Robot mowers like the Yarbo promise to make yard maintenance easier by automating tasks such as mowing the lawn and clearing snow. However, a recent report by security researcher Andreas Makris revealed significant vulnerabilities in Yarbo devices.
Security Flaws in Yarbo Devices
Makris found that these smart yard tools, including lawn mowers and snow blowers, contain flaws that enable remote access, live camera viewing, and Wi-Fi credential theft. An estimated 6,000 Yarbo robots are affected, putting owners at risk.
The report highlights that Yarbo devices come with preset remote access and hardcoded root passwords shared fleet-wide. “Root” access allows for deep control over the device, comparable to administrator-level access. This setup could allow malicious users to remotely control the robot and access its systems.
Potential Risks for Home Networks
Smart devices require internet access for optimal functionality, such as app controls, software updates, diagnostics, and support. However, Makris argues that Yarbo’s remote access setup heightens security risks. He claims that remote access is enabled by default rather than being activated upon request, making the devices potentially vulnerable to attackers. A compromised robot could serve as an entry point to your home network.
Camera and Wi-Fi Concerns
Additional concerns involve camera access. Makris reports that if someone gains root access via the remote tunnel, they might view live feeds from the robot’s cameras. Areas in and around homes, like driveways and backyards, could be monitored without the owner knowing.
Moreover, attackers could retrieve saved Wi-Fi credentials, exposing the home network and connected devices to unauthorized access.
Yarbo’s Response and Security Measures
Following the report, Yarbo acknowledged the vulnerabilities and is working on solutions. The company retired historical fleet-level root credentials, revoked shared remote-access credentials, and disabled related server-side connections.
Newer app versions do not contain static credentials, and Yarbo is overhauling its credential management system by transitioning to device-specific credentials that support independent rotation and revocation.
Data Connection Concerns
The report also raises issues regarding data connections involving Yarbo’s parent company, Hanyangtech, and firms like ByteDance Feishu and Tencent TDMQ. Transparency about data connections is crucial, especially for devices with cameras and network access.
Recommendations for Yarbo Owners
- Use a guest network or a separate smart-device network to limit access.
- If concerned about exposure, change your main Wi-Fi password and reconnect only trusted devices.
- Regularly check your router for unknown devices and remove any you do not recognize.
- Ask Yarbo for specific details about remote access and device credentials.
- Ensure your device receives security updates while connected to a safe network.
Key Takeaways
Yarbo’s situation underscores the importance of transparency and security in smart devices. Owners need clarity on who may access their devices and the ability to control remote access.
For those considering smart yard devices, prioritize security inquiries over features like battery life during your purchasing decision.