Yarbo Confirms Researcher’s Security Findings, Shuts Down Remote Access and Begins Firmware Update
Yarbo has confirmed a security researcher's findings that exposed GPS coordinates, Wi-Fi passwords and email addresses from thousands of its devices. The company issued a 1,200-word response written by its co-founder, temporarily cut remote access and said the first wave of security updates will roll out within one week.
Yarbo has confirmed serious vulnerabilities in its robot lawn mowers' remote diagnostic, credential management and data-handling systems and has temporarily cut off remote access to the devices. The company issued a 1,200-word public response on May 8, 2026, written directly by co-founder Kenneth Kohlmann.
The response confirms the findings of a detailed security report published May 7, 2026, by researcher Andreas Makris.
The Verge reported that the flaws exposed users' GPS coordinates, Wi-Fi passwords, email addresses and more, and that thousands of the Chinese-made, bladed robots could be hijacked with ease. According to The Verge, the same root password was used on every single robot and was stored in places where attackers could easily find it.
Yarbo previously claimed that its remote access was only available to authorized employees, but that was not the case.
"In the future, each device will use its own independent credentials to prevent one affected device from impacting the entire fleet," Yarbo stated. The company said it will maintain a remote backdoor into its robots, limited to authorized internal company personnel, usable only after user authorization and subject to audit logging.
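The design change Yarbo describes, from one root password shared by every robot to an independent credential per device, is shown below as an added illustration. This is not Yarbo's or the researcher's code; the device serials, the example root password, the 256-bit random credential format and the in-memory provisioning store are assumptions. The point it makes concrete is blast radius: a credential pulled off one compromised unit must not log in to any other unit, and revoking that unit must not require a fleet-wide reset.

```python
"""Shared fleet root password versus per-device credentials.

Added illustration of the credential change Yarbo describes; not Yarbo's code.
Device serials, the example root password and the credential format are
assumptions chosen to show how far a single compromised unit can reach.
"""
import hashlib
import hmac
import secrets


def _verifier(secret: bytes) -> bytes:
    """What a unit stores: a hash of the credential, never the credential itself."""
    return hashlib.sha256(secret).digest()


class SharedRootPasswordFleet:
    """'Before' design: every unit ships with the same root password."""

    def __init__(self, root_password: bytes) -> None:
        self._verifier = _verifier(root_password)  # identical on every unit

    def login(self, device_id: str, presented: bytes) -> bool:
        # device_id plays no part: the credential is fleet-wide
        return hmac.compare_digest(self._verifier, _verifier(presented))


class PerDeviceCredentialFleet:
    """'After' design: each unit is provisioned with its own random credential.

    Only the per-device verifier is stored; the provisioning system hands the
    credential to the unit once and keeps no shared master secret.
    """

    def __init__(self) -> None:
        self._verifiers: dict[str, bytes] = {}  # assumed in-memory store

    def provision(self, device_id: str) -> bytes:
        if device_id in self._verifiers:
            raise ValueError(f"{device_id} already provisioned; rotate instead of reusing")
        credential = secrets.token_bytes(32)  # 256-bit random, unique per unit
        self._verifiers[device_id] = _verifier(credential)
        return credential  # delivered to the unit at provisioning time

    def revoke(self, device_id: str) -> None:
        """Revoking one compromised unit touches nothing else in the fleet."""
        self._verifiers.pop(device_id, None)

    def login(self, device_id: str, presented: bytes) -> bool:
        stored = self._verifiers.get(device_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _verifier(presented))


def blast_radius(fleet, device_ids, leaked_credential: bytes) -> int:
    """Number of units that accept a credential extracted from one compromised unit."""
    return sum(1 for d in device_ids if fleet.login(d, leaked_credential))


def compare_designs(n_devices: int = 1000) -> tuple[int, int]:
    """Returns (units reachable under the shared password, units reachable per-device)."""
    device_ids = [f"YARBO-EXAMPLE-{i:05d}" for i in range(n_devices)]  # constructed serials

    # Before: one root password everywhere; an attacker reads it off a single unit.
    root_password = b"example-fleet-root-password"
    shared = SharedRootPasswordFleet(root_password)
    shared_hits = blast_radius(shared, device_ids, root_password)

    # After: attacker extracts unit 0's credential; it opens unit 0 and nothing else.
    per_device = PerDeviceCredentialFleet()
    creds = {d: per_device.provision(d) for d in device_ids}
    per_device_hits = blast_radius(per_device, device_ids, creds[device_ids[0]])

    # Revoking the compromised unit closes even that login; its neighbour is unaffected.
    per_device.revoke(device_ids[0])
    assert not per_device.login(device_ids[0], creds[device_ids[0]])
    assert per_device.login(device_ids[1], creds[device_ids[1]])

    return shared_hits, per_device_hits


if __name__ == "__main__":
    print(compare_designs())  # (1000, 1)
```

The two things worth checking when reviewing a fix like this on a real fleet are that the unit holds only a verifier (so dumping its filesystem yields nothing reusable elsewhere) and that revocation is per unit. Per-device credentials bound the damage of one compromised robot; they do not by themselves address the remote diagnostic tunnel or the data-handling findings, which Yarbo says it is treating separately.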
Yarbo's first wave of security updates is expected to begin rolling out within one week of May 8, 2026.
A security firmware update is being pushed to all Yarbo devices. Users must connect their devices to the internet to receive it, though they may return to preferred network settings afterward or remain offline without affecting warranty or service coverage. Historical servers and legacy access channels will continue to be phased out one by one.
Yarbo is accelerating OTA security updates and additional server-side protections. The issues primarily relate to historical design choices in parts of Yarbo's remote diagnostic, access management and data-handling systems, Kenneth Kohlmann stated, and certain legacy support and maintenance capabilities did not give users sufficient visibility or control. Some authentication and credential management mechanisms did not meet the security standards expected of today's products, and some findings involve historical infrastructure, legacy cloud services, dealer-specific customizations or internal test configurations.
Andreas Makris' report also describes how the remote-access tooling persists on the device: the FRP client may be restarted by scheduled tasks or service recovery mechanisms, and file monitoring behavior can restore certain deleted files or services. In practice that means a user who removes the client locally may find it reinstated, which is why the remediation rests on the server-side cutoff and the firmware update rather than on local clean-up.
Yarbo says it is strengthening access control standards, improving its authentication and authorization models, and increasing user visibility and control over remote diagnostic features. The company has initiated direct communication with Andreas Makris and established a dedicated security response center.
The researcher said the company has assured him that these fixes are its highest priority.
Yarbo has also opened a security@yarbo.com contact channel and is exploring the possibility of establishing a formal bug bounty program. Yarbo sincerely apologizes for the impact this situation has created, Kenneth Kohlmann stated.
Sean Hollister published an article on The Verge dated May 8, 2026, at 7:14 PM UTC detailing Yarbo's response. The Verge had previously reported that thousands of Yarbo robot lawn mowers could be hijacked with ease.
The company said its engineering, product, legal and customer support teams are treating remediation as the highest priority. It committed to expanding internal security review, remediation and governance processes for stronger long-term practices.
Story Timeline (4 events)
- 2026-05-08 19:14 UTC: Sean Hollister publishes The Verge article detailing Yarbo's 1,200-word response confirming the vulnerabilities (source: The Verge)
- 2026-05-08: Yarbo issues public response written by co-founder Kenneth Kohlmann, announces temporary remote access cutoff, firmware update push, and security@yarbo.com channel (sources: Yarbo, The Verge)
- 2026-05-07: Andreas Makris publishes detailed security report identifying vulnerabilities in remote diagnostic, credential management and data-handling systems (source: Kenneth Kohlmann via The Verge)
- 2026-05-08: Yarbo initiates direct communication with Andreas Makris and establishes dedicated security response center (source: Andreas Makris)
Potential Impact
1. Customers must connect devices to the internet for the mandatory firmware update or risk continued exposure.
2. Launch of the security@yarbo.com channel and a possible bug bounty program may improve future vulnerability disclosure.
3. User trust may be restored if independent per-device credentials and audit logging are implemented as described.
4. Phasing out legacy systems reduces the attack surface but takes time, during which some devices may remain partially vulnerable.