Attack Of The Killer Lawnmowers: Security Flaw Let Hackers Control These Landscaping Robots

A hacker in Germany was stunned to find he had complete control of a robotic lawnmower. Weighing over 200 pounds and equipped with cameras for navigation, Wi-Fi and 4G for Internet connectivity, and blades capable of pulverizing a human body, the Yarbo lawn mower has immense destructive potential in the wrong hands. And yet Andreas Makris gained control over every active Yarbo robot across the globe with little effort.

Thankfully, Makris had no plans to dominate the world with his newfound army of killer robots. He is a security researcher who spends his days probing tech for vulnerabilities, and even he was shocked at how easy it was to gain access to all of Yarbo's $5,000 yard care robots. As it turns out, every Yarbo robot ships with the same root password, so once he had compromised one of them, the same credential let him into the entire fleet, and from there into customer data (including video) from mowers across the globe. He first contacted Yarbo, as coordinated disclosure practice calls for when a vulnerability of this magnitude is found. But instead of thanking him, Yarbo downplayed the issue, telling Makris the shared password was a deliberate design decision intended to "provide timely and accurate solutions to mechanical or software concerns..." Makris then took his findings to a reporter at The Verge, which worked with him to confirm and publicize the vulnerability.

With root access to a Yarbo lawn mower, an attacker could enlist the robots into a botnet and route illegal activity through the owner's own network, or read the owner's GPS coordinates, emails, and even their Wi-Fi password. And that only scratches the surface. The biggest mistake you can make with smart lawn mowers might be buying from Yarbo.

Yarbo lawn mower robots can be easily taken over remotely

In the research he published on GitHub, Makris notes that each Yarbo robot runs a full Linux system whose root password is identical on every unit. There is no opt-out, and an owner cannot permanently change the password, because every firmware update resets it to the shared factory value. Stranger still, he found that Yarbo's telemetry is routed to ByteDance, the Chinese owner of TikTok. The Verge found that, despite listing a New York headquarters, Yarbo appears to actually operate out of Shenzhen, China. This discovery is a chilling reminder to look out for warning signs your smart home has been hacked.
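Why a single shared root password is worse than one weak password on one device comes down to blast radius. The following Python is an added illustration written for this article, not Yarbo's firmware or Makris's research code: it models the two properties described above (the same root password on every unit, and a firmware update that restores it) beside a hypothetical per-device design, and counts how many units one leaked password unlocks in each case. All serials, passwords, and the "label" provisioning scheme are constructed for the example.

```python
"""Blast radius of a fleet-wide root password versus per-device credentials.

Added illustration for this article; not Yarbo's firmware, Makris's research
code, or any real credential. Serials and passwords below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the crypt(3) hash an /etc/shadow entry
    # would hold; the iteration count is low only to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Device:
    serial: str
    salt: bytes
    root_hash: bytes

    def check_root(self, password: str) -> bool:
        """Constant-time comparison, as a login program would do."""
        return hmac.compare_digest(self.root_hash, hash_password(password, self.salt))

    def set_root_password(self, new_password: str) -> None:
        """Owner runs passwd: fresh salt, new hash."""
        self.salt = secrets.token_bytes(16)
        self.root_hash = hash_password(new_password, self.salt)


# Model A: the design the article describes. One password baked into the
# firmware image, and the image overwrites the credential store on update.
FLEET_ROOT_PASSWORD = "factory-root"  # constructed placeholder, not the real value
FLEET_SALT = b"\x00" * 16             # same salt, so the same hash on every unit


def build_shared_fleet(serials):
    h = hash_password(FLEET_ROOT_PASSWORD, FLEET_SALT)
    return [Device(s, FLEET_SALT, h) for s in serials]


def update_shared(dev: Device) -> None:
    """Update ships the credential file wholesale, undoing any owner change."""
    dev.salt = FLEET_SALT
    dev.root_hash = hash_password(FLEET_ROOT_PASSWORD, FLEET_SALT)


# Model B (hypothetical): a random credential per unit, generated at
# provisioning and stored outside the firmware image so updates leave it alone.
def build_per_device_fleet(serials):
    fleet, labels = [], {}
    for s in serials:
        pw = secrets.token_urlsafe(16)  # assumed to be printed on the unit's label
        d = Device(s, b"", b"")
        d.set_root_password(pw)
        fleet.append(d)
        labels[s] = pw
    return fleet, labels


def update_per_device(dev: Device) -> None:
    """Update replaces code only; the credential store is untouched."""
    return None


def units_unlocked_by(fleet, password: str) -> int:
    """How many units a single leaked password opens."""
    return sum(d.check_root(password) for d in fleet)


def demo(n_units: int = 5) -> dict:
    serials = [f"YB-{i:04d}" for i in range(n_units)]  # constructed serials
    shared = build_shared_fleet(serials)
    per_dev, labels = build_per_device_fleet(serials)
    results = {
        "shared_unlocked_by_one_leak": units_unlocked_by(shared, FLEET_ROOT_PASSWORD),
        "per_device_unlocked_by_one_leak": units_unlocked_by(per_dev, labels[serials[0]]),
    }
    # An owner changes root on one unit of each fleet, then an update arrives.
    shared[0].set_root_password("owner-chosen")
    per_dev[0].set_root_password("owner-chosen")
    results["shared_owner_pw_before_update"] = shared[0].check_root("owner-chosen")
    results["per_device_owner_pw_before_update"] = per_dev[0].check_root("owner-chosen")
    update_shared(shared[0])
    update_per_device(per_dev[0])
    results["shared_owner_pw_after_update"] = shared[0].check_root("owner-chosen")
    results["shared_factory_pw_after_update"] = shared[0].check_root(FLEET_ROOT_PASSWORD)
    results["per_device_owner_pw_after_update"] = per_dev[0].check_root("owner-chosen")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two failure modes from the article together: in the shared model one leaked password opens every unit, and the owner's replacement password survives only until the next update puts the factory value back. In the per-device model the same leak opens exactly one unit and the owner's change persists.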

The Verge confirmed Makris's alarming claims by visiting some of the Yarbo owners he had tracked down. One man, a retired network architect for Microsoft, thought he had covered his bases by putting the bladed bot on a separate guest network with custom filtering, but even he was a bit frazzled to find a reporter on his doorstep, led there by the machine that keeps his grass in check. Makris was also able to locate three Yarbo robots not far from a critical power plant, one of which appears to belong to a nuclear security analyst.

Yarbo eventually fixed some vulnerabilities in its app, but the most serious issues are in the on-device firmware, which has not been patched. It's a stark reminder that every device connected to your network is a potential threat vector, and that not every company making those devices can be trusted to have your safety in mind. Network segmentation limits what a compromised device can reach on your LAN, but as the Microsoft architect's case shows, it does nothing for the location, camera, and account data the device itself collects and reports. There are ways to make your smart home more secure, but it's worth thinking twice before connecting a blade-wielding robot to your home network.
