When the Manufacturer Steers Your Mower, Stephen King Comes to Mind
This story sounds like it escaped from a Stephen King film. In 1985’s “Maximum Overdrive,” machines wake up and turn on people as if remote-controlled; a lawn mower chases a boy across a yard. In the movie, a comet’s tail sets them off. In reality, the trigger is more mundane — and more unsettling: a backdoor built into a smart lawn mower at the factory.
- Yarbo’s robot mower, which costs over $5,000, contains a backdoor the manufacturer built in deliberately and that owners cannot disable.
- Every device shares the same hardcoded root password. If an owner changes it, the next firmware update resets it. An estimated 11,000 robots worldwide are affected.
- The US agency CISA classified the flaws as critical in June 2026. Yarbo then pledged to remove remote access by default and offer it only as an opt-in.
No comet, no Skynet, no Bond villain required. One password, identical across every device, is enough to remotely control thousands of blade-equipped garden robots. That’s exactly what security researcher Andreas Makris demonstrated. From Germany, he hijacked a Yarbo robot in New York State and steered it toward a Verge journalist who had lain down in its path to demonstrate the risk. The robot actually touched him — roughly 220 pounds of metal and electronics. The only reason no one was hurt: Makris stopped in time, the mower was in reverse, and the blades were off.
What is Yarbo — and why isn’t this an ordinary lawn mower?
Yarbo doesn’t sell a simple robot mower but a modular platform: a tank-tracked “core” that drives interchangeable attachments — for mowing, trimming, edging, leaf-blowing, or snow removal. The base unit costs over $5,000 in Europe; the full set of attachments runs past $12,000. Because every attachment relies on the same core, a flaw in the core affects every configuration. Inside sits a full Linux computer. Like any computer, it has an administrator account called “root” — the account with full privileges, able to execute any command on the system. That’s exactly where the problem starts.
How does an outsider take over thousands of devices at once?
Makris found that every Yarbo robot uses the same hardcoded root password. It isn’t unique per device; it’s identical across the entire fleet. Whoever knows it gets into every unit. Worse: even an owner who knows to change it isn’t protected, because the next firmware update — the operating software refresh — resets it right back. The cloud connection makes things worse.
It runs over MQTT, a lightweight protocol for machine-to-machine communication. Its credentials, too, were hardcoded and identical across every device inside the app. As a result, according to CISA, anyone holding valid credentials could subscribe to the telemetry of the entire global fleet and issue commands to any robot using nothing more than its serial number.
The access point is no accident. According to Makris, the backdoor runs automatically on every robot, cannot be disabled by the owner, and restores itself if removed. Through this channel, the robot isn’t just steerable. Attackers could start the blades, probe the home network, or fold the device into a botnet — a network of hijacked devices remotely weaponized for attacks elsewhere on the internet.
Even the emergency stop button offers no reliable protection: with root access, a single command unlocks the mower again. The scale is significant. Makris is tracking more than 11,000 devices worldwide, about 5,400 of them in the US and Europe. On June 11, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed the flaws in an official advisory (ICSA-26-162-01), listing them as CVE-2026-10557 and CVE-2026-7368. The more severe of the two scores 9.8 out of 10 on the CVSS severity scale.
What does it feel like to be run over by your own lawn mower?
To make the danger tangible, Verge editor Sean Hollister took part in the experiment described above. From roughly 6,000 miles away, Makris steered the mower while Hollister lay in its path. The remote takeover itself was only the start. In the demonstration for The Verge, Makris also pulled live camera feeds and extracted owners’ GPS coordinates, email addresses, and Wi-Fi passwords.
Hollister verified this on the ground. Two named owners — Wayne Yu and retired network architect Matt Petach — confirmed that the addresses and passwords pulled from their devices were real. Petach offered a fitting comparison: a device like this is “a chainsaw without a handguard.” Makris also located twelve Yarbo robots within roughly two miles of a major power plant, one apparently registered to a nuclear security analyst — a sign the problem reaches well beyond the backyard.
Why is this “Internet of Trash” — and not just a bug?
