Security Flaws in Yarbo Robot Mowers Expose User Data

A security researcher demonstrated that Yarbo robot lawn mowers possess critical vulnerabilities that allow strangers to hijack devices and steal personal data.

This discovery highlights the growing risks associated with high-cost internet-of-things (IoT) devices in residential areas. As automated machinery gains more autonomy and access to home networks, security gaps can transform a luxury convenience into a physical and digital liability.

The Yarbo robot mowers, which cost $5,000 ^[1], broadcast device information that can be intercepted. The researcher said these vulnerabilities allow an unauthorized user to reveal the GPS coordinates of the device and stream live camera footage from the mower's perspective ^[1].

Beyond surveillance, the flaws expose sensitive account details. The researcher said the devices can be manipulated to reveal the email addresses, and Wi-Fi passwords of the owners ^[1]. This creates a secondary risk, as an attacker could use the stolen Wi-Fi credentials to access other devices on the home network.

Physical control of the machinery is also a concern. The demonstration showed that the mowers can be remotely driven away from their designated areas ^[1]. Because the devices broadcast their location and identity, anyone with basic technical knowledge could potentially locate and seize a mower.

The researcher said the security design of the mowers is weak ^[1]. This lack of robust encryption and authentication means that the hardware does not sufficiently protect the privacy of the users who purchase them.