
Yarbo Outlines Comprehensive Security Fixes After Researcher Report

Yarbo issued a 1,200-word response confirming security researcher Andreas Makris's findings that thousands of its robot lawn mowers could be hijacked. The company has already disabled remote diagnostic tunnels, reset root passwords and begun rolling out a security firmware update.

The Verge · 1 source · May 9, 12:38 AM · 3m read

Yarbo has confirmed the findings of a detailed security report published by researcher Andreas Makris on May 7, 2026, and outlined an extensive remediation plan in a 1,200-word public response released the following day. Sean Hollister's article on the Yarbo robot mower security vulnerabilities was published on May 8, 2026 at 7:14 PM UTC.

The Verge previously reported that thousands of Yarbo robot lawn mowers could be hijacked, exposing GPS coordinates, Wi-Fi passwords, email addresses and more.

Yarbo’s response was written by Kenneth Kohlmann, co-founder of Yarbo, and addressed directly to customers. “In the future, each device will use its own independent credentials to prevent one affected device from impacting the entire fleet,” Yarbo writes. The company has already taken several immediate steps.

It temporarily disabled the relevant remote diagnostic tunnels. It completed a reset of device root passwords to block the shared-credential risk and closed or restricted certain unauthenticated status-query and reporting endpoints. Yarbo has begun reducing unnecessary legacy access paths and tightening backend permissions.

It is using OTA updates to advance credential rotation and device-level independent credential mechanisms. A security firmware update is being pushed to all Yarbo devices. Yarbo advised customers to connect their device to the internet to receive the security firmware update and then return to preferred network settings.

The company stated that keeping a device offline will not affect warranty or service coverage. In its ongoing work, Yarbo is implementing an allowlist-based, user-authorized, and auditable remote diagnostic model with the first phase expected within one week.

Remote diagnostic access will be limited to authorized internal company personnel, may only be used after user authorization, and will be gradually brought under audit logging, Yarbo stated through Kenneth Kohlmann.
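The allowlist-based, user-authorized and audited model described above can be sketched as a small access gate. The following is an added example, not Yarbo's code; the class names, the time-boxed grant shape and the audit record fields are assumptions made for the illustration. It shows the three conditions in order: the requester must be on the internal allowlist, the device owner must have authorized a diagnostic window, and that window must not have expired, with every decision (allow or deny, and why) appended to an audit log.

```python
"""Allowlist-based, user-authorized, audited remote diagnostic access gate.

Added illustration of the remote-diagnostic model the article describes.
Not Yarbo's code: names, data shapes and policy are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DiagnosticGrant:
    """A device owner's time-boxed authorization for one device."""
    device_id: str
    granted_by: str          # the owner who approved the session
    expires_at: datetime


@dataclass
class DiagnosticGate:
    allowed_staff: set                       # allowlist of internal personnel ids
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, event: str, **fields) -> None:
        # Every decision is logged, including denials and the reason for them.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(fields)
        self.audit_log.append(entry)

    def authorize(self, device_id: str, owner: str, ttl: timedelta,
                  now: Optional[datetime] = None) -> DiagnosticGrant:
        """Device owner grants a diagnostic window that closes by itself."""
        now = now or datetime.now(timezone.utc)
        grant = DiagnosticGrant(device_id, owner, now + ttl)
        self.grants[device_id] = grant
        self._record("grant", device_id=device_id, owner=owner,
                     ttl_s=int(ttl.total_seconds()))
        return grant

    def open_session(self, staff_id: str, device_id: str,
                     now: Optional[datetime] = None) -> bool:
        """Return True only if allowlisted staff act within a live owner grant."""
        now = now or datetime.now(timezone.utc)
        if staff_id not in self.allowed_staff:
            self._record("deny", reason="not_allowlisted",
                         staff=staff_id, device_id=device_id)
            return False
        grant = self.grants.get(device_id)
        if grant is None:
            self._record("deny", reason="no_user_authorization",
                         staff=staff_id, device_id=device_id)
            return False
        if now >= grant.expires_at:
            self._record("deny", reason="authorization_expired",
                         staff=staff_id, device_id=device_id)
            return False
        self._record("allow", staff=staff_id, device_id=device_id,
                     granted_by=grant.granted_by)
        return True


if __name__ == "__main__":
    # Constructed walk-through: one allowlisted support engineer, one device.
    gate = DiagnosticGate(allowed_staff={"support-17"})
    print(gate.open_session("support-17", "yb-0001"))      # False: no owner grant
    gate.authorize("yb-0001", "owner@example.invalid", timedelta(minutes=30))
    print(gate.open_session("support-17", "yb-0001"))      # True
    print(gate.open_session("outsider-99", "yb-0001"))     # False: not allowlisted
    for entry in gate.audit_log:
        print(entry)
```

The point of the grant's expiry is that access is not a standing capability: an engineer on the allowlist still cannot reach a device unless its owner opened a window, and the window closes without anyone having to revoke it.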

The company is building and testing a robot credential management service so that device passwords are no longer hardcoded in firmware, scripts or databases. Credentials will be dynamically derived based on device identity. Yarbo is hardening other authentication services with fixes in testing stage to be released through OTA updates.
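To make concrete what "dynamically derived based on device identity" buys a fleet, the following added example contrasts the shared-credential model with a per-device derivation. It is not Yarbo's code or scheme; the HKDF construction (RFC 5869 with SHA-256), the info labels, the salt string and the rotation epoch are assumptions chosen for the illustration. The `blast_radius` helper shows the difference that matters: with a shared password, one leaked device credential is valid for every device, while a derived credential is valid only for the device it was derived for, and bumping the epoch rotates the whole fleet without touching firmware.

```python
"""Per-device credentials derived from device identity (added example).

Not Yarbo's code. Demonstrates why a credential derived from a backend-held
master secret plus the device id limits the blast radius of a single leak,
compared with one root password shared across a fleet.
"""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()        # Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Assumed labels for this example; a real deployment picks its own.
FLEET_SALT = b"fleet-credential-salt-v1"


def derive_device_credential(master_secret: bytes, device_id: str, epoch: int) -> str:
    """Credential for one device and one rotation epoch; never stored in firmware."""
    info = b"device-root-credential|" + device_id.encode() + b"|epoch=%d" % epoch
    return hkdf_sha256(master_secret, FLEET_SALT, info, 32).hex()


# Constructed stand-in for the old model: one password for every unit.
SHARED_ROOT_PASSWORD = "fleet-root-2019"


def shared_model(device_ids) -> dict:
    return {d: SHARED_ROOT_PASSWORD for d in device_ids}


def per_device_model(master_secret: bytes, device_ids, epoch: int) -> dict:
    return {d: derive_device_credential(master_secret, d, epoch) for d in device_ids}


def blast_radius(credentials: dict, leaked_device: str) -> list:
    """Devices the leaked credential also opens (always includes the leaked one)."""
    leaked = credentials[leaked_device]
    return sorted(d for d, c in credentials.items() if hmac.compare_digest(c, leaked))


if __name__ == "__main__":
    ids = ["yb-0001", "yb-0002", "yb-0003"]           # constructed device ids
    master = secrets.token_bytes(32)                   # held by the backend only
    print("shared model leak opens:", blast_radius(shared_model(ids), "yb-0001"))
    print("derived model leak opens:", blast_radius(per_device_model(master, ids, 1), "yb-0001"))
    print("epoch 1:", derive_device_credential(master, "yb-0001", 1)[:16], "...")
    print("epoch 2:", derive_device_credential(master, "yb-0001", 2)[:16], "...")
```

Because the derivation is deterministic, the backend needs to store only the master secret and the current epoch, not a table of passwords; because HKDF output is not invertible, an attacker who extracts one device's credential learns nothing about the master secret or any sibling device.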

Yarbo is adjusting topic permissions to reduce fleet-level shared access and limit the scope of each credential. It is testing cleanup measures including removing unnecessary reporting scripts, legacy cloud service dependencies, third-party agents and non-essential DNS fallback configurations.

The company is accelerating OTA security updates and additional server-side protections with the first wave expected to begin rolling out within one week.

The company is exploring the possibility of establishing a formal bug bounty program. Andreas Makris, the security researcher who discovered the Yarbo vulnerabilities, stated that Yarbo assured him the fixes are their highest priority.

Yarbo initiated direct communication with Andreas Makris and established a dedicated security response center. Kohlmann acknowledged that the issues primarily relate to historical design choices in remote diagnostic, access management and data-handling systems.

He apologized for the impact on customers and said the company’s engineering, product, legal and customer support teams are treating remediation as the highest priority.

The Verge reported that Yarbo’s statement tries to frame many of the problems as tied to “historical” or “legacy” services. Makris has not yet been able to verify whether his previous access methods remain possible after the company’s initial changes.

Yarbo’s response also addresses specific points in Makris’s report, including FRP Auto-Restart and Persistence mechanisms as well as file monitoring and self-recovery features.

The company said it is reviewing which components should be removed, simplified or placed under user control while distinguishing findings that apply to currently shipped production units from those involving historical infrastructure or test configurations.

The company said its remediation effort is not limited to a single fix or software update. It is using the process to strengthen long-term security architecture, governance standards, access control, authentication models, user visibility and reduction of unnecessary legacy support mechanisms.
