A new security report from researcher Andreas Makris reveals that Yarbo robots, including autonomous lawn mowers and snow blowers, contain serious vulnerabilities that could allow attackers to gain remote access to the device, view live camera feeds, and steal Wi-Fi credentials. Approximately 6,000 robots are affected.
Makris found that Yarbo robots ship with a persistent remote access setup using a tunnel, a hardcoded root password shared across the fleet, and a remote connection method tied to the robot's serial number. The remote tunnel runs automatically and can restart itself if stopped.
An attacker with root access could potentially view the robot's surroundings through its multiple cameras and retrieve saved Wi-Fi credentials, which could compromise the entire home network.
Yarbo has acknowledged the findings, confirming that the core technical findings are accurate. The company says it has retired historical fleet-level root credentials, revoked shared FRP remote-access credentials, and disabled related server-side paths. However, Yarbo admits more work remains, including rebuilding its credential management system to use per-device credentials.
The report also raises privacy concerns over data connections to ByteDance Feishu, Tencent TDMQ, and Chinese DNS resolvers. Yarbo says it has removed reporting scripts and non-essential network configurations.
Security experts recommend placing the robot on a guest network, changing Wi-Fi passwords, and keeping the device updated. Yarbo says security updates are pushed automatically.