The future of lawn care arrived with spinning blades and zero authentication. Yarbo, a Chinese manufacturer of autonomous outdoor robots, has been selling internet-connected mowers that can be commandeered by anyone with modest hacking skills, exposing not just the machines themselves but the homes they tend. When a security researcher demonstrated the vulnerability by literally running over a Verge journalist, the company's response was telling: not a recall, not a firmware halt, but a promise to fix things eventually.

This is not a story about one unfortunate reporter and one rogue robot. It is a story about an entire category of consumer hardware that treats cybersecurity as a post-launch concern.

The attack surface in your backyard

Yarbo's mowers connect to home Wi-Fi networks and communicate with cloud servers to receive commands and updates. The security flaws discovered allow attackers to intercept these communications, harvest stored credentials, and take full remote control of the devices. The implications extend beyond the machine itself: Wi-Fi passwords grant access to home networks, GPS coordinates reveal when residents are away, and email addresses enable targeted phishing. For a device whose primary job is cutting grass, the data footprint is remarkably intimate.

The company has reportedly sold thousands of units across North America and Europe, primarily to affluent homeowners willing to pay premium prices for autonomous convenience. These are precisely the customers whose homes contain the most valuable digital targets.

The regulatory void

Consumer IoT devices in the United States face no mandatory security certification before reaching the market. The FCC regulates radio emissions; no agency regulates whether a robot can be hijacked. The European Union's Cyber Resilience Act, set to take full effect in 2027, will eventually require connected products to meet baseline security standards, but enforcement remains years away. In the meantime, manufacturers face little consequence for shipping vulnerable products beyond reputational damage—and even that requires journalists willing to be run over to generate headlines.

Yarbo's statement promising a fix follows a familiar playbook: acknowledge the issue, express commitment to customer safety, provide no timeline. The company has not disclosed how many devices are affected, whether attackers have exploited the vulnerabilities in the wild, or what interim measures owners should take.

Our take

The Yarbo incident is darkly comic—a journalist flattened by a lawn robot makes for excellent copy—but the underlying problem is genuinely serious. As autonomous machines proliferate in homes, from vacuums to mowers to delivery bots, each represents a potential entry point for attackers and a physical system capable of causing harm. The industry's current approach, shipping first and patching later, works tolerably for software. It works considerably less well for devices with blades. Yarbo will likely fix its mowers. The question is what happens with the next company that decides security can wait until after the product review embargo lifts.