Security Researcher Demonstrates Remote Takeover of Yarbo Robot Lawn Mowers

A security researcher remotely took control of a 200-pound Yarbo robot lawn mower while it was operating in upstate New York and drove it over a person lying in its path to demonstrate security vulnerabilities. The researcher, Andreas Makris, was nearly 6,000 miles away and unable to physically reach the emergency stop button.

The demonstration occurred on May 7, 2026. The Verge reported that Makris had gained access to approximately 5,400 Yarbo devices in the United States and Europe, and was tracking more than 11,000 worldwide. " The robots, which use tank treads and modular attachments for mowing, trimming, leaf blowing, snow blowing and edging, run on a full Linux operating system.

The researcher found that access to one Yarbo robot grants access to all of them. He displayed a map showing locations of the devices and then took control of one that was actively mowing a field near a white house. Using an onscreen joystick, he directed its movement and camera while observing its live video feed.

Makris identified 12 Yarbo robots located within three kilometers of a major power plant. One of those robots appeared to be registered to a nuclear security analyst. He also extracted owners' email addresses, Wi-Fi passwords and exact GPS coordinates of their homes.

Four days after the initial demonstration, a reporter visited addresses provided by the hacked robots in the Silicon Valley foothills. At the first location, a Yarbo robot was found in the backyard exactly where the data indicated. The homeowner, Wayne Yu, confirmed that the email address and Wi-Fi passwords obtained by Makris belonged to him.

Yu, who purchased the robot to mow his steep hillside yard, said he was not surprised that devices can be hacked but expressed discomfort that a researcher halfway across the planet had obtained his personal information and led a reporter to his door.

"Not good. Not good," he repeated. Retired network architect Matt Petach, another Yarbo owner who was visited, was less surprised. He noted that his Wi-Fi password came from an isolated guest network set to reject unknown devices. Petach compared poorly secured gadgets to "a chainsaw without a handguard" and said users should treat such devices as hostile agents.

Makris reported that each Yarbo robot has the same hardcoded root password. Owners cannot permanently change it because firmware updates from the manufacturer reset the password to the default. The company also maintains a remote-access backdoor that is deployed automatically to every robot, cannot be disabled by the owner, and is restored if removed.

The vulnerabilities allow a hacker to override safety features, including the emergency stop button, spin up blades, probe home networks or incorporate the robots into botnets. Yarbo was founded in 2015 initially as a robot snowblower company. The company sent emails to Makris attempting to assure him that the remote backdoor cannot be abused.

Makris published his research on the same day as the demonstration, an action security researchers generally avoid.

“I can do whatever I want with all the bots. It’s completely unsecured.”