An insecure configuration would be a slip-up. What makes Yarbo a case for this column is the intent behind it, and how the company handled being caught. Even its origins are obscured: Yarbo presents itself with photos of polished office suites as a New York company. Its actual New York address, according to The Verge, is a single-story building shared with, among others, two auto detailers, an insurance agency, and an Etsy shop. Behind Yarbo stands Hanyang Tech, based in Shenzhen, China.
The company tried to steer the press, too: Yarbo’s PR team repeatedly asked The Verge to guarantee it wouldn’t publish a negative review, and at one point presented an agreement containing a non-disparagement clause. The outlet declined. Co-founder Kenneth Kohlmann’s later statement was, outside the US, reachable largely only via VPN, according to Cybernews.
That places Yarbo in a pattern this column has described before — only running in the opposite direction. When Vorwerk shut down the cloud behind its Neato robot vacuums, owners lost control because the manufacturer switched the server off. Something similar happened with the Kindle as a symptom of a broader IoT problem. With Yarbo, the manufacturer keeps control by leaving access switched on. Control withdrawn on one side, control quietly retained on the other — the common thread stays the same: whoever buys connected hardware owns the device, not the power over it.
What has Yarbo changed — and what, deliberately, hasn’t it?
Yarbo’s first response was half-hearted. The fix initially announced addressed only permission handling between the app and backend — not the firmware, where most of the underlying problems live. The company initially wanted to keep the remote-access channel itself, to help customers from a distance. Only the public pressure from The Verge’s reporting changed course.
Within days, Yarbo reversed itself: co-founder Kenneth Kohlmann told The Verge the company would remove remote access by default and offer it only as an opt-in. Every device is meant to get a unique root password that Yarbo won’t hand out to end users. The first 1,000 machines had already received a firmware update, according to the company.
Whether Yarbo fully delivers on that promise is hard to verify from the outside. The company also announced in-app approval for diagnostic access, session logging, and a dedicated security response center. For owners, the standard advice still applies: update the Yarbo app to version 3.17.4 or later, use a strong, unique Wi-Fi password, and segment IoT devices away from computers holding sensitive data.
Conclusion
An irony frames this story. In 1985, a scene in “Maximum Overdrive” called for a remote-controlled lawn mower to chase a boy. Director Stephen King insisted on keeping the blades running. The mower went out of control, shredded a wooden block used as a camera mount, and sent splinters flying. Cinematographer Armando Nannuzzi lost his right eye in the accident.
The fiction of a lethal lawn mower became real on set. Forty years later, it takes neither a comet nor a director with a taste for authenticity. It only takes a manufacturer that builds a master key into every unit it sells — and hands it back only after getting caught. The real scandal isn’t the spectacular hijack; it’s how banal the cause was: one identical password, one persistent access channel, one obscured company address. A high price, this case teaches plainly, says nothing at all about how secure a connected device is.
Yarbo pledged improvements after the flaws became public, including unique passwords per device and remote access that is removed by default and offered only as an opt-in. The US agency CISA recommends updating the Yarbo app to version 3.17.4 or later. Whether every flaw has been fully closed is difficult to verify from the outside.
Root is the administrator account on a Linux system, with the highest level of privileges. A hardcoded password is built directly into the software and identical across every device. Whoever knows it gets full access to every unit of that type, without needing to guess or crack anything.
Yarbo presents itself publicly as a New York company. Behind the brand, however, stands Hanyang Tech, based in Shenzhen, China. Reporting by The Verge suggests the stated New York headquarters is in fact a small unit inside a single-story building.
A persistent remote-access channel that owners cannot disable and never clearly consented to counts as a serious security and trust violation, and depending on the region, it can run afoul of data protection and consumer protection rules. Security researchers classify this kind of architecture as deliberately insecure design, regardless of how it’s judged legally in any single case.
The case shows that a high purchase price guarantees nothing about security. Connected devices should run current firmware, sit behind strong Wi-Fi passwords, and stay segmented from systems holding sensitive data. Anyone wanting maximum independence should look for devices that can also run locally, without relying on the manufacturer’s server.











