Every Yarbo robot globally shares the same MQTT credentials — hard-coded into the Android and iOS app binaries, identical for all users and all devices. Extract them via APK decompilation, and you get wildcard access to real-time telemetry from the entire fleet and the ability to publish commands to any robot using nothing but its serial number.
Reading the CISA advisory from June 11, 2026, I had to double-check the date. This isn't a 2015 IoT horror story; it's a current vulnerability set with a CVSS 9.8 (CVE-2026-10557) for the credential issue and CVSS 8.1 (CVE-2026-7368) for missing authorization. Markus Lassfolk of Truesec found both.
Hard-Coded Credentials: The Same Keys for Every Robot
The Yarbo app ships MQTