Quick Facts
- Category: Robotics & IoT
- Published: 2026-05-12 09:39:41
Overview
In early 2025, security researchers uncovered a critical vulnerability in Yarbo’s robot lawn mowers: an intentional backdoor that allowed remote attackers to hijack the devices, access GPS coordinates, and expose user email addresses. The company initially downplayed the issue but has now committed to fully removing the backdoor and giving customers the choice to install the feature. This tutorial walks you through what happened, why it matters, and how you can ensure your mower is secure. You’ll learn about the vulnerability, the remediation steps Yarbo is taking, and practical actions you can take to protect your privacy and safety.

Prerequisites
Understanding the Vulnerability
The backdoor was a hidden internet‐accessible service that allowed anyone with the right tools—like security researcher Andreas Makris—to remotely reprogram the mower. This meant a bad actor could order the robot to run over obstacles, change its path, or even access stored credentials. The backdoor also leaked GPS coordinates and email addresses.
What You Need
- A Yarbo robot lawn mower (any model with internet connectivity)
- The Yarbo mobile app installed on your smartphone
- Internet access for firmware updates
- Basic familiarity with the app’s settings menu
If you haven’t yet set up Wi‑Fi on your mower, complete that first. This guide assumes you already have the mower paired and operational.
Step-by-Step Instructions
Step 1: Verify Current Firmware Version
In the Yarbo app, navigate to Settings > About Device. Note the firmware number. If it’s older than v3.8.2, you’ll need to update to benefit from the backdoor removal.
Step 2: Check for Available Updates
Go to Settings > System Update. Tap Check Now. If an update is available, download and install it. The update will remove the intentional backdoor completely.
Step 3: Opt Out of Remote Access (Post‑Update)
The update introduces a toggle for the remote access feature, and it is turned off by default. To verify, navigate to Security > Remote Access and confirm that the switch is grayed out (disabled). Leaving it disabled is recommended. If you ever need remote troubleshooting, you can turn it on temporarily, but Yarbo recommends keeping it off.
Step 4: Review Privacy Settings
Next, go to Privacy > Location Services. Ensure that GPS sharing is limited to “while using the app” or disabled entirely. The vulnerability exposed GPS data because it was shared even when the app was not active.
Step 5: Change Your Account Password
Since the backdoor could have exposed email addresses, change your Yarbo account password: Settings > Account > Change Password. Use a strong, unique password. Enable two‑factor authentication if available.
Step 6: Confirm No Intruders
Check the mower’s activity history: History > Recent Sessions. Look for any sessions from unknown IP addresses or times you were not operating the mower. If you find suspicious activity, contact Yarbo support immediately.

Step 7: Test the Backdoor Has Been Removed
For advanced users, you can verify the port that housed the backdoor is no longer open. Using a network scanning tool on your home Wi‑Fi (e.g., nmap), scan the mower’s IP address. The backdoor previously listened on TCP port 9999 and UDP port 9999. After the update, these ports should be closed. Example command: nmap -p 9999 <mower_IP> should show “filtered” or “closed”. If they are open, the update may not have applied correctly—re‑run the update.
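The checks from Steps 1 and 7 as a script, added here as an example (it is not Yarbo's or the researcher's code, and the function names are illustrative). Because nmap -p 9999 on its own probes TCP only, the script also sends a UDP probe; it assumes the mower is reachable on your LAN at the IP you pass in.

```python
import socket

BACKDOOR_PORT = 9999          # TCP and UDP port named in the article
PATCHED_FIRMWARE = (3, 8, 2)  # v3.8.2, the fixed version named in Step 1

def needs_update(firmware):
    """True when a version string such as 'v3.7.10' is older than v3.8.2."""
    parts = tuple(int(p) for p in firmware.strip().lstrip("vV").split("."))
    return parts < PATCHED_FIRMWARE

def tcp_state(host, port=BACKDOOR_PORT, timeout=3.0):
    """Classify a TCP port as nmap would: open, closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"        # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"      # RST received: host is up, nothing listening
        except OSError:
            return "filtered"    # timeout or no route: packets may be dropped

def udp_state(host, port=BACKDOOR_PORT, timeout=3.0):
    """UDP has no handshake, so only a reply or an ICMP error is conclusive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            sock.send(b"\x00")   # harmless one-byte probe
            sock.recv(1024)
            return "open"        # the service answered
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"      # ICMP port unreachable came back
        except OSError:
            return "open|filtered"  # silence: listening or dropped, unknown

def audit(host, firmware, port=BACKDOOR_PORT):
    """Return the problems found; an empty list means the checks passed."""
    problems = []
    if needs_update(firmware):
        problems.append("firmware %s is older than v3.8.2" % firmware)
    if tcp_state(host, port) == "open":
        problems.append("TCP %d is still open" % port)
    if udp_state(host, port) == "open":
        problems.append("UDP %d answered a probe" % port)
    return problems
```

Call audit("<mower_IP>", "<firmware from Settings > About Device>") from a machine on the same Wi‑Fi. A UDP result of "open|filtered" is inconclusive, not a pass.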
Common Mistakes
Mistake 1: Skipping the Firmware Update
Some users postpone updates because they seem inconvenient. With this vulnerability, skipping the update leaves your mower exploitable. Always apply security patches promptly.
Mistake 2: Re‑enabling Remote Access Permanently
After the update, you can toggle remote access on. Only do this if you absolutely need it, and turn it off immediately after use. Leaving it on recreates a backdoor—though now it’s intentional and user‑controlled.
Mistake 3: Ignoring Privacy Settings
Even with the backdoor removed, leaving GPS sharing broadly enabled could still leak location data if other vulnerabilities are found. Restrict GPS access to “while using the app”.
Mistake 4: Not Changing Passwords
Exposure of email addresses means your account could be targeted for credential stuffing. Always change your password after a security incident.
Summary
Yarbo has responded to the security researcher’s findings by removing the intentional backdoor and giving users control over remote access. Follow the steps in this guide to update your mower’s firmware, disable unnecessary remote access, adjust GPS permissions, and change your password. These actions will close the known vulnerability and reduce the risk of future exploits. Regularly check for firmware updates and stay informed about security advisories from Yarbo.