---
title: "Critical Flaws in Yarbo App Expose Robot Fleets to Cyberattacks"
short_title: "Yarbo app vulnerabilities expose robot fleets"
description: "Two critical vulnerabilities in Yarbo's Android/iOS app and cloud infrastructure allow attackers to access hard-coded credentials, telemetry data, and control robot fleets. Update now to secure your devices."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [yarbo, mqtt, hard-coded-credentials, cve-2026-10557, cve-2026-7368]
score: 0.92
cve_ids: [CVE-2026-10557, CVE-2026-7368]
---
## TL;DR
Two critical vulnerabilities in the Yarbo Android/iOS mobile app and cloud infrastructure expose hard-coded credentials and lack proper authorization controls. Attackers can access real-time telemetry data and send operational commands to entire robot fleets worldwide. Yarbo has released an update (v3.17.4) to mitigate these risks—users must update immediately to prevent exploitation.
## Main Content
### Introduction
Smart home and robotic technologies are transforming convenience and automation, but they also introduce new cybersecurity risks. Yarbo, a leading provider of robotic solutions, has recently disclosed two critical vulnerabilities in its Android/iOS mobile application and cloud infrastructure. These flaws could allow attackers to extract hard-coded credentials, access sensitive telemetry data, and even control entire robot fleets. Because the robots are deployed worldwide, the implications of these vulnerabilities are far-reaching and demand immediate attention.
### Key Points
- Hard-coded credentials in the Yarbo app allow attackers to access cloud MQTT brokers carrying real-time telemetry data for all Yarbo robots globally.
- Missing authorization controls enable attackers to publish commands to any robot using only its serial number, even after credentials are updated.
- Critical CVSS scores of 9.8 (CVE-2026-10557) and 8.1 (CVE-2026-7368) highlight the severity of these vulnerabilities.
- Yarbo has released an update (v3.17.4) to address these issues, but users must act now to secure their devices.
### Technical Details
#### CVE-2026-10557: Use of Hard-Coded Credentials
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and devices. These credentials are embedded in the app binary and can be extracted via APK decompilation. Once obtained, they provide access to:
- Real-time telemetry data for the entire global Yarbo robot fleet.
- Wildcard subscription to all robot telemetry topics.
- Publishing capabilities to any robot's command topic using only its serial number.
This flaw exposes sensitive data and allows unauthorized control over connected devices.
#### CVE-2026-7368: Missing Authorization
The Yarbo cloud infrastructure lacks per-device or per-user authorization controls. This means:
- Any client with valid credentials—whether hard-coded or legitimate—can subscribe to wildcard topics covering all robots globally.
- Attackers can publish commands to any robot using only its serial number, which is disclosed in the telemetry stream.
- Even after removing hard-coded credentials, a single compromised credential could provide fleet-wide access due to the absence of access controls.
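The two flaws compound: the shared credential (CVE-2026-10557) gets a client onto the broker, and the absent per-device check (CVE-2026-7368) lets that client subscribe with a fleet-wide wildcard or publish to any serial. The following is an added example, not Yarbo's broker or app code, of the topic authorization a broker auth plugin would apply so that a valid credential only ever reaches the caller's own robots. The topic layout `yarbo/<serial>/telemetry` and `yarbo/<serial>/cmd`, the user/robot principal model and the serial numbers are assumptions made for this example; the page does not give Yarbo's real topic names.

```python
"""Per-device MQTT topic authorization for a robot fleet broker (example code)."""
from dataclasses import dataclass, field

# Denials are recorded so a monitoring pipeline can pick them up: a burst of
# wildcard or foreign-serial requests from one client is what a leaked shared
# credential being used to enumerate the fleet looks like at the broker.
DENIALS: list = []


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                       # "user" (app account) or "robot" (device identity)
    serials: frozenset = field(default_factory=frozenset)  # owns (user) or is (robot)


def _deny(p: Principal, action: str, topic: str, reason: str) -> bool:
    DENIALS.append((p.name, action, topic, reason))
    return False


def authorize(p: Principal, action: str, topic: str) -> bool:
    """Allow `action` ("subscribe" or "publish") on `topic` only within the
    principal's own robots. Assumed layout: yarbo/<serial>/telemetry and
    yarbo/<serial>/cmd. The serial level must be a literal serial the principal
    owns; a '+' or '#' there would cover other customers' robots and is refused
    no matter which credential the client presented."""
    lv = topic.split("/")
    if len(lv) < 2 or lv[0] != "yarbo":
        return _deny(p, action, topic, "unknown topic layout")
    serial = lv[1]
    if serial in ("+", "#") or serial not in p.serials:
        return _deny(p, action, topic, "wildcard or foreign serial")
    if len(lv) != 3:
        return _deny(p, action, topic, "unexpected topic depth")
    leaf = lv[2]
    if action == "publish":
        if leaf in ("+", "#"):
            return _deny(p, action, topic, "wildcard in publish topic")
        # robots report telemetry and app users issue commands, never the reverse,
        # so a stolen app credential cannot forge telemetry either
        want = "telemetry" if p.kind == "robot" else "cmd"
        if leaf != want:
            return _deny(p, action, topic, f"{p.kind} may not publish {leaf}")
        return True
    if action == "subscribe":
        # a robot reads only its own command topic; an owner may read anything
        # (telemetry, or the echo of its own commands) under its own serial
        if p.kind == "robot" and leaf != "cmd":
            return _deny(p, action, topic, "robot may only read its cmd topic")
        return True
    return _deny(p, action, topic, "unknown action")
```

Fed `DENIALS` into a log shipper, the "wildcard or foreign serial" reason is the one to alert on, since a legitimate app never needs it.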
### Impact Assessment
The exploitation of these vulnerabilities could have severe consequences:
1. Unauthorized Access: Attackers can gain control over Yarbo robots, potentially disrupting operations or causing physical harm.
2. Data Exposure: Real-time telemetry data, including location and operational metrics, could be intercepted and misused.
3. Fleet-Wide Compromise: The lack of proper authorization means a single breach could expose all connected robots globally.
4. Reputation Damage: Users may lose trust in Yarbo’s security measures, impacting the company’s market position.
Given the worldwide deployment of Yarbo robots, the potential for large-scale exploitation is significant.
### Mitigation Steps
Yarbo has released an update to address these vulnerabilities. Users and organizations must take the following steps immediately:
- Update the Yarbo Mobile App: Ensure the app is updated to version 3.17.4 or later via the Google Play Store or Apple App Store.
- Server-Side Fixes: Yarbo will enforce server-side broker authorization automatically with the May 2026 update. No additional user action is required.
- Network Security: Minimize network exposure for all control system devices. Ensure they are not accessible from the internet.
- Firewall Protection: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- Secure Remote Access: Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Monitor for Suspicious Activity: Organizations should monitor for signs of malicious activity and report any incidents to CISA or relevant authorities.
### Affected Systems
The following Yarbo products and versions are affected:
- Yarbo Android/iOS Mobile Application: Versions prior to 3.17.4.
- Yarbo Cloud MQTT Infrastructure: All versions (until the May 2026 server-side update is deployed).
## Conclusion
The discovery of these critical vulnerabilities in Yarbo’s mobile app and cloud infrastructure underscores the importance of secure coding practices and robust authorization controls in IoT and robotic systems. While Yarbo has taken steps to mitigate these risks, users must update their apps immediately and follow recommended security practices to protect their devices.
As smart home and robotic technologies continue to evolve, so too must the security measures that safeguard them. Organizations and users alike must remain vigilant to prevent exploitation and ensure the safety of their connected devices.