands already operating domestically. Yarbo later told The Verge that it is investigating the issues and has developed fixes for some of them.