Forget robotic vacuums—Yarbo’s bladed robots pose an even greater security threat.
I’m lying on the ground as it approaches. It could drive its blades over me if Andreas Makris (who hacked it from nearly 6,000 miles away) doesn’t halt the 200-pound robot lawn mower in time. Makris has exposed Yarbo’s robot lawn mowers’ massive security flaws, and I’ve chosen to lie in its path to witness his control. By the time the mower reaches me, Makris has already demonstrated his control. These $5,000 devices are easily hackable by foreign operatives. Thousands of Yarbo robots worldwide now theoretically answer to him.
“I can do whatever I want with the bots,” Makris says. “It’s completely unsecured.”
Following in the footsteps of Sammy Azdoufal, who turned DJI Romo robot vacuums to his command, Makris shows how Yarbo’s robots are similarly vulnerable. Any user with access to one can control them all.
And these are bladed robots. Hackers can override safety features with built-in commands. Even if you hit the emergency stop, hackers can reactivate it, Makris claims.
Because these are full Linux computers with unchangeable root passwords, hackers can reprogram them remotely, spin blades, infiltrate your home network, or use them in botnet attacks.
Founded in 2015, Yarbo sells multifunction yard robots, including mowers, blowers, and trimmers—all moved by the same core robot, making them all potentially hackable.
Makris showcases a map pinpointing every Yarbo in the US and Europe, about 5,400 devices. He connects to a robot in upstate New York, controlling its camera and movement remotely. This control could also be used to spy or track military operations, as 12 Yarbo devices are located within 3 km of a major power plant, including one seemingly owned by a nuclear security analyst.
Additionally, Makris can extract owners’ emails, Wi-Fi passwords, and GPS coordinates of their homes. I verify his access by visiting properties where these robots were detected.
Wayne Yu, one owner, wasn’t fazed by this, accepting hacking as commonplace but feeling uneasy about hackers accessing his personal details. Similarly, Matt Petach, a former network architect, was unbothered, having treated the robot as a hostile entity.
Petach, however, was surprised by Yarbo’s practices: root passwords that revert to their defaults upon updates, keeping backdoors open. Makris has published his findings, despite common practice, to expose Yarbo’s poor security.
Yarbo claims headquarters in New York, but its listed location turns out to be a shared low-rise building. It’s actually Shenzhen-based Hanyang Tech.
Facing critique, Yarbo promises some improvements, but its statement suggests a lack of accountability. Makris, encountering resistance when notifying Yarbo of issues, believes public awareness is essential to drive change: “It’s the right thing to do, warning people that this bad design goes unchallenged.”
Yarbo’s credibility is questioned further by its interaction with reviewers and journalists, requesting non-disparagement agreements or only neutral reviews, requests our publication declined.
Despite Yarbo’s public response to security concerns, I test safety mechanisms in a controlled setting. I lay under the mower to see its hazard responses. Though the blades were off and it reversed, the heavy machine pinned me, exemplifying the risks of compromised gadget connectivity.
It’s alarming how easily such devices can impact personal safety and privacy, underscoring the need for rigorous device security in our connected world.
