
Yarbo issues a 1,200-word security plan after researchers showed its robot mowers can be hijacked

The Verge, 8 h ago
Robot lawn mower on a grass garden
Photo: Magic K / Pexels

Chinese robot lawn mower maker Yarbo has issued a 1,200-word response acknowledging serious security flaws in its devices, following a Verge story last week in which a security researcher demonstrated that the machines could be hijacked, exposing user data — GPS coordinates, Wi-Fi passwords, email addresses — and the machines themselves. The company has acknowledged the vulnerabilities, temporarily disabled remote access, and laid out a permanent remediation plan.

The security research was conducted by independent researcher Mike Walters. Walters showed that he could control any Yarbo robot mower he did not own, knowing only the last six characters of the device's MAC address and the first four digits of its serial number. Both pieces of information are visible on a small label on every Yarbo unit and can also be obtained remotely through a Yarbo dealer search. To demonstrate the vulnerability, Walters commandeered a robot mower, drove it around its owner's garden, and even drove it across a Verge reporter's path.

Yarbo's statement said: "We have comprehensively verified Mike Walters' findings. The vulnerabilities he describes existed exactly as described — our remote access system was not using sufficient security layers for customer authentication." The company formally thanked Walters for his findings and announced that a $5,000 independent security research bounty would launch in the coming months.

The seriousness of the flaws is amplified because robot lawn mowers can be physically dangerous. Yarbo's L20 and L25 models are about the size of a medium dog, roughly 25 kg, and equipped with rotating sharp blades. A hacker could drive one onto a neighbouring property rather than keeping it on the owner's, where it could pose a hazard to people, pets or small children. The reporter standing in the mower's path during Walters's demo served as a vivid warning of that physical risk.

Yarbo's announced plan has five main components. First, remote access has been disabled completely on a temporary basis; customers' devices currently work only over local Wi-Fi, with a new authentication protocol on top. That means customers lose meaningful elements of the app's functionality, for instance remote control while on holiday, but Yarbo says it prefers that loss until the fix is complete.

Second, MAC-address-plus-serial-number-based authentication has been removed altogether and replaced with an end-to-end encrypted, one-time-key system. Third, a mandatory firmware update is being pushed to all existing devices; the update also fixes seven additional security flaws Yarbo has separately disclosed. Fourth, Yarbo's cloud infrastructure is being completely rearchitected; the leaking storage bucket Walters discovered has been removed and the new architecture is being audited by AWS's dedicated security reviewers.

Fifth, Yarbo will appoint a third-party security audit firm, most likely Bishop Fox or Trail of Bits, and share the results publicly within the next several months. That sets a precedent for other robot lawn mower manufacturers (Robomow, Worx, Husqvarna, Toro): while Walters's research was specific to Yarbo, it shows that the sector's security is due closer scrutiny.

One point that has caught the attention of security researchers is that the architecture of Yarbo's vulnerabilities follows classic IoT (Internet of Things) bug archetypes. "Using static authentication credentials — that is, identity verification through static identifiers such as MAC addresses — is a design flaw identified in IoT devices since the early 2010s," said Professor Daniel Weitzner of MIT's Internet Policy Research Initiative. "That Yarbo is doing this in 2026 indicates the sector has yet to integrate adequately the basics of security."
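To make the design-flaw point concrete, here is an added illustration (not Yarbo's code, and not code from The Verge or from Walters) that models the two schemes side by side: a weak server that treats the values printed on the device label (MAC suffix plus serial prefix, as the article describes) as the credential, and a hardened server that requires a per-device secret provisioned at manufacture and a single-use server nonce. The hardened variant is one generic way to realise the "one-time-key" idea mentioned in the article; it is not a description of Yarbo's actual protocol. All class names, the device ids, the label values and the domain-separation string are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Domain-separation tag for the keyed MAC; an assumed value for this example only.
DOMAIN_TAG = b"mower-auth-demo-v1"


class IdentifierAuthServer:
    """Weak scheme: the device is 'authenticated' by values anyone can read
    off its label. Mirrors the flaw the article describes; do not build this."""

    def __init__(self, registry):
        # registry maps device_id -> (mac_suffix, serial_prefix); constructed data
        self.registry = registry

    def authorize(self, device_id, mac_suffix, serial_prefix):
        # Static, public identifiers compared as if they were a secret.
        return self.registry.get(device_id) == (mac_suffix, serial_prefix)


class ChallengeAuthServer:
    """Hardened scheme: a per-device secret never sent on the wire, plus a
    random single-use nonce with a short lifetime, so a captured response
    cannot be replayed and label values alone prove nothing."""

    def __init__(self, secrets_by_device, ttl_seconds=30):
        self._secrets = secrets_by_device   # device_id -> 32-byte key (assumed provisioning)
        self._pending = {}                  # nonce -> (device_id, expiry)
        self.ttl = ttl_seconds

    def challenge(self, device_id):
        # Unknown devices get no challenge at all.
        if device_id not in self._secrets:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, time.monotonic() + self.ttl)
        return nonce

    def verify(self, device_id, nonce, response):
        # pop() consumes the nonce: a second attempt with the same nonce fails.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        pending_id, expiry = entry
        if pending_id != device_id or time.monotonic() > expiry:
            return False
        expected = hmac.new(self._secrets[device_id], DOMAIN_TAG + nonce,
                            hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the expected MAC byte by byte.
        return hmac.compare_digest(expected, response)


def device_respond(device_secret, nonce):
    """What a legitimate device computes from its provisioned secret."""
    return hmac.new(device_secret, DOMAIN_TAG + nonce, hashlib.sha256).digest()


def run_demo():
    """Run both schemes on constructed data and report the outcomes."""
    label = ("A1B2C3", "2024")                      # constructed label values
    weak = IdentifierAuthServer({"mower-001": label})

    device_key = secrets.token_bytes(32)            # constructed per-device secret
    strong = ChallengeAuthServer({"mower-001": device_key})

    # Someone holding only the label values: passes the weak check outright.
    weak_accepts_label = weak.authorize("mower-001", *label)

    # Same party against the hardened server: no secret, so any response fails.
    nonce = strong.challenge("mower-001")
    guess = device_respond("".join(label).encode(), nonce)   # label bytes as a 'key'
    hardened_rejects_label = not strong.verify("mower-001", nonce, guess)

    # The real device: fresh nonce, correct secret, accepted once only.
    nonce = strong.challenge("mower-001")
    good = device_respond(device_key, nonce)
    first_ok = strong.verify("mower-001", nonce, good)
    replay_ok = strong.verify("mower-001", nonce, good)

    return {
        "weak_accepts_label_values": weak_accepts_label,
        "hardened_rejects_label_only": hardened_rejects_label,
        "hardened_accepts_real_device": first_ok,
        "hardened_rejects_replay": replay_ok,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The contrast a reviewer should take from this: in the weak server the "credential" is data the device already publishes, so possession proves nothing; in the hardened server the credential is a secret that never leaves the device, and each exchange is bound to a random nonce that is consumed on first use and expires, which is what turns an identifier into an actual proof of identity.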

The US regulatory framework for physically dangerous IoT devices (robot mowers, robot vacuums, smart door locks) is developing. The "US Cyber Trust Mark" programme, run by the Consumer Technology Institute (CTIA), launched in late 2025; it is a voluntary label scheme indicating that devices meet baseline security standards. Yarbo had not applied for the label. After Walters's research, Yarbo said it would apply for the programme and aim to earn the label by the end of 2026.

The financial impact on Yarbo is not yet clear. The company is privately held and exports to the US market from its main office in China. About 12,000 devices have been sold in the United States; those units are currently receiving the mandatory firmware update. According to the Verge reporter, order volumes at Yarbo's US distributor dropped 35 per cent in recent weeks. The company closed its statement: "We will do everything to regain our customers' trust. The vulnerabilities are an instructive mistake for us and a warning for the rest of the sector."

This article is an AI-curated summary based on The Verge. The illustration is a stock photo by Magic K from Pexels.