Securing Your Yarbo Robot Mower: A Step-by-Step Guide to the Company's Security Overhaul
Overview
Recently, a security researcher demonstrated that thousands of Yarbo robot mowers could be hijacked remotely, exposing sensitive data like GPS coordinates, Wi-Fi passwords, and email addresses. Yarbo responded with a detailed 1,200-word plan to address these issues. This guide walks through the steps Yarbo is taking to fix the vulnerabilities and how you can ensure your mower is secure. We’ll cover the company’s commitments, the technical changes being implemented, and best practices for users.

Prerequisites
- Basic understanding of IoT security concepts (e.g., encryption, authentication)
- Access to your Yarbo account (app or web portal)
- Ability to update firmware on your robot mower
- Familiarity with using command-line tools or API calls (optional for advanced steps)
Step-by-Step Instructions
Step 1: Confirm the Breach and Yarbo’s Response
Yarbo has publicly confirmed the security researcher’s findings. The company issued a formal apology and outlined a multi-phase plan. Key actions include temporarily disabling remote access and implementing encryption for data in transit. As a user, you should verify you’re on the latest firmware (v2.4.1 or higher). Check your app for notifications or visit Yarbo’s official security page.
Step 2: Disable Remote Access Temporarily
Yarbo cut off remote access to prevent further exploitation. To manually confirm this, log into your Yarbo account and navigate to Settings > Remote Access. If the option is grayed out or shows “Disabled,” the feature is inactive. This ensures that even if a hacker had your device ID, they cannot connect.
Code Example (API check, optional):
curl -X GET https://api.yarbo.com/v1/device/status -H "Authorization: Bearer YOUR_TOKEN"
Response: {"remote_access_enabled": false}
Step 3: Ensure HTTPS and TLS Encryption
Yarbo is moving all device communication to HTTPS with TLS 1.2+ to protect Wi-Fi passwords and GPS data. Verify that your mower connects only to secure endpoints. If you’re a developer, check that your local network traffic uses HTTPS (look for padlock in browser). Yarbo’s servers now reject plain HTTP requests.
Configuration snippet for router (advanced): Enable “HTTPS Enforcement” in your Wi-Fi router settings to block unencrypted traffic from IoT devices.
Step 4: Update Firmware with Patched Authentication
Yarbo is releasing firmware updates that fix the authentication flaw. The patch replaces weak tokens with JWT-based authentication and adds rate limiting to prevent brute force attacks. Follow these steps:
- Open the Yarbo app and go to Device > Firmware Update.
- If an update is available (e.g., v2.5.0), tap “Update Now.”
- Ensure the mower is on its charging dock and connected to Wi-Fi.
- Wait for the update to complete (approximately 10 minutes).
Post-update check: In the app, verify the firmware version. Also, attempt to send a remote command (e.g., start mowing) – it should require the new token.
Step 5: Implement Stronger Access Controls
Yarbo is introducing two-factor authentication (2FA) for account logins and device pairing. Enable this in your account settings. Go to Profile > Security > Two-Factor Authentication. Choose SMS or authenticator app (recommended). This prevents unauthorized access even if your password is compromised.

Developer note: The API now requires an OAuth 2.0 token with scopes. Example token request:
POST /auth/token
{"grant_type": "password", "username": "user", "password": "pass", "scope": "device:control"}
Response includes access_token and refresh_token. Use the access token in all subsequent API calls.
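The JWT verification, scope check and rate limiting described in Steps 4 and 5, as an added server-side example (not Yarbo's code; the HS256 key, claim names and limits are constructed for illustration, and the page does not say which JWT algorithm or limits Yarbo uses):

```python
import base64, hashlib, hmac, json, time
from collections import defaultdict, deque
SECRET = b"constructed-demo-secret"  # hypothetical shared HS256 key, not a real Yarbo value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a sample HS256 JWT; only used here to produce inputs for verify_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, required_scope: str, key: bytes = SECRET, now=None):
    """Return the claims if alg, signature, exp and scope all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None  # rejects "none" and algorithm-confusion tokens
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or expired
        return None
    if required_scope not in str(payload.get("scope", "")).split():
        return None
    return payload

class RateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per subject."""
    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, subject: str, now: float) -> bool:
        recent = self.hits[subject]
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # drop attempts that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True
```

Run the limiter before the token check so that repeated bad tokens from one subject are refused without doing the HMAC work.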
Step 6: Secure GPS Data with Obfuscation
Yarbo is obfuscating GPS coordinates stored in the cloud to prevent location tracking. The mower’s location is now reported with a random offset (within 10 meters) when accessed remotely. Users can disable this in the app if needed for precision (e.g., for boundary setup). Go to Settings > Privacy > Location Accuracy and set to “Precise” (only recommended during setup).
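The 10-metre location offset from Step 6, as an added example that is not Yarbo's code. It goes one step beyond the page: the offset is derived once per device from a hypothetical server-side secret rather than re-drawn on every request, so an observer who polls the remote location repeatedly cannot average the jitter away. The secret, device id and sample coordinates are constructed:

```python
import hashlib, math, random

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres
JITTER_SECRET = b"constructed-demo-secret"  # hypothetical server-side value, not Yarbo's

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two lat/lon points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def device_offset(device_id: str, max_offset_m: float = 10.0):
    """(north_m, east_m) inside a disc of radius max_offset_m, fixed per device.
    Seeding from the secret plus the device id keeps the jitter stable across
    requests, so repeated reads do not average back to the true position."""
    seed = hashlib.sha256(JITTER_SECRET + device_id.encode()).digest()
    rng = random.Random(seed)
    dist = max_offset_m * math.sqrt(rng.random())  # sqrt keeps points uniform over the disc
    bearing = rng.random() * 2 * math.pi
    return dist * math.cos(bearing), dist * math.sin(bearing)

def reported_location(device_id: str, lat: float, lon: float, precise: bool):
    """True fix in "Precise" mode; otherwise the fix shifted by the device's offset."""
    if precise:
        return lat, lon
    north_m, east_m = device_offset(device_id)
    dlat = math.degrees(north_m / EARTH_RADIUS_M)
    dlon = math.degrees(east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon
```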
Step 7: Conduct Regular Security Audits
Yarbo has committed to quarterly third-party security audits. As a user, you can participate by reporting vulnerabilities via their bug bounty program. Check Help > Report a Security Issue in the app. Also, periodically review your linked devices and revoke any unknown sessions from Account > Active Sessions.
Common Mistakes
- Not updating firmware immediately: Delaying updates leaves you vulnerable. Always apply patches as soon as they’re available.
- Using default passwords: Change your Yarbo account password to a strong, unique one. Do not reuse passwords from other services.
- Ignoring privacy settings: Leaving Location Accuracy set to “Precise” after setup unnecessarily exposes your home location. Switch it back once boundary setup is done.
- Failing to enable 2FA: Without additional verification, your account is only a password away from being hacked.
- Assuming remote access is safe: Even with fixes, only enable remote access when needed. Keep it off by default.
Summary
Yarbo’s security overhaul includes disabling remote access, enforcing HTTPS, patching authentication, adding 2FA, obfuscating GPS data, and committing to regular audits. By following the steps above—updating firmware, enabling 2FA, and adjusting privacy settings—you can significantly reduce the risk of your robot mower being hijacked. Stay vigilant and keep your device updated to ensure a safe mowing experience.