Security Concerns with Yarbo Robotic Mowers

2 weeks ago 0

A recent independent security report has highlighted vulnerabilities in Yarbo robots, which include robotic lawn mowers and snow blowers. According to security researcher Andreas Makris, these robots have serious flaws that could enable remote access, live camera viewing, and theft of Wi-Fi credentials. Approximately 6,000 units are reportedly affected by these issues.

Yarbo responded to the findings on its website, acknowledging the vulnerabilities and stating they are working on security improvements. The report raises significant concerns about the level of access these devices might have within home networks.

Security Risks Identified

The report outlines that Yarbo robots are shipped with a persistent remote access setup. This setup uses a tunnel to connect to the internet, allowing potentially unauthorized access. The robots have a hardcoded root password shared among all units, and a remote connection tied to the serial number. ‘Root’ access grants significant control over the device, similar to administrative authority, which could pose security risks if accessed improperly.

This remote tunnel can operate autonomously, restarting if interrupted and returning if removed, which owners might not control via their apps. This built-in remote access is meant for diagnostics and support but introduces risks if exploited by attackers.

Potential Impact on Home Networks

Smart devices generally require internet connections. They depend on this for app controls, updates, diagnostics, and support. However, the report suggests that Yarbo’s setup inherently includes remote access. This could allow attackers to infiltrate the robot and use it as a gateway into the owner’s network.

The concern extends to camera access. If someone gains root access through the remote tunnel, they could view camera feeds, seeing areas like driveways or gardens. This level of surveillance needs as much consideration as indoor cameras.

Response from Yarbo

After the report’s release, Yarbo admitted the core findings were correct, pointing to historical design decisions as part of the issue. They have begun addressing these concerns by removing shared credentials and disabling certain remote-access paths. Updates to the Yarbo app aim to eliminate static credentials and unnecessary network configurations.

Yarbo plans to upgrade its credential management system to use individual device credentials, allowing for unique access controls. These changes reflect a broader remediation effort following the report’s release.

Privacy and Data Connection Issues

The report also identified network connections to Hanyangtech (Yarbo’s parent company in China), ByteDance Feishu, Tencent TDMQ, and Chinese DNS resolvers. Some telemetry data is sent to ByteDance, raising questions about where data goes and who has access to it.

Transparency is key. Homeowners should understand where their device sends data and ensure such connections are essential.

Recommendations for Yarbo Owners

  • Place the robot on a guest network separate from main devices like laptops and phones.
  • Change your Wi-Fi password if concerned about exposure, using a strong and unique password stored in a password manager.
  • Regularly check your router for unfamiliar connected devices, removing any you do not recognize.
  • Use router settings to isolate guest devices, so a compromised robot cannot reach other devices on the network.
  • Contact Yarbo with specific security questions, ensuring all remote diagnostics are secure.
  • Keep the device updated through isolated network connections to ensure security without compromising other devices.
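As an added example (not code from the article, from Yarbo, or from the researcher), the following Python script implements two of the owner checks above: comparing the router’s DHCP lease table against an inventory of recognised devices and confirming that the robot actually sits on the guest subnet, and reviewing the robot’s DNS queries against an allowlist so the owner can see where it sends data. The lease lines, log lines, device inventory, subnet layout and domain names are all constructed assumptions in dnsmasq formats; a real router exports the same information under different names.

```python
"""Home-network audit helpers: unfamiliar devices, guest-network placement,
and unexpected DNS destinations for an IoT robot.

Added example; all inputs below are constructed, not captured from a real
Yarbo device or router.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


# Constructed sample in dnsmasq lease-file format:
# <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.11 phone *
1700000000 de:ad:be:ef:00:03 192.168.50.20 yarbo-robot *
1700000000 de:ad:be:ef:00:04 192.168.50.21 * *
1700000000 de:ad:be:ef:00:05 192.168.1.12 smart-plug *
"""

# Assumed inventory the owner maintains: MAC -> (label, network it belongs on).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("laptop", "main"),
    "aa:bb:cc:00:00:02": ("phone", "main"),
    "de:ad:be:ef:00:03": ("yarbo-robot", "guest"),
    "de:ad:be:ef:00:05": ("smart-plug", "guest"),
}

# Assumed layout: guest devices live on 192.168.50.0/24; everything else is the main LAN.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed syslog lines from dnsmasq with query logging (log-queries) enabled.
SAMPLE_DNS_LOG = """\
Jan  1 12:00:01 router dnsmasq[123]: query[A] updates.vendor.example from 192.168.50.20
Jan  1 12:00:02 router dnsmasq[123]: query[A] telemetry.thirdparty.example from 192.168.50.20
Jan  1 12:00:03 router dnsmasq[123]: cached updates.vendor.example is 203.0.113.5
Jan  1 12:00:04 router dnsmasq[123]: query[AAAA] mail.example from 192.168.1.10
"""

# Assumed allowlist: domain suffixes the owner accepts for the robot (the vendor's own).
ROBOT_ALLOWED_SUFFIXES = ("vendor.example",)

DNS_QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)")


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq lease lines; malformed or short lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def unknown_devices(leases: list[Lease], known: dict) -> list[Lease]:
    """Leases whose MAC is not in the inventory: candidates to investigate or remove."""
    return [lease for lease in leases if lease.mac not in known]


def misplaced_devices(leases: list[Lease], known: dict, guest_net) -> list[Lease]:
    """Known devices on the wrong side of the guest/main split (e.g. robot on the main LAN)."""
    out = []
    for lease in leases:
        if lease.mac not in known:
            continue
        _, expected = known[lease.mac]
        on_guest = ipaddress.ip_address(lease.ip) in guest_net
        if (expected == "guest") != on_guest:
            out.append(lease)
    return out


def parse_dns_queries(text: str) -> list[tuple[str, str]]:
    """(source ip, queried name) for each dnsmasq query line; answer/cache lines are ignored."""
    out = []
    for line in text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m:
            out.append((m.group("src"), m.group("name").rstrip(".").lower()))
    return out


def unexpected_destinations(queries, device_ip: str, allowed_suffixes) -> set[str]:
    """Names the given device resolved that are outside the allowlist."""
    def allowed(name: str) -> bool:
        return any(name == s or name.endswith("." + s) for s in allowed_suffixes)
    return {name for src, name in queries if src == device_ip and not allowed(name)}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("unknown:", [lease.ip for lease in unknown_devices(leases, KNOWN_DEVICES)])
    print("misplaced:", [lease.hostname for lease in misplaced_devices(leases, KNOWN_DEVICES, GUEST_NET)])
    queries = parse_dns_queries(SAMPLE_DNS_LOG)
    print("robot contacted:", unexpected_destinations(queries, "192.168.50.20", ROBOT_ALLOWED_SUFFIXES))
```

Run against a real export, the script flags three things worth acting on: a lease with no inventory entry, a device that the inventory says belongs on the guest network but that obtained a main-LAN address, and any name the robot resolved that is not under the vendor’s domain. The DNS check only sees names, not the traffic itself, so a destination that appears there still has to be judged on whether the connection is essential.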

Owners should treat these devices with the same scrutiny as other connected systems, understanding the potential risks involved. For further information and updates, visit Yarbo’s Security Center.
