iToverDose/Technology· 8 MAY 2026 · 21:01

Yarbo’s robot mower hack: Company rolls out fixes after security crisis

A security flaw exposed owners of Yarbo’s AI-powered robot lawn mowers to remote hijacking risks, including location tracking and device control. Now the company is issuing a sweeping security update and concrete steps to restore trust.

The Verge · 2 min read

Earlier this week, a security researcher demonstrated how thousands of Yarbo robot lawn mowers—popular smart yard devices made in China—could be hijacked remotely with minimal effort. The vulnerabilities included unauthorized access to live camera feeds, GPS tracking, and even the ability to command the mower to move, potentially putting owners in danger.

Now, Yarbo has responded with a detailed 1,200-word security update acknowledging the findings, issuing a public apology, and outlining a multi-step plan to address the issues. The company confirmed that remote diagnostic access—which was exploited in the reported hacks—has already been temporarily disabled while engineers roll out security patches.

What went wrong with Yarbo’s robot mowers?

Independent security researchers discovered that multiple Yarbo models connected to the internet via MQTT, a lightweight messaging protocol commonly used in IoT devices. This setup allowed attackers to intercept and manipulate communications between the mowers and Yarbo’s cloud servers. Among the exposed data were:

  • Real-time GPS coordinates of mowers and their owners
  • Wi-Fi network credentials used to connect the devices
  • Email addresses tied to user accounts
  • Live camera feeds from the mower’s onboard camera

Most alarming was the ability to remotely control the mower’s movement, including sending it into areas where it could pose a physical threat. While no injuries were reported, the potential for misuse was significant.

Yarbo’s immediate response and security roadmap

In its official statement, Yarbo admitted that the vulnerabilities stemmed from design choices that prioritized ease of remote diagnostics over security. The company outlined several urgent actions already in progress:

  • Disabling remote diagnostic access: Yarbo confirmed that remote access to individual devices has been cut off until further notice. This includes the MQTT-based system used for cloud diagnostics.
  • Overhauling authentication protocols: New, stronger encryption and authentication mechanisms will be implemented to prevent unauthorized access. Engineers are reviewing every data stream and connection point.
  • Rolling out firmware updates: All affected mowers will receive mandatory security patches. Users are advised to update as soon as possible through Yarbo’s official app.
  • Improving transparency: Yarbo pledged to publish regular security bulletins and invite third-party audits to rebuild trust. The company also announced the creation of a dedicated security advisory board.

What should robot mower owners do now?

While Yarbo’s response addresses the core issues, owners should take immediate precautions to protect their devices and data:

  • Update the firmware: Check the Yarbo app or manufacturer’s website for the latest security update. Do not rely on automatic updates alone.
  • Change Wi-Fi passwords: Since Wi-Fi credentials were exposed, rotate your network password and enable WPA3 encryption if supported.
  • Disable unnecessary features: Turn off remote access and camera streaming when not in use.
  • Monitor accounts: Watch your Yarbo account and email for signs of unauthorized access.

The company has not yet announced a timeline for full restoration of remote diagnostics, but it emphasized that security is now the top priority. Yarbo also stated it will reimburse users for any costs related to the incident.

As smart home devices increasingly integrate AI and automation, incidents like this highlight the need for robust security-by-design principles. Yarbo’s swift response may set a new standard for accountability in the consumer robotics industry.

AI summary

Security vulnerabilities in Yarbo robot lawn mowers have come to light. The company announced its emergency response plan against the hack and offered security recommendations to users.
