Yarbo's Robot Mowers Phone Home to ByteDance — and Cannot Be Stopped
Every Yarbo robot lawn mower in America has been sending hardware diagnostics to ByteDance's enterprise messaging platform: serial number, CPU usage, memory, disk, all without owners' knowledge. A security researcher discovered this in April. Then he decided to demonstrate what else a Yarbo could do remotely.
Andreas Makris found three critical vulnerabilities in Yarbo's fleet management system and reported them through the normal channels. Yarbo's support team told him the remote connection capability "cannot be accessed by any third parties." Makris published his full findings on May 7, 2026 — along with a video of himself steering a 200-pound Yarbo robot mower, in real time, across a field in upstate New York, while a Verge reporter filmed it. His technical report and demo are on GitHub; The Verge covered the demonstration.
The backdoor Yarbo built into its own product turned out to work exactly as advertised.
Yarbo is a Chinese-owned robot mower company with roughly 5,400 active units in the United States and Europe and over 11,000 worldwide, according to Makris's fleet map. Every device shares the same root password — hy@0886!# — hardcoded into the firmware and pushed back to every machine if anyone tries to change it. CVE-2026-7413, CVE-2026-7414, and CVE-2026-7415 are now on the record. The vulnerability is not a misconfiguration or an oversight. Yarbo's architecture designates remote access as a permanent, non-disableable feature of the product — and the company confirmed as much in its response to Makris, calling it a deliberate design choice.
Owners cannot opt out: the remote-access component is mandatory, and if a customer manages to remove it, the next firmware update reinstalls it. Makris calls this "the mandatory persistence mechanism." The US commercial subsidiary, Yarbo Inc., did not respond to a request for comment by publication time.
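A check a firmware auditor would want for the behaviour described above: a scanner that walks an extracted firmware or update image and flags the known shared root password, its base64 form, and any script line that resets an account password from a literal. This is an added example, not code from Makris's report or from Yarbo. The shape of the reset line (an `echo user:password | chpasswd` pipe in an init or post-update script) is an assumption about how an update could push the credential back, since the article states only that it does; the function names (`scan_tree`, `summarize`, `build_sample_tree`) are this example's own, and the sample tree the script writes is constructed for the demonstration, not taken from any real image.

```python
"""Scan an extracted firmware tree for a hardcoded root credential.

Added example (not Yarbo's or Makris's code). Assumes the credential is
pushed back by a shell script that pipes `user:password` into chpasswd;
the article states the behaviour, not the mechanism.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass

# The shared root password reported for every Yarbo unit (from the article).
KNOWN_DEFAULT = "hy@0886!#"

# echo [-e] "user:password" | chpasswd   -- assumed shape of a reset line.
SETTER = re.compile(r"""echo\s+(?:-e\s+)?["']?(\w+):([^"'|\s]+)["']?\s*\|\s*chpasswd""")


@dataclass
class Finding:
    path: str      # relative to the scanned root
    line_no: int
    kind: str      # "literal", "encoded" or "setter"
    detail: str


def _text_lines(path):
    """Yield (line_no, line) for any file, tolerating binary content."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                yield no, line.rstrip("\n")
    except OSError:
        return


def scan_tree(root, known=KNOWN_DEFAULT):
    """Walk `root` and return one Finding per suspicious line.

    literal: the known password appears verbatim
    encoded: its base64 form appears (a common way to hide it from grep)
    setter:  some other value is piped into chpasswd; review by hand
    """
    encoded = base64.b64encode(known.encode()).decode()
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for no, line in _text_lines(path):
                if known in line:
                    findings.append(Finding(rel, no, "literal", line.strip()))
                elif encoded in line:
                    findings.append(Finding(rel, no, "encoded", line.strip()))
                else:
                    m = SETTER.search(line)
                    if m:
                        findings.append(Finding(rel, no, "setter", f"{m.group(1)} <- {m.group(2)}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'literal': 1, 'encoded': 1, 'setter': 2}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_tree():
    """Write a small constructed firmware-like tree and return its root.

    The file contents are made up for this example; they are not from any
    real Yarbo image.
    """
    root = tempfile.mkdtemp(prefix="fw_")
    enc = base64.b64encode(KNOWN_DEFAULT.encode()).decode()
    samples = {
        # plain reset of root to the known default on every boot
        "etc/init.d/S99reset-root": f'echo "root:{KNOWN_DEFAULT}" | chpasswd\n',
        # same thing, obscured with base64 and a shell variable
        "usr/sbin/post-update.sh": f"PW=$(echo {enc} | base64 -d)\n"
                                   'echo "root:$PW" | chpasswd\n',
        # a different literal: not the known default, but still worth review
        "etc/init.d/S50svc": 'echo "svc:changeme" | chpasswd\n',
        # benign file
        "etc/os-release": 'NAME="Buildroot"\n',
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.kind:8} {f.path}:{f.line_no}  {f.detail}")
```

Point `scan_tree` at a root filesystem pulled out of an update image (for example with unsquashfs or binwalk). A `literal` or `encoded` finding is the known default itself; a `setter` finding whose value is a shell variable (`root <- $PW` in the sample) means the password is assembled at runtime and the script needs reading by hand, which is exactly the case a plain grep for the password string would miss.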
Makris also found that all Yarbo robots send telemetry to Feishu, ByteDance's enterprise collaboration suite; ByteDance is the company that owns TikTok. The data includes the robot's serial number and its CPU, memory, and disk usage. The Yarbo brand is owned by Shenzhen-based Hanyangtech, and Yarbo Inc. is its US subsidiary. Where that telemetry ultimately lands, on ByteDance's cloud infrastructure outside China or on servers inside it, is not fully documented in Feishu's public architecture disclosures. What is clear is that the data flows to ByteDance-owned infrastructure without owner consent and without disclosure in Yarbo's product materials.
Yarbo's own marketing makes the opposite case. A company blog post dated October 2025 — archived here — promises customers that Yarbo's security architecture protects their investment. It does not mention ByteDance telemetry, a permanent backdoor, or that anyone with the fleet password can steer a machine from the other side of the world.
What Makris demonstrated is a category of risk that is new only in its specific form: a consumer robot with spinning blades, running unsupervised on private property, whose remote-access channel its owner cannot disable, which phones home to infrastructure owned by a foreign company, and which answers to a shared credential that cannot be changed. The 11,000-unit fleet in the field is not hypothetical. The spring deployment season is not hypothetical. And the regulatory chain that might catch a problem like this before someone gets hurt does not currently appear to include any specific oversight for robot mowers sending data to ByteDance. Neither CISA nor the FCC had issued public guidance on Yarbo specifically as of publication, and it is not clear whether either agency has been contacted about the vulnerabilities.