Yarbo Yard Robots Found Riddled with Hardcoded Passwords and Backdoor Tunnels, Allowing Remote Hijacking
Security researcher Andreas Makris discovered that thousands of Yarbo yard robots share hardcoded root passwords and open remote tunnels, enabling attackers to steal Wi-Fi credentials, GPS data, and even bypass emergency stops.

Security researcher Andreas Makris has uncovered a cluster of critical vulnerabilities in Yarbo yard robots that allow remote attackers to hijack thousands of devices worldwide. The flaws, which include hardcoded root passwords, persistently open remote diagnostic tunnels, and weakly protected MQTT messaging, effectively give anyone who compromises one robot access to the entire fleet. Makris demonstrated the severity by having his own mower run him over after remotely re-arming it.
The root cause stems from legacy design choices: every Yarbo robot ships with the same hardcoded root password, and remote tunnels are left open by default, creating a persistent backdoor that users cannot see or control. The MQTT messaging system is so weakly protected that once an attacker gains access to one device, they can extract GPS coordinates, email addresses, and Wi-Fi passwords from the entire fleet. Attackers can also turn the robot's camera into a remote spying tool and bypass the emergency stop mechanism, turning a heavy mower with remotely controllable blades into a real-world safety hazard.
The risks fall into three categories: physical safety (a mower that can be re-armed after emergency stop), privacy exposure (mapping device locations and viewing camera feeds), and network abuse (compromised robots scanning local networks, stealing data, or joining botnets). The vulnerabilities present a live-action demonstration of what the IoT Cybersecurity Improvement Act aims to prevent in US government deployments, though the Act does not apply to Yarbo directly.
Yarbo's public response has been unusually detailed and transparent for a consumer IoT vendor. The company acknowledged the researcher's findings as accurate, temporarily disabled the remote diagnostic tunnels, reset root passwords, locked down unauthenticated endpoints, and began removing unnecessary legacy access paths. More importantly, Yarbo has promised structural changes: unique per-device credentials, over-the-air credential rotation, audited allowlist-based remote diagnostics, and a dedicated security contact with a possible bug bounty program.
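The fleet-wide MQTT exposure described above, and the per-device credentials Yarbo has promised, come down to whether the broker scopes each robot's access to its own topics. The following is an added illustration, not Yarbo's code or configuration: a minimal model of MQTT topic authorization with a shared fleet-wide credential beside a per-device one. The topic layout `fleet/<device_id>/<channel>`, the sample device ids and the function names are assumptions for illustration.

```python
# Added example (not Yarbo's code): a minimal model of MQTT topic authorization
# showing why a shared fleet-wide credential lets one compromised robot read
# every other robot's data, and how per-device scoping contains the damage.
# Topic layout "fleet/<device_id>/<channel>" is an assumption for illustration.

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches the rest."""
    p_levels = pattern.split("/")
    t_levels = topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if p != "+" and p != t_levels[i]:
            return False
    return len(p_levels) == len(t_levels)

# Weak design: every robot authenticates with the same shared credential and the
# broker grants that credential read access to the whole fleet namespace.
SHARED_ACL = {"shared-robot": ["fleet/#"]}

# Hardened design: each robot has its own credential (username = device id) and
# may only read topics under its own id. "%u" is expanded to the authenticated
# username, mirroring Mosquitto-style ACL pattern lines.
PER_DEVICE_ACL_TEMPLATE = ["fleet/%u/#"]

def authorized(username: str, topic: str, acl: dict, template=None) -> bool:
    """Return True if `username` may read `topic` under the given ACL rules."""
    patterns = list(acl.get(username, []))
    if template:
        patterns += [t.replace("%u", username) for t in template]
    return any(topic_matches(p, topic) for p in patterns)

# Constructed sample: a compromised robot "robot-0042" tries to read its own
# GPS topic and a neighbouring robot's Wi-Fi credential topic.
OWN = "fleet/robot-0042/gps"
NEIGHBOUR = "fleet/robot-0777/wifi"

def fleet_exposure(username: str, acl: dict, template=None) -> dict:
    """Which of the sample topics a single compromised identity can read."""
    return {t: authorized(username, t, acl, template) for t in (OWN, NEIGHBOUR)}

if __name__ == "__main__":
    print("shared credential:   ", fleet_exposure("shared-robot", SHARED_ACL))
    print("per-device credential:", fleet_exposure("robot-0042", {}, PER_DEVICE_ACL_TEMPLATE))
```

With the shared credential both topics are readable; with the per-device template the neighbour's topic is denied, which is the containment property unique credentials plus a scoped ACL provide.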
From a disclosure and remediation standpoint, Yarbo is doing many things right: crediting the researcher, apologizing, prioritizing fixes, and explaining both short-term patches and long-term architectural changes in plain language. However, the company has chosen to keep a remote access tunnel, albeit with better controls and logging, rather than offering users the option to remove or fully opt out of it.
For buyers of connected devices with blades, this case underscores the importance of IoT security hygiene. Users should change default credentials immediately, check whether vendors provide updates and how easily they can be installed, and put IoT devices on a separate network using a guest Wi-Fi or VLAN. Disabling unnecessary services like UPnP, remote access, and cloud control can also reduce risk. Monitoring router or security suite logs for odd spikes or unknown destinations can help detect compromise.
The Yarbo case highlights a broader pattern in IoT security: vendors often prioritize convenience and remote diagnostics over security, leaving consumers exposed. While Yarbo's response sets a positive precedent for transparency, the underlying vulnerabilities demonstrate why the IoT Cybersecurity Improvement Act's NIST-driven requirements—such as unique credentials and secure remote access—are critical for all connected devices, not just government ones.