The facts
On May 7, 2026, The Verge published a story that every maker of consumer robotics should read twice (first article). Security researcher Andreas Makris, sitting roughly 6,000 miles away, took full remote control of a Yarbo robot lawn mower in the United States. From the other side of the planet. With no authorization. With no real obstacles.
It wasn't an isolated case. Roughly 11,000 vulnerable devices worldwide — the entire fleet. Same root password on every machine. MQTT broker with no access controls. Hardcoded credentials in the firmware. A single foothold opens everything: GPS coordinates of customers' homes, email addresses, Wi-Fi passwords, camera feeds, remote vehicle control, override of the emergency stop button.
The next day, Yarbo responded (second article). Co-founder Kenneth Kohlmann confirmed the findings and apologized. He promised OTA updates, a Security Response Center, a possible bug bounty. He temporarily disabled the remote diagnostic tunnels. He reset the root passwords.
They're the right steps. They come after. They come after the machine had already walked across a journalist's chest.
Three circles of harm
When an autonomous powered vehicle with rotating blades is reachable over the network, the risk isn't one risk. It's three, and they grow.
1. The physical circle
The direct harm is obvious: a powered robot with blades can injure. It can be driven at a person, a child, a pet. It can be pushed into the street, where it becomes a four-wheeled projectile placed between a braking car and whatever is in front of it. It can be made to fall off a terrace. It can be used to damage third-party property — the neighbor's garden, the parked car, the border flowerbed.
The indirect harm is less visible but more insidious: a fleet of 11,000 compromised robots is a physical botnet. They can be mobilized for DDoS attacks from the owner's home network (using the owner's IP, with the owner's legal consequences). They can be used for credential stuffing against other services. They can become the lateral entry point into the rest of the home network — cameras, NAS, work laptops, smart locks.
And there's a property of physical harm that software companies struggle to internalize: a patch doesn't undo it. A stolen Wi-Fi password can be changed. An exfiltrated dataset can be — at least legally — contained. A wound from a moving blade cannot. A traffic incident caused by a robot that left its perimeter cannot. The physical consequences of software failures are irreversible — and this changes everything compared with the threat model of a website or an app.
2. The privacy circle
The cameras. The GPS coordinates. The daily paths of the machine inside the perimeter of the home. When the robot is working — that is, when the owner isn't in the yard. When it isn't working — that is, when there are guests, kids, a party, a meeting.
And further: the home Wi-Fi network. Once inside, the attacker is inside everything. Not just the owner's data, but the data of everyone who connects to that network — partner, children, guests, colleagues who come to work from home. The surface of harm extends far beyond whoever bought the product.
Then there are the neighbors. A camera that can be steered remotely — even one nominally "for navigation" — ends up framing what surrounds it. The neighbor's windows. The neighbor's yard. The neighbor's kids playing in the courtyard next door. None of them signed Yarbo's privacy policy. None of them knew the robot existed.
3. The national-security circle
This is the point few articles caught. The Verge mentioned it in passing, but it's worth pausing on: some of the Yarbo devices Makris identified were located within a few kilometers of critical infrastructure, including a major power plant.
Put the pieces together:
- A fleet of always-online devices, with cameras, always within reach of a private home's Wi-Fi network.
- Precise GPS coordinates of every device.
- Telemetry that, according to the published research, in some cases was routed to servers controlled by ByteDance (the Chinese owner of TikTok).
- A company that presents itself as American but operates, per The Verge's reporting, out of Shenzhen.
You don't need to be paranoid to see the problem. You only need to take seriously what it means, in a world where autonomous vehicles enter the homes of public officials, military personnel, researchers, and employees of critical infrastructure, to give a foreign actor a persistent — and mobile — observation post a few meters from the point of interest.
In the United States this is not abstract: the same logic produced restrictions on DJI drones for federal personnel and investigations into Chinese-made connected vehicles. A robot in your yard with a camera, Wi-Fi, and GPS belongs in the same risk category, even if nobody has yet written the regulation.
Not an isolated case: the pattern
It's worth pausing on the byline. Sean Hollister, senior editor at The Verge, is one of the few tech investigative reporters who has grasped what is happening in consumer connected robotics. And this is not his first piece of this kind: in February 2026, again by him, he uncovered the DJI Romo robot vacuum case, where a single user — Sammy Azdoufal — managed to take control of roughly 7,000 devices across 24 countries, accessing live audio and video feeds inside strangers' homes. No sophisticated hack: he had simply extracted his device's token, and DJI's servers started treating him as the administrator of everyone else's.
The same protocol involved — MQTT, poorly segmented orchestration servers. The same initial company response — "your device is completely secure and under your exclusive control." The same country of origin — a Chinese manufacturer. And the same journalist documenting it.
Three months later, Hollister literally lay down in a yard and let a German researcher 6,000 miles away walk a lawn mower onto him. To be clear: this is not a coincidence. It is a pattern that is consolidating, and someone is doing the work of keeping the public record of it.
Why an IoT device is different from a chair
Beneath the chronicle of the individual cases lies a structural question that Western societies are starting to take seriously. IoT devices are not like ordinary objects. A table, a chair, an unconnected lamp, a toaster without Wi-Fi: once you own them, they are just there. They don't communicate with anyone. They don't respond to commands from outside. They cannot be changed remotely by the manufacturer. They are objects, in the full sense of the word.
An IoT device is something else. It is remote-controllable, by design. It is a permanent point of presence that the manufacturer — or anyone who manages to speak in the manufacturer's place — maintains inside the buyer's private space. Every IoT device is, by architectural definition, a bridge between the domestic space and the outside. That bridge can be well built or badly built, monitored or wide open, in a friendly or hostile jurisdiction — but the bridge is there.
This is why a growing body of Western regulation — from the EU's Cyber Resilience Act to U.S. NDAA restrictions to CISA guidance — pushes toward Western-made IoT devices, produced within jurisdictional perimeters where an independent authority can hold the device's behavior accountable, and where the manufacturing company does not answer, at the end of the chain, to a strategically adversarial state actor. This is not protectionism. It is recognizing that the bridge goes somewhere, and where it goes is not irrelevant.
Sensors vs. actuators: robotics is something else again
And then there is a second, sharper level. "Self-driving cars, robot vacuums and mowers — the question is even more urgent." That sentence is worth reading twice.
A classic IoT device is generally a sensor. A connected thermostat measures temperature. A security camera records imagery. A smart speaker listens. A motion sensor counts passes. When compromised, they can read what they shouldn't read. It's serious — especially for audio and video — but the damage is informational: it violates privacy, exfiltrates data, maps habits.
Robots are not sensors. They are actuators. They are devices that, in addition to sensing, act in the physical world. A self-driving car steers, accelerates, brakes. A robot vacuum moves autonomously through the home, carrying cameras and microphones. A robot lawn mower moves autonomously around a home's perimeter and its surroundings, with blades spinning at three thousand revolutions per minute.
A compromised actuator does not merely violate privacy: it acts. It can open a door, steer a vehicle, activate a motor, drop something, hurt someone. And it can be remote-controlled at any moment by whoever controls the device's chain of command. It is the same difference that, in military terms, separates a surveillance satellite from an armed drone. Both do intelligence; only one can also strike.
This is why, in consumer connected robotics, the level of scrutiny on jurisdiction, security architecture, and the identity of who sits on the other end of the wire cannot be the same we apply to a smart bulb. Not because the bulb doesn't deserve attention. But because a device that moves, with blades, in a yard where children play, belongs in a different category of risk.
And reporters like Hollister are beginning to build, case by case, the public archive that will, in the coming years, make a category-specific regulation inevitable.
It is not a coincidence
There is a question running underneath all of this that few people ask openly: why does one company build a product like this, and another doesn't? Not out of malice. Not out of technical incompetence — Yarbo has capable engineers, funding, a complex product line. The level of security with which a device shows up in someone's yard is not a random oscillation of quality. It reflects a culture of privacy.
And cultures of privacy are not the same everywhere.
Yarbo, according to The Verge's own reporting, operates out of Shenzhen. It is a product of an industrial ecosystem where consumer devices collect, by default, everything they can collect; where the idea that a government may access citizens' data is not a pathological exception but an operational presupposition; where the very notion of "privacy as a structural right of the individual against institutions and companies" does not have the cultural, legal, and historical rooting it has in Europe. This is not a moral judgment. It is a sociotechnical fact: products reflect the contexts in which they are born.
Volta was born on Lake Como, in Italy, inside a regulatory perimeter — the GDPR — that is the strictest privacy framework in the world. In Europe privacy is not a marketing feature; it is a fundamental right enshrined in the Charter of Fundamental Rights, enforced by independent authorities, with sanctions that have shaped the behavior of Google, Meta, and Amazon. A European company does not choose whether to be strict on privacy: it grows up inside a culture where not being strict is unthinkable.
When a company born in this context designs a robot, the questions asked around the engineering table are different. Not "how do we maximize the data we can collect?" but "how do we collect as little as possible?" Not "how do we make this product hard to hack?" but "how do we make it so that, even if it were hacked, there would be nothing important to steal?"
It is a difference of defaults. And in engineering, defaults are everything.
The 360° LiDAR: the textbook case
It's worth giving a concrete example, because nothing makes the point clearer. A growing share of next-generation Chinese robot lawn mowers ship with a 360-degree rotating LiDAR on the top of the chassis. Technically it's a legitimate choice: it helps with navigation, obstacle detection, environment mapping.
But pause for a second and consider what it means, in practice, to have a 3D scanner spinning 360 degrees on a connected, always-online vehicle parked in a private yard.
That LiDAR doesn't look at the grass. It looks at everything else. It looks at the facade of the house. It looks at the windows. It looks at who walks through the gate. It looks at the neighbor's yard beyond the hedge. It looks at the parked car, its license plate, the people who get into it. It builds, continuously, a high-resolution three-dimensional scan of the domestic environment and its surroundings, with centimeter-level precision, geo-referenced, archivable, transmittable.
It is exactly the kind of data that military mapping systems use. It is exactly the kind of data intelligence agencies would pay to obtain. And we are putting it, by default, active, on a few-thousand-dollar consumer robot, connected to servers controlled by who-knows-who.
Volta had this option on the table. It said no.
The Lawn Companion™ has a single camera, pointed at the ground. No rotating LiDARs. No sensors aimed at the horizon. Not because a 360° LiDAR wouldn't work — it would work beautifully. But because, in a serious culture of privacy, a device that enters someone's home does not carry more senses than it needs to do its job.
It's worth being precise about what this means in practice. Here is the founder of Volta, Silvio Revelli, in his own words:
"We could have chosen to see even less. But for navigation and prompt obstacle avoidance, we had to keep twenty-three degrees of horizontal inclination. Still better than 360 degrees. Or worse yet, a LiDAR."
The sentence matters for two reasons. The first is technical honesty: no honest marketing can claim "our camera sees only the blade of grass under the wheels." A machine that has to move autonomously needs to see a few meters in front of itself, to avoid hitting a tree, a child, a toy, a dog. Twenty-three degrees of horizontal opening pointing down are the functional minimum required for safe navigation. It is what is enough — not what one would want.
The second is the scale of the tradeoff. Twenty-three degrees of opening, always pointed at the ground, is a different thing from three hundred and sixty degrees of 3D scanning of the environment. The difference is not one of degree, it is of nature: a narrow visual field anchored to the ground cannot, physically, map the architecture of a house, the volumes of an adjacent building, or the profile of who enters the gate. A rotating 360° LiDAR can.
This is the difference. It is not engineering. It is culture translated into engineering.
How Volta is built: cybersecurity is not a patch, it is an architecture
We are not writing this article for the sake of polemic. We are writing it because Volta was designed on a different principle from the first system diagram, and we think it is worth explaining what that means.
There is a deep difference between security as a feature and security by design. The first is a list of controls added on top of an architecture that, without them, would be insecure: encryption on top of an open protocol, authentication on top of a public endpoint, monitoring on top of a camera that sees everything, a patch on top of a universal password. It is the model in which security is a department, and the roadmap is a chase.
The second is different. In security by design, security is not what you protect afterwards: it is what you decide before. Every component of the system is chosen, placed, and connected so that the insecure version of the product cannot even be built. There is no architecture to lock down: there is an architecture that, by its very construction, does not leave certain doors to lock down in the first place.
Volta was built this way. Six structural choices, made at the start, demonstrate it.
1. Privacy by Physics™ — the camera cannot see what it should not see
The Lawn Companion™ has a single camera, structurally anchored to the geometry of the chassis and pointed toward the turf surface. This is not a software choice. It is not a company policy. It is not a firmware-configurable restriction. It is physics.
A camera looking downward, with the minimum horizontal opening required for navigation, cannot frame the horizon. It cannot frame windows. It cannot frame the face of a standing person. It cannot frame the neighbor's yard beyond the hedge. It cannot be reoriented remotely — no matter what firmware runs on top. Its geometry is its security.
This is the precise sense of security by design: instead of promising "we will not use the frame for purposes other than agronomy," you build a device that cannot see what does not serve it. The promise does not depend on the company's good faith, on the integrity of the supply chain, on the integrity of the firmware, or on the absence of future compromise. It depends on geometry.
2. No shared credentials — the "one = all" attack is not possible
The most serious problem in the Yarbo case is not MQTT without ACLs. It is that every device had the same root password. Compromising one was compromising all of them. A single vulnerability scaled instantly to 11,000 machines.
In Volta the credential architecture is per-device. Every Lawn Companion™ is anchored to a unique cryptographic identity, authenticated to the cloud with keys specific to the single device. There is no "universal password" to discover. There is no single point of compromise that opens the fleet. The "one = all" attack, by construction, does not exist as a scenario.
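An added illustration of the "one = all" point, not Volta's or Yarbo's code: a fleet back end with either one shared secret or one secret per device, HMAC challenge-response authentication, and a per-device topic ACL of the kind an MQTT broker should enforce. Device ids, secrets and topic names are constructed; symmetric HMAC secrets stand in for the per-device keys the text describes (a real deployment would use asymmetric device keys).

```python
"""Per-device identity versus a fleet-wide shared credential, plus a per-device
topic ACL.  Added example (not the product's code); all values are constructed."""
import hashlib
import hmac
import secrets


class FleetBackend:
    """Cloud side.  shared=True models 'same root password on every machine';
    shared=False models one independent secret per device."""

    def __init__(self, device_ids, shared=False):
        common = secrets.token_bytes(32)
        self.keys = {d: (common if shared else secrets.token_bytes(32))
                     for d in device_ids}

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, device_id, nonce, response):
        key = self.keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    @staticmethod
    def authorize(device_id, topic, action):
        """Topic ACL: a device may publish its own telemetry and subscribe to
        its own command topic; every other topic/action pair is denied."""
        allowed = {
            "publish": f"devices/{device_id}/telemetry",
            "subscribe": f"devices/{device_id}/cmd",
        }
        return allowed.get(action) == topic


def device_respond(device_key, nonce):
    """Device side of the challenge-response."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def one_equals_all(shared):
    """Attacker has extracted the key from unit lc-0001's firmware and tries to
    authenticate as lc-0002.  Returns True if the whole fleet falls."""
    backend = FleetBackend(["lc-0001", "lc-0002", "lc-0003"], shared=shared)
    stolen_key = backend.keys["lc-0001"]   # stands in for a key pulled off one unit
    nonce = backend.challenge()
    return backend.verify("lc-0002", nonce, device_respond(stolen_key, nonce))


def legitimate_login(shared):
    """Sanity check: the real holder of a key still authenticates."""
    backend = FleetBackend(["lc-0001", "lc-0002"], shared=shared)
    nonce = backend.challenge()
    return backend.verify("lc-0001", nonce,
                          device_respond(backend.keys["lc-0001"], nonce))


if __name__ == "__main__":
    print("shared credential, cross-device auth succeeds:", one_equals_all(True))
    print("per-device credential, cross-device auth succeeds:", one_equals_all(False))
    print("lc-0001 may read lc-0002 commands:",
          FleetBackend.authorize("lc-0001", "devices/lc-0002/cmd", "subscribe"))
```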
3. No persistent remote-diagnostic tunnel
Yarbo announced that, even after corrections, it will keep a form of remote diagnostic access in place, under stricter controls. It is a legitimate choice — remote diagnostics lower the cost of support. But it is a choice that leaves a door. Doors can be reinforced. They remain doors.
Volta made the opposite choice. There is no persistent remote-access tunnel from the Volta cloud toward an individual Lawn Companion™. Device management runs through the user's authenticated channel — their app, their session, their credentials — and updates arrive over a closed, verified channel. There is no always-open service back-door. There is no door that can be left open by a server-side misconfiguration. The door is not there.
And not only that. On the Lawn Companion™, the defense is built in three layers stacked together:
- All network ports are closed. No service is listening, no endpoint is reachable from outside. A network scan of the device finds nothing to knock on.
- No user is enabled for SSH access. Even if someone, in theory, exposed a service, there is no user account that could authenticate via SSH. The users policy is restrictive by default, not permissive by default.
- The SSH server is not installed. It is not disabled, not listening on a different port, not dormant: it is absent from the filesystem. The binary that would allow accepting a remote session simply does not exist on the machine.
Three layers, each of which alone would suffice to block the attack. Together they make the "someone gets in via SSH" scenario not unlikely but non-buildable. To make it happen, one would need to (a) compromise the firmware supply chain, (b) install an SSH server on the device, (c) create an authorized user account, and (d) open a port, all while bypassing secure boot and firmware signing. This is not merely a harder attack: it is an attack of a different category, well beyond the reach of someone exploiting a universal root password.
It's worth comparing. Yarbo, according to the published research, exposed its devices and ran a full Linux operating system with universal root access, shared credentials, active administration servers. Once inside one, the attacker had at hand the entire toolkit of a mature Unix system in which to move, pivot, exfiltrate. In Volta's design, that toolkit isn't there to use. The Lawn Companion™ firmware is a minimal stack, built on the principle that any binary not strictly necessary to the product's function is a binary that should not exist on the device. No remote shell, no administration server, none of what an attacker would use as a first step after getting in.
It is the same logic as the LiDAR and the camera, applied to software: you don't carry on board what you don't need. Not because it could be used badly — but because it exists. An attack surface that does not exist is an attack surface that cannot be exploited. It is not a reinforced door: it is a door that was never built, in a room that has no handle, in a house that has no key.
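The properties listed in this section can be checked on an extracted firmware root filesystem rather than taken on trust. The audit below is an added example, not Volta's or Yarbo's tooling: it reports SSH daemon binaries on disk, accounts that can actually log in (real shell plus unlocked hash), and a root password hash repeated across several images, which is the fleet-wide shared credential the article describes. The sample images it builds are constructed for the demonstration.

```python
"""Audit extracted firmware rootfs trees for: an SSH server present on disk,
login-capable accounts, and a root hash shared across units.  Added example;
the sample images from make_sample_rootfs() are constructed, not real firmware."""
from collections import defaultdict
from pathlib import Path
import tempfile

SSH_SERVER_BINARIES = ("usr/sbin/sshd", "usr/sbin/dropbear", "usr/bin/dropbear")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", ""}
LOCKED_PREFIXES = ("!", "*")


def _read_colon_file(path, value_index):
    """Map field 0 -> field value_index for passwd/shadow-style files."""
    out = {}
    if path.exists():
        for line in path.read_text().splitlines():
            fields = line.split(":")
            if len(fields) > value_index and fields[0]:
                out[fields[0]] = fields[value_index]
    return out


def ssh_servers_present(rootfs):
    """Layer 3 of the text: is an SSH daemon binary on the filesystem at all?"""
    return [p for p in SSH_SERVER_BINARIES if (rootfs / p).exists()]


def login_capable_accounts(rootfs):
    """Layer 2: accounts with a real shell and an unlocked password hash."""
    shells = _read_colon_file(rootfs / "etc/passwd", 6)
    hashes = _read_colon_file(rootfs / "etc/shadow", 1)
    return sorted(user for user, shell in shells.items()
                  if shell not in NOLOGIN_SHELLS
                  and hashes.get(user, "")
                  and not hashes[user].startswith(LOCKED_PREFIXES))


def shared_root_hashes(images):
    """Same root hash in several images: one compromised unit yields root on all.
    Only identical hash strings (same salt and password, i.e. one image flashed
    everywhere) are caught; the same password under different salts is not."""
    groups = defaultdict(list)
    for img in images:
        h = _read_colon_file(img / "etc/shadow", 1).get("root", "")
        if h and not h.startswith(LOCKED_PREFIXES):
            groups[h].append(img.name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def audit(rootfs):
    return {"ssh_server": ssh_servers_present(rootfs),
            "login_accounts": login_capable_accounts(rootfs)}


def make_sample_rootfs(base, name, with_sshd, root_hash):
    """Build a minimal constructed rootfs for the demo (not a real image)."""
    root = Path(base) / name
    (root / "etc").mkdir(parents=True)
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\n"
        "mower:x:1000:1000::/var/lib/mower:/usr/sbin/nologin\n")
    (root / "etc/shadow").write_text(f"root:{root_hash}:19000:0:99999:7:::\n"
                                     "mower:!:19000:0:99999:7:::\n")
    if with_sshd:
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/sbin/sshd").write_bytes(b"\x7fELF")  # placeholder binary
    return root


def demo():
    """Three units flashed with one image (constructed "$6$..." hash string) and
    one hardened unit with no sshd and a locked root; returns the audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = [make_sample_rootfs(tmp, f"fleet-{i}", True, "$6$samesalt$SAMEHASH")
                for i in range(3)]
        hardened = make_sample_rootfs(tmp, "hardened", False, "!")
        audits = {img.name: audit(img) for img in weak + [hardened]}
        return audits, shared_root_hashes(weak + [hardened])


if __name__ == "__main__":
    audits, shared = demo()
    for name, result in audits.items():
        print(name, result)
    print("shared root hashes:", shared)
```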
4. The data that leaves the device is only agronomic — by geometry, not by filter
Here there's a nuance worth being precise about, because it's exactly where the difference between a privacy promise and a privacy architecture is played out.
Lawn Intelligence™ works by analyzing images of the turf surface. To train and refine the models that recognize diseases, nutrient deficits, weed presence, water stress, and to improve the biological map of the yard, some images are in fact uploaded to the cloud. It would be dishonest to say otherwise. That's how it works, it has to work, to do what it does.
But those images are — by physical construction — scans of the turf surface, not scans of the environment. The camera, by the geometry we have already described (oriented downward, twenty-three degrees of horizontal opening, no LiDAR, no sensor aimed at the horizon), cannot capture anything that is not the ground under the wheels. What reaches Volta's servers are frames of grass: texture, density, color, growth rate, any pathogens or weeds recognizable from above. Not faces. Not windows. Not interiors. Not profiles of who walks through the gate. Not because a software filter removed them — but because the camera, physically, never saw them.
It is the same Privacy by Physics™ applied at the data layer rather than only at the sensor layer: the constraint that prevents the camera from seeing what it shouldn't is the same constraint that prevents those images from ever, in any case, containing privacy-sensitive data. Even a hypothetical complete exfiltration of Volta's cloud archive would yield a huge dataset of lawn images. Nothing more.
There is no audio (there is no microphone on board). There is no 3D scan of the environment (there is no LiDAR on board). There is no continuous video stream of the field of view (it is not a supported channel). What there is — agronomic frames of the surface — is exactly what Lawn Intelligence™ needs to do its job, and not a gram more.
This choice is not the cheap one. It means giving up an entire class of functionality that less scrupulous competitors sell as features: facial recognition of guests, 3D yard mapping for AR, outdoor "voice assistants," recognition of animals and people as "intelligent" obstacle avoidance. Volta gave all of this up. Not because it was not technically feasible — it would have been easy. But because each of those functions would have required carrying on board sensors capable of seeing what they should not see. And those sensors, once on board, would have become the first target of anyone who got into the system.
5. Where the data lives — and whose jurisdiction governs it
The Yarbo case put back at the center a question many consumers never ask themselves: where does the data my device generates end up? In the Yarbo case the answer — even according to The Verge's reporting — is opaque: a company that declares itself in New York but operates out of Shenzhen, telemetry that in some cases traveled to servers controlled by ByteDance.
In Volta the answer is explicit and architectural. The data resides exclusively on Western cloud infrastructure, on servers located in the United States and the European Union — both jurisdictions with recognized data-protection frameworks. No transfer to jurisdictions outside the US/EU axis. No third-party advertising SDKs. No data brokers. Cloud and AI inference run on Western infrastructure. Volta Lawn Intelligence Inc. is a U.S. company based in Miami, FL, and it is the same entity that designs, operates, and is legally accountable for the service. There is no jurisdictional ambiguity, because there is no distance between who sells the product and who holds the data.
6. Vision-primary navigation — GPS spoofing does not move the robot
There is a category of attack that, we can safely bet, was never even considered in the Yarbo design: GPS spoofing. That is, the transmission of counterfeit GNSS signals that make the receiver believe it is somewhere other than where it actually is.
Until a few years ago this was a military-grade threat — superyachts hijacked in the Mediterranean, drones pushed out of their flight corridors. Not anymore. SDR transmitters capable of spoofing cost a few hundred dollars, the software is open source, the tutorials are on YouTube. It is an attack technique no longer prohibitive, within reach of a motivated local attacker — a neighbor, someone who wants to make trouble, someone who wants to push the robot outside its perimeter to steal it, someone who wants to put it in the road.
For most robotic lawn mowers of the current generation — those that rely on GNSS / RTK as the primary navigation system — this is a very-high-impact scenario. Spoofing the GPS means, in practice, telling the robot where it is. A robot convinced it is ten meters to the left of where it really is will cut where it should not, leave the geofence without noticing, end up in the street in front of the house, cross the neighbor's yard, crush a flowerbed, run over a cat. All of this without the firmware authentication being violated, without the cloud credentials being stolen. It is enough to disturb a radio signal from outside.
Volta addresses this risk structurally, because it does not use GPS as the primary navigation system. The primary system is the vision of the turf surface beneath the wheels. The camera analyzes the surface in real time, recognizes the texture, density, color of the grass, and distinguishes lawn from everything that is not lawn — asphalt, gravel, packed soil, sidewalk. It is the same capability protected by our U.S. patent, "Method for controlling a soil working means based on image processing" — the foundation of the product, not an accessory feature.
This means that under GPS loss, GPS denial, or GPS spoofing, the Lawn Companion™ does not get disoriented: it continues to see what is beneath it and stays on the turf surface. If the GNSS signal says one thing and the camera sees another, the camera is right. A spoofing attack can confuse the geographic position the robot logs, but it cannot persuade the robot to leave the lawn. Because it is looking at the lawn, not trusting a radio signal coming from outside.
It is an architectural property that, again, reflects the same principle as the rest of the product: never trust a single external signal that can be manipulated from outside. It applies to credentials ("not one password for all"), it applies to the cloud ("not an always-open tunnel"), it applies to data ("not on someone else's servers"). And it applies to positioning: the robot knows where it is because it sees where it is, not because it is told.
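A toy decision model of the rule described in this section, added here as an illustration and not Volta's navigation code: the downward camera decides whether the mower keeps working, while GNSS is advisory and only raises flags when it disagrees with the camera or jumps faster than the mower can move. The geofence, the speed ceiling and the spoofing scenario are constructed; "stop_and_turn" stands in for whatever manoeuvre a real mower performs at a lawn edge.

```python
"""Camera-as-source-of-truth decision model under GNSS spoofing.  Added
illustration; fence, speed limit and readings are constructed values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import math

MAX_SPEED_MPS = 1.0   # assumed mower speed ceiling; used to judge GNSS jumps
JUMP_FACTOR = 3.0     # a displacement above 3x max speed is physically implausible


@dataclass
class Reading:
    t: float                      # seconds since start
    gnss_xy: Tuple[float, float]  # receiver-reported position, metres, local frame
    surface: str                  # camera classifier output: "turf", "asphalt", ...


def in_geofence(xy, fence):
    xmin, ymin, xmax, ymax = fence
    return xmin <= xy[0] <= xmax and ymin <= xy[1] <= ymax


def decide(prev: Optional[Reading], cur: Reading, fence) -> Tuple[str, List[str]]:
    """Return (action, flags).  The camera rules motion; GNSS only raises flags."""
    # Rule 1: anything but turf under the wheels halts forward motion, however
    # confidently GNSS places the mower inside its fence.
    if cur.surface != "turf":
        return "stop_and_turn", ["camera:non-turf"]
    flags = []
    # Rule 2: GNSS is advisory.  A fix outside the fence while the camera sees
    # turf is logged as a possible spoof/denial event, not acted upon.
    if not in_geofence(cur.gnss_xy, fence):
        flags.append("gnss:outside-fence")
    # Rule 3: a displacement the mower could not have made is the classic
    # spoofing signature, independent of the fence check.
    if prev is not None and cur.t > prev.t:
        speed = math.dist(prev.gnss_xy, cur.gnss_xy) / (cur.t - prev.t)
        if speed > MAX_SPEED_MPS * JUMP_FACTOR:
            flags.append("gnss:implausible-jump")
    return "continue", flags


def run(readings, fence):
    """Apply decide() over a sequence; returns the list of (action, flags)."""
    out, prev = [], None
    for r in readings:
        out.append(decide(prev, r, fence))
        prev = r
    return out


# Constructed scenario: the mower works inside a 20 m x 20 m fence.  At t=2 a
# spoofer drags the GNSS fix 15 m west in one second (outside the fence) while
# the camera still sees turf; at t=4 the fix is back inside, but the mower has
# actually reached the driveway.
FENCE = (0.0, 0.0, 20.0, 20.0)
SCENARIO = [
    Reading(0.0, (10.0, 10.0), "turf"),
    Reading(1.0, (10.5, 10.0), "turf"),
    Reading(2.0, (-4.5, 10.0), "turf"),
    Reading(3.0, (-4.0, 10.0), "turf"),
    Reading(4.0, (11.0, 10.0), "asphalt"),
]

if __name__ == "__main__":
    for reading, (action, flags) in zip(SCENARIO, run(SCENARIO, FENCE)):
        print(f"t={reading.t:.0f}s gnss={reading.gnss_xy} cam={reading.surface}: "
              f"{action} {flags}")
```

A GNSS-primary controller fed the same sequence would treat the t=2 fix as truth and steer "back" toward the fence, driving the mower east off the lawn; here the spoof only produces log flags, and it is the asphalt under the wheels at t=4 that stops the machine.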
Architecture before specifications
The six above are choices of architecture. They are not features, not options, not service tiers. They are how the system is put together, and they define what is possible — and what, simply, is not — long before any technical security measure comes into play.
On top of the architecture sit the operational controls one expects of a mature cloud service: encryption, authentication, verified updates, vulnerability lifecycle management. They are important — but they are the layer that sits above, not the one that carries the weight. The difference between Volta and the Yarbo case is not played out there: it is played out in the six choices made first.
For those who want to go deeper: the Privacy Architecture whitepaper and the Privacy & Cybersecurity section are on the website.
What actually changes
There is a point of industrial philosophy underneath all of this. The question is not "are you secure?" The question is "what is your security made of?"
If a product's security is a layer applied over an otherwise permeable architecture, every new vulnerability requires a new patch, every new patch arrives after the incident, and the company spends its life chasing researchers and bug bounty hunters. It works, until it doesn't — and when it doesn't, the physical consequences are irreversible.
If, instead, security is in the architecture — in the form of the camera, in the structure of credentials, in the absence of a persistent tunnel, in the fact that what leaves the device can only be turf surface, in the jurisdiction the servers sit in, in the view of the lawn as the only source of truth on position — then entire categories of attack become non-buildable, not just improbable. One can argue this architecture is more expensive, slower to build, less convenient. Probably yes, on all three fronts.
But with an autonomous powered vehicle with rotating blades, which enters and leaves someone's home every day, which sees what it sees and knows what it knows — this is not a toy.
It is not a toy for the people who can be hurt. It is not a toy for the families whose data can be exfiltrated. It is not a toy for the neighbors who never gave consent. And it is not a toy, if even a small percentage of those robots ends up near the wrong place, for national security.
This is why Volta was designed the way it was designed, from the very first system diagram. By a company born in Italy, raised inside the strictest privacy regulation in the world, which chose — chose — to put fewer sensors, not more, on a device that enters someone's home. And it is why it will continue to be.
Volta Lawn Intelligence Inc. — Miami, FL. For the US, designed on Lake Como. Privacy by Physics™ is a trademark of Volta.