It’s the stuff of nightmares for the owners of billions of increasingly connected household devices, but a German hacker is making headlines after showing how a poorly designed remote-access feature let him take control of over 11,000 robotic lawnmowers in Australia and around the world.

Just as a robot vacuum cleaner cleans a home, the Wi-Fi-connected yard-maintenance devices, which are sold by Yarbo and cost over $7,000 each, automatically map yards and fields, and a modular design lets them mow lawns, blow leaves and clear snow.

They run on a Linux kernel and include a remote-access capability that lets engineers log on to the devices for diagnostics and upgrades. But, as German hacker Andreas Makris recently showed, the design has a major flaw: every unit ships with the same root password.

Even worse, if owners change the password, it is reset at the next firmware update. That guaranteed that Makris could not only log in to Yarbo devices around the world but also view their camera feeds, drive them around their owners’ yards, and read their GPS position to pinpoint their location.
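The two defects just described, a root password hash that is identical in every firmware image and an update payload that ships the credential database and so wipes whatever the owner set, are both visible in an extracted root filesystem before a device is ever powered on. The script below is an added example, not code from Yarbo, Makris or any vendor named here; it audits sample `/etc/shadow` contents and an update file list that are constructed for the illustration (the hashes are made up, shaped like crypt(3) SHA-512 entries). The same check applies to any Linux-based consumer device, such as the cameras discussed later, that bakes a fixed credential into its image.

```python
"""Audit firmware root filesystems for shared, baked-in credentials.

Added example (not the vendor's or the researcher's code). Inputs are the
/etc/shadow files as you would extract them from firmware images (e.g. with
binwalk/unsquashfs) plus the file list of an update payload. All sample data
below is constructed for this example.
"""

# Password-field values that mean "no usable password" in /etc/shadow.
LOCKED_MARKERS = {"*", "!", "!!", "x", "!*", "*LK*"}

# Constructed samples: two successive firmware versions ship the identical
# root hash (same salt, same digest), i.e. the same password on every unit.
SHADOW_V1 = """\
root:$6$deadbeef$H3Rm7QqfQ3YkTqXk0mBG6nIc7V0fZxq9E4PpO9c8uT1V0dMfHn4xZzE3u:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
sshd:!:19400:0:99999:7:::
"""
SHADOW_V2 = """\
root:$6$deadbeef$H3Rm7QqfQ3YkTqXk0mBG6nIc7V0fZxq9E4PpO9c8uT1V0dMfHn4xZzE3u:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
sshd:!:19500:0:99999:7:::
"""
# Hardened variant (constructed): root is locked in the image; a per-device
# credential is generated at first boot and kept in a persistent overlay.
SHADOW_HARDENED = """\
root:!:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
"""


def parse_shadow(text):
    """Return {user: password_field} for every well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def account_state(pw_field):
    """Classify a shadow password field: 'locked', 'empty' or 'hashed'.
    'empty' means the account can log in with no password at all."""
    if pw_field in LOCKED_MARKERS or pw_field.startswith("!"):
        return "locked"
    if pw_field == "":
        return "empty"
    return "hashed"


def find_shared_credentials(images):
    """images: {image_name: shadow_text}. Return {user: [image names]} for each
    account whose usable hash is byte-identical in more than one image. Because
    crypt(3) salts the hash, an identical field means an identical password."""
    seen = {}  # (user, hash) -> [image names]
    for name, text in images.items():
        for user, pw in parse_shadow(text).items():
            if account_state(pw) == "hashed":
                seen.setdefault((user, pw), []).append(name)
    return {user: names for (user, _pw), names in seen.items() if len(names) > 1}


def find_empty_passwords(images):
    """Return {user: [image names]} for accounts with an empty password field."""
    found = {}
    for name, text in images.items():
        for user, pw in parse_shadow(text).items():
            if account_state(pw) == "empty":
                found.setdefault(user, []).append(name)
    return found


def update_overwrites_credentials(update_paths):
    """True if an update payload ships the credential database itself, so
    applying it replaces whatever the owner set (the reset-on-update defect)."""
    cred_files = {"etc/shadow", "etc/shadow-", "etc/passwd", "etc/gshadow"}
    return any(p.lstrip("/") in cred_files for p in update_paths)


def audit(images, update_paths):
    """Combine the three checks into one report dict."""
    return {
        "shared_hashes": find_shared_credentials(images),
        "empty_passwords": find_empty_passwords(images),
        "update_resets_credentials": update_overwrites_credentials(update_paths),
    }


if __name__ == "__main__":
    # Constructed update file list: a full-rootfs update that includes /etc/shadow.
    update_files = ["bin/busybox", "lib/libc.so.6", "etc/shadow", "usr/bin/diag"]
    print(audit({"v1.0": SHADOW_V1, "v1.1": SHADOW_V2}, update_files))
    print(audit({"hardened": SHADOW_HARDENED}, ["bin/busybox", "lib/libc.so.6"]))
```

Extracting the same file from several firmware versions, or from several devices, and feeding them to `find_shared_credentials` is the quickest way to confirm a fleet-wide static credential; a clean result from `update_overwrites_credentials` is what you would expect from an update mechanism that leaves owner-set passwords alone.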

Given that a Yarbo’s blades are sharp and spin rapidly, the danger of malicious outsiders controlling the devices is far from theoretical: hackers can override the built-in safety mechanisms, as one journalist demonstrated by letting Makris run him over with a Yarbo.

Worse still, these weaknesses ship in devices from a company that is 11 years old and that have been deployed across all kinds of environments, including 12 Yarbos that Makris identified within 3 km of major US nuclear power plants.

More concerning still, while Yarbo claims to be based in the US, Makris found that the devices actually route their data to TikTok owner ByteDance, and that the company appears to be based in Shenzhen, China, where smart-device makers are a dime a dozen but security is routinely subpar.

Rise of the machines

The prospect of a faraway hacker chasing your dog around the property while steering your lawnmower with a joystick may sound like something straight out of tech-dystopian films like Transformers and Maximum Overdrive, but knowing that it’s entirely feasible is even scarier.

Makris has documented his findings on GitHub and shared them with Yarbo, which initially downplayed the remote access as an intentional feature but later committed to fixing at least part of the problem. In going public, he has been quick to warn that this is no isolated incident.

French researcher Sammy Azdoufal has also been making headlines after finding ways to easily hack other home devices, including DJI’s new Romo robovac and, more recently, some 1.1 million baby monitors and security cameras whose feeds, he found, anyone can easily view.

It turns out those cameras, made by Meari Technology, built into widely sold consumer brands including Arenti, Boifun, ieGeek and Wyze, and installed in homes across 118 countries, can be accessed with a single click because they all use the same weak default passwords.

Even worse, the devices route all video through the company’s servers in China, meaning hackers can not only watch live feeds from any of the cameras but also view stored photos and videos, along with customers’ personal details and locations.

Azdoufal tried to notify the manufacturer of the security deficiencies but was ignored until he accessed the company’s employee database; ultimately, he found little clear resolution beyond the company paying him a $45,000 (€24,000) bug bounty.

A big problem gets even bigger

After Makris’s disclosure, Yarbo investigated the security issue and co-founder Kenneth Kohlmann issued a statement that blamed “historical design choices in parts of Yarbo’s remote diagnostic, access management, and data handling systems”.

A code review “identified areas where access permissions, backend system configurations, and data flows between devices and cloud services require stronger protections and stricter controls,” with Yarbo “working on remediation as the highest priority”.

Weaknesses in connected cars, medical devices and other equipment have been warned about for years; yet despite efforts to improve technical standards and industry practice, each new vulnerability confirms that insecure practices continue to plague the ever-growing supply of connected devices.

With most IoT devices still made in China, running opaque software from largely unaccountable firms, products from that country have been a particular focus for security researchers, with repeated warnings about the risks of smart doorbells and other devices.