Your Yarbo lawnmower is a backdoor into your Wi-Fi network

Daniel Sims

Staff
Facepalm: Internet-of-things devices such as cameras, doorbells, robot vacuums, and other connected household products carry well-documented security risks, but Yarbo's lawnmowers represent one of the most egregious examples in recent memory. Every unit sold worldwide is effectively a backdoor into the owner's Wi-Fi network, and there appears to be little users can do about it.

Security researcher Andreas Makris recently outlined exploits that could allow hackers to hijack thousands of Yarbo lawnmowers sold across more than 30 countries. According to Makris, all units ship with a preinstalled backdoor capable of exposing owners' private information, and the vulnerability cannot currently be disabled.

Yarbo sells internet-connected robots that support attachments for mowing lawns, blowing leaves, shoveling snow, and performing other outdoor tasks. Like many IoT devices, they can be controlled remotely through mobile apps and include cameras used to map the properties where they operate. Remote access also requires transmitting data through the manufacturer's servers.

Makris found that every network-connected unit running recent firmware also reports telemetry and GPS coordinates back to Yarbo engineers through a preinstalled backdoor. After gaining access to the company's backend, he was able to view information from around 11,000 devices, roughly 5,000 of them located in the US.

Similar to an incident in February, when Sammy Azdoufal reportedly hijacked over 10,000 DJI IoT devices, Makris was able to remotely control Yarbo robots and access their camera feeds using only serial numbers and no additional login credentials. He could even restart a unit while the owner activated the emergency shutdown, or potentially operate a bladed lawnmower in a dangerous manner.
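The failure mode described above, a cloud endpoint that treats a device serial number as the only credential, is easy to recognise in code. The following is an added illustration, not Yarbo's or DJI's actual API: a hypothetical command-forwarding endpoint in its weak form (serial number only) next to a hardened form that requires an owner session, checks that the serial is bound to that owner, signs each command with a per-session key, and rejects replays and stale requests. The device registry, serial format, command names and session lifetime are all constructed for the example.

```python
"""Serial-number-only device control vs. owner-bound, signed control.

Added example (hypothetical endpoint, constructed data), not vendor code.
"""
import hashlib
import hmac
import secrets
import time

# Constructed registry: serial -> owning account. Serials are sequential,
# so "knowing a serial" proves nothing about who is asking.
DEVICES = {"YB-000123": "owner-a", "YB-000124": "owner-b"}
COMMANDS = {"start", "stop", "camera"}


def weak_authorize(serial, command):
    """Vulnerable pattern: any caller who names a valid serial may drive it."""
    return serial in DEVICES and command in COMMANDS


# Hardened design: server-side sessions, device/owner binding, signed commands.
SESSIONS = {}      # token -> {"owner": str, "key": bytes, "exp": float}
SEEN_NONCES = {}   # nonce -> time first seen (pruned after MAX_SKEW)
MAX_SKEW = 30      # seconds a signed command stays valid


def login(owner, now=None):
    """Issue a session after the owner has authenticated (password/MFA flow
    is out of scope). Returns the bearer token and the command-signing key."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    key = secrets.token_bytes(32)
    SESSIONS[token] = {"owner": owner, "key": key, "exp": now + 3600}
    return token, key


def sign_command(key, serial, command, nonce, ts):
    """HMAC over every field the server will act on, so none can be swapped."""
    msg = "|".join((serial, command, nonce, str(ts))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hardened_authorize(token, serial, command, nonce, ts, mac, now=None):
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None or sess["exp"] < now:
        return False, "no valid session"
    if command not in COMMANDS:
        return False, "unknown command"
    # Unknown serial and someone else's serial get the same answer: no
    # enumeration oracle for an attacker walking the serial space.
    if DEVICES.get(serial) != sess["owner"]:
        return False, "device not bound to this account"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale request"
    for old in [n for n, t in SEEN_NONCES.items() if now - t > MAX_SKEW]:
        del SEEN_NONCES[old]
    if nonce in SEEN_NONCES:
        return False, "replay"
    expected = sign_command(sess["key"], serial, command, nonce, ts)
    if not hmac.compare_digest(expected, mac):   # constant-time compare
        return False, "bad signature"
    SEEN_NONCES[nonce] = now
    return True, "ok"


def demo():
    """Walk both designs through the same attacker and owner requests."""
    now = 1_700_000_000.0
    ts = int(now)
    out = {}
    # Attacker holds only a serial number pulled from the sequential range.
    out["weak_attacker"] = weak_authorize("YB-000124", "camera")
    out["hardened_attacker"] = hardened_authorize("", "YB-000124", "camera",
                                                  "n0", ts, "", now)
    # Legitimate owner-a logs in and tries another customer's unit, then its own.
    token, key = login("owner-a", now)
    nonce = secrets.token_hex(8)
    mac = sign_command(key, "YB-000124", "camera", nonce, ts)
    out["hardened_other_device"] = hardened_authorize(token, "YB-000124", "camera",
                                                      nonce, ts, mac, now)
    mac = sign_command(key, "YB-000123", "start", nonce, ts)
    out["hardened_own_device"] = hardened_authorize(token, "YB-000123", "start",
                                                    nonce, ts, mac, now)
    # Same signed message sent again: rejected as a replay.
    out["hardened_replay"] = hardened_authorize(token, "YB-000123", "start",
                                                nonce, ts, mac, now)
    # Signature made for "stop" but request says "start": rejected.
    nonce2 = secrets.token_hex(8)
    mac2 = sign_command(key, "YB-000123", "stop", nonce2, ts)
    out["hardened_tampered"] = hardened_authorize(token, "YB-000123", "start",
                                                  nonce2, ts, mac2, now)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The point of the hardened version is not the HMAC itself but the binding: a command is only honoured when the caller can prove a live session for the account the device belongs to, and the serial number is merely a lookup key, never a secret.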

But it gets worse: each Yarbo robot is, in effect, an Arm Linux computer with the same root password across all units, granting attackers full control over the operating system. Even if a user changes the password or removes the backdoor, a subsequent firmware update restores the default credentials and any missing files.

The operating system also exposes the owner's Wi-Fi password in clear text, so anyone with that root access can read it and potentially turn each robot into a beachhead for attacks on other devices on the same network. The implications for private owners are concerning enough, but Makris also found Yarbo units deployed at businesses, university campuses, and government buildings. The Verge reports that he also identified 12 robots within 3 km of a major nuclear power plant, one of which may be owned by a nuclear security analyst.
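Two of the findings above, a root password shared across every unit and Wi-Fi credentials stored in clear text, are exactly the checks a reviewer runs over extracted firmware before trusting a device on a network. The following audit script is an added example, not the researcher's or the vendor's code: given root filesystems extracted from several units, it reports any root password hash that recurs across units and any Wi-Fi pre-shared key stored in a wpa_supplicant or NetworkManager file. It builds its own constructed sample tree (three fake units, a made-up shadow hash) so it runs offline; the file locations follow common Linux conventions and a given firmware may keep them elsewhere.

```python
"""Audit extracted root filesystems for a shared root hash and Wi-Fi secrets at rest.

Added example with a constructed sample fleet; nothing here is real firmware.
"""
import os
import re
import tempfile
from collections import defaultdict

SHADOW_ROOT = re.compile(r"^root:([^:]*):", re.M)
# Matches wpa_supplicant `psk="..."` and NetworkManager keyfile `psk=...` lines.
PSK_LINE = re.compile(r'^\s*psk\s*=\s*"?([^"\n]+?)"?\s*$', re.M)
WIFI_FILE = re.compile(r"(wpa_supplicant.*\.conf|\.nmconnection)$")


def root_hash(rootfs):
    """Return root's password hash from etc/shadow, or None if absent/locked."""
    try:
        with open(os.path.join(rootfs, "etc", "shadow"), errors="replace") as f:
            text = f.read()
    except OSError:
        return None
    m = SHADOW_ROOT.search(text)
    if not m:
        return None
    h = m.group(1)
    return h if h and h[0] not in "!*" else None   # "!"/"*" means no usable password


def find_wifi_secrets(rootfs):
    """List (relative path, kind) for every PSK found in known Wi-Fi config files."""
    findings = []
    for dirpath, _, files in os.walk(rootfs):
        for name in files:
            if not WIFI_FILE.search(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            for m in PSK_LINE.finditer(text):
                value = m.group(1)
                # A 64-hex PSK is the derived key, not the passphrase, but it is
                # still enough to join the network, so it is reported too.
                kind = ("precomputed PSK (enough to join the network)"
                        if re.fullmatch(r"[0-9a-fA-F]{64}", value)
                        else "clear-text passphrase")
                findings.append((os.path.relpath(full, rootfs), kind))
    return findings


def audit_fleet(units):
    """units: {unit_id: rootfs_path}. Returns shared hashes and per-unit Wi-Fi hits."""
    report = {"shared_root_hash": [], "wifi_secrets": {}}
    by_hash = defaultdict(list)
    for uid, path in units.items():
        h = root_hash(path)
        if h:
            by_hash[h].append(uid)
        hits = find_wifi_secrets(path)
        if hits:
            report["wifi_secrets"][uid] = hits
    for ids in by_hash.values():
        if len(ids) > 1:           # same hash on more than one unit = shared password
            report["shared_root_hash"].append(sorted(ids))
    return report


def build_sample_fleet():
    """Constructed three-unit fleet: two share a root hash, one stores a passphrase."""
    base = tempfile.mkdtemp(prefix="rootfs-audit-")
    shared = "$6$saltsalt$" + "A" * 86      # placeholder, not a real hash
    units = {}
    for uid, shadow, wifi in [
        ("unit-1", shared, 'network={\n  ssid="HomeNet"\n  psk="hunter2wifi"\n}\n'),
        ("unit-2", shared, 'network={\n  ssid="Office"\n  psk=' + "ab" * 32 + "\n}\n"),
        ("unit-3", "!", ""),                # root locked, no Wi-Fi config
    ]:
        root = os.path.join(base, uid)
        os.makedirs(os.path.join(root, "etc", "wpa_supplicant"))
        with open(os.path.join(root, "etc", "shadow"), "w") as f:
            f.write(f"root:{shadow}:19000:0:99999:7:::\n")
        if wifi:
            with open(os.path.join(root, "etc", "wpa_supplicant",
                                   "wpa_supplicant.conf"), "w") as f:
                f.write(wifi)
        units[uid] = root
    return units


if __name__ == "__main__":
    print(audit_fleet(build_sample_fleet()))
```

Run it against real extractions by replacing `build_sample_fleet()` with a dict of unit names to unpacked rootfs directories. A shared hash is only detectable with more than one unit's image, which is why comparing across units matters more than cracking any single hash.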

Normally, a security researcher would notify the manufacturer privately and allow time for remediation before going public. However, Yarbo's dismissive responses reportedly convinced Makris that the issues would only be taken seriously if he published his findings.

The company's attempts to obscure its origins are another concern. While Yarbo is officially headquartered in New York, the Android app package identifier lists Shenzhen-based Hanyangtech as its parent company. Each Yarbo unit's telemetry also reportedly routes through ByteDance servers.

What Makris discovered highlights the same category of concerns that led to DJI devices being restricted in the US, but Yarbo's robots present a potentially broader risk, with thousands already operating domestically. Yarbo later told The Verge that it is investigating the issues and has developed fixes for some of them.


 
It's pretty naive to treat these things as bugs or vulnerabilities or anything that seems to be there because of neglect, bad coding etc.

Plenty of Chinese domestic appliances with network connectivity capabilities have deliberately planted backdoors that allow remote data collection and very likely remote control. Every single one of these is a security risk, and I don't mean just a privacy / information security risk, but a direct physical threat. If a device can be remotely controlled, it can be instructed to overheat and start a fire, to slam into something, to .. use your imagination here. Even devices with no advertised networking capabilities may have them, silently scanning for vulnerabilities in unsecured nearby wifi networks and waiting for instructions.

It's simply insane that we're buying millions of potential trojan horses and keeping them around.
 
Recently bankrupt iRobot has been acquired by some Chinese no-name entrepreneur. Now I wonder if that means my Roomba is now a worm-hole and a spyware backdoor.

I also wonder how helpful it is to put this stuff on a separate isolated WLAN/VLAN.
 
That's why you use a separate guest network that's set up for each of these things, and make sure they're isolated from one another so they can't frig with your actual network, especially if it absolutely must have internet access to work; otherwise it's a local-only access guest network.
 
This just reminds me of the Watchdogs 2 game.

So many examples of a modern convenience being not so convenient. Not everyone will want to or can do as suggested in the comments, like making a guest network for every IoT device. Not saying it's necessarily difficult, but just pointing out a reality.

Is it any wonder that people who understand this landscape (or not) offload their info offline, like physical file cabinets, passwords written down or digitally downloaded, etc.
 
All these Chinese internet-ready domestic appliances are surveillance devices disguised as domestic appliances - or as cars (BYD, for example).

The real question is which modern EV is NOT a surveillance device? Hell, I've seen new cars and appliances advertise their surveillance features like it's a good thing (e.g. everything is recorded and uploaded to prevent theft of your car, vandalism, etc). Teslas have what, 8 or 9 cameras and record everything around them for Sentry Mode, driving can be remotely accessed, etc. It seems everything is heading in the direction of surveillance and data collection.

I recently got a GE cooking appliance and it uploads data to the internet and collects all my data too.
 
Riding the mower is tough in my old age, and so is pushing it, BUT I will not give up either for one of these things. Activity is what keeps people going, not watching.
Society also needs to normalize different types of lawns (and "natural" lawns) instead of wanting everyone to stick to manicured mono-culture grass lawns that are chock full of pesticides, herbicides, and chemical fertilizers, that are absolutely terrible for biodiversity and local bees, and that contribute to local pollution.
 
Society also needs to normalize different types of lawns (and "natural" lawns) instead of wanting everyone to stick to manicured mono-culture grass lawns that are chock full of pesticides, herbicides, and chemical fertilizers, that are absolutely terrible for biodiversity and local bees, and that contribute to local pollution.
One of my mottos, "As long as it's green"
 
Recently bankrupt iRobot has been acquired by some Chinese no-name entrepreneur. Now I wonder if that means my Roomba is now a worm-hole and a spyware backdoor.

I also wonder how helpful it is to put this stuff on a separate isolated WLAN/VLAN.
Not exactly no-name. iRobot was acquired by their own manufacturer.

During the pandemic, iRobot tried to expand and took on a bunch of debt and felt secure doing so because their stock was pretty healthy. After the pandemic, their stock price began to drop due to diminishing profits and revenues, and their manufacturer began quietly buying up iRobot's debt. Eventually, the manufacturer had acquired enough debt and the stock had fallen in value enough that they were able to force a bankruptcy and take over the company's IP for pennies on the dollar.

But, yes, China now controls your Roomba. Mine, too. Maybe they'll finally fix the dumb location & cleaning scheduling logic.
 
I didn't know I even had one, but it's been hacked and they drove it out of here before I could find it.

Is the headline proof of ownership? Imma make a claim
 
Not exactly no-name. iRobot was acquired by their own manufacturer.
I remember I've read that some China bigwig personally curated all the procedures. Didn't know it was the OEM.

Dunno why they felt great during COVID; problems with my Roomba started somewhere in 2020, but yeah, at the corona's finis iRobot software quality plummeted. Right now my i7 is barely usable…

This is why you put all your IOT devices on a separate Vlan or a guest network.
But what you do when you need control, or a wireless printer?
 
I remember I've read that some China bigwig personally curated all the procedures. Didn't know it was the OEM.

Dunno why they felt great during COVID; problems with my Roomba started somewhere in 2020, but yeah, at the corona's finis iRobot software quality plummeted. Right now my i7 is barely usable…

But what you do when you need control, or a wireless printer?
I would not put the printer on the guest network if I needed access to it from the primary network.

There are ways to work around it with an advanced router.
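One concrete form of the "advanced router" workaround discussed in this thread, added here as an illustration rather than any commenter's setup: an nftables forward policy for a Linux router with the trusted LAN on vlan10 (192.168.10.0/24), the IoT devices and the printer on vlan20 (192.168.20.0/24) and wan0 upstream. The LAN may initiate connections to the printer and to the robots (app control), the IoT side can never initiate toward the LAN, the printer gets no internet at all, and everything else on the IoT VLAN only gets DNS and HTTPS outbound. Interface names, subnets and the printer address are assumptions.

```nft
# Assumed layout: vlan10 = trusted LAN 192.168.10.0/24, vlan20 = IoT/guest
# 192.168.20.0/24, wan0 = upstream. Printer assumed at 192.168.20.50.
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened (printer, robot app) flow back.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may start conversations anywhere: printer, robots, internet.
        iifname "vlan10" accept

        # IoT side never initiates toward the LAN, so a robot whose root
        # password and stored Wi-Fi key are known cannot reach laptops or NAS.
        iifname "vlan20" oifname "vlan10" drop

        # Printer needs no internet; other IoT devices get only what their
        # cloud service needs (DNS and HTTPS), nothing else outbound.
        iifname "vlan20" ip saddr 192.168.20.50 oifname "wan0" drop
        iifname "vlan20" oifname "wan0" udp dport 53 accept
        iifname "vlan20" oifname "wan0" tcp dport { 53, 443 } accept
        iifname "vlan20" oifname "wan0" drop
    }
}
```

Two caveats a practitioner will hit immediately: printer and device discovery (mDNS, SSDP) is link-local broadcast and will not cross the VLAN boundary, so the printer must be addressed by a fixed IP or through an mDNS reflector such as avahi-daemon on the router; and keeping IoT devices isolated from one another on the same VLAN (the "isolated from one another" point made earlier) is a client-isolation setting on the access point or switch, not something the router's forward chain can enforce.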
 
I remember I've read that some China bigwig personally curated all the procedures. Didn't know it was the OEM.

Dunno why they felt great during COVID; problems with my Roomba started somewhere in 2020, but yeah, at the corona's finis iRobot software quality plummeted. Right now my i7 is barely usable…
It wasn't so much that they felt great, but they felt that they had no choice.

It all probably goes back to their home state's politicians killing the attempt by Amazon to acquire iRobot. Amazon wanted to buy, iRobot's board and shareholders wanted to sell, but when the state's congress people stated they would fight the merger, the deal quickly fell apart. Once that happened, iRobot's leadership felt that they had no choice but to try to expand if they were to survive against the rise of Chinese Roomba clones; cut costs, drive revenues, all that jazz. Obviously, that all backfired in the most spectacular way.

But, yeah, my i9 does a great job vacuuming. When it remembers it was supposed to vacuum at all. It still works well enough for now, but I probably won't go for another iRobot product once it comes time to replace it. Or, more precisely, iRobot is no longer the "no other options considered" brand for a replacement robot vacuum. AFAIK, Dyson is the only non-Chinese one at this point, so they are in the running. I'll consider a Chinese one, but I would want to see which ones got decent reviews from security researchers first (i.e. at least attempts to appear to secure itself, and doesn't store your WiFi password in plaintext).
 
I would not put the printer on the guest network if I needed access to it from the primary network.

There are ways to work around it with an advanced router.
The way around that is to never let it have access to the internet if it's not an absolute necessity, and if it is a requirement to be able to use it, then get a different printer where it is not.
 