Vulnerable Robotic Lawn Mower Opens the Door to a New Nightmare

Cramming for finals is challenging enough without the platform you rely on for schoolwork unexpectedly going offline. Unfortunately, many students across the US encountered this situation on Thursday when Canvas entered “maintenance mode” due to a ransomware attack on education tech company Instructure. Hackers identifying themselves as ShinyHunters took responsibility for the breach. Experts indicate that the turmoil they caused highlights the lengths to which these individuals will go to extort their targets.
Did you know Google Chrome automatically downloads the Gemini Nano AI model? If you’re unaware, you’re not alone. Many users of Google’s immensely popular browser discovered this week that Gemini Nano has been occupying 4 GB of space on their computers since 2024, raising concerns about privacy and causing some frustration. Luckily, you can turn off the AI model, although this might mean sacrificing valuable security features. Of course, switching to a different browser is also an option.
This week, researchers disclosed that thousands of vibe-coded applications were left vulnerable on the open internet, exposing sensitive corporate and personal information. These security shortcomings serve as a reminder: just because something can be vibe-coded doesn’t imply it should be.
The Department of Homeland Security has subpoenaed Google in an effort to obtain the location data and account activity of a Canadian individual who criticized US immigration enforcement methods following the killings of Renee Good and Alex Pretti in Minneapolis earlier this year. In response, the American Civil Liberties Union has filed a complaint against DHS on behalf of the man, who has not visited the US in over a decade.
Scammers, low-tier hackers, and various cybercriminals are now part of a collective seeking to escape from AI riffraff, according to recent findings. Meanwhile, Meta is enhancing its age-verification technology after a report revealed that children are cleverly bypassing online age checks with simple tricks—such as one child who fooled the system by drawing on a fake mustache. Additionally, we outlined Russia’s strategy to develop a local competitor to Starlink’s satellite internet service, complete with all the associated privacy and security worries.
And there’s more to cover. Every week, we compile security and privacy news that didn’t receive extensive coverage. Click the headlines for full articles, and remember to stay safe out there.
Most people assume that the 200-pound robot with blades in their yard is not easily hackable. Unfortunately for the owners of Yarbo, a $5,000 lawn mower robot that also functions as a leaf blower, snowblower, and edger, this was not the case. The Verge reports that a security researcher identified multiple vulnerabilities in the lawn robots, allowing potential hackers to remotely take control of these devices (including accessing their camera feeds) and retrieve owners’ email addresses, Wi-Fi passwords, and home locations.
Following a statement from a Yarbo spokesperson asserting that the robots’ “diagnostic environment is not publicly accessible,” the researcher and reporter demonstrated the security flaws in action by nearly running over the journalist with a hijacked robot. In response, the company has indicated that it is working on a fix for at least one of the vulnerabilities identified by the researcher.
Mark Zuckerberg’s Meta has withdrawn support for end-to-end encryption in Instagram messages, reversing its initiative to enhance user privacy by enabling messaging that the company could not monitor. The service stopped offering encryption on Instagram on May 8, making it technically easier for the company to access direct messages.
After years of developing the encryption systems necessary to secure its messaging apps, Meta announced in 2023 that it had implemented default encryption for Messenger. The company also stated it was launching an opt-in version for Instagram, which was intended to eventually become the standard setting. However, that day never arrived, as Meta decided in March of this year that the opt-in rate was insufficient and chose to remove the encryption option for Instagram chats. This reversal has angered privacy and security advocates, who worry that it could undermine end-to-end encryption efforts globally.
The Trump administration introduced a new counterterrorism strategy that President Donald Trump characterizes as a “return to common sense and Peace through Strength” in a foreword included in the document. The document identifies three primary types of terrorist groups: cartels, Islamist terrorist organizations, and “violent left-wing extremists.” The memo asserts that this last category includes anarchists and anti-fascists and espouses ideologies that are both “anti-American” and “radically pro-transgender.”
The memo pledges, “We will utilize all constitutionally available tools to map them domestically, identify their members, trace their connections to international organizations like Antifa, and employ law enforcement resources to disrupt their operations before they can harm or kill innocent people.”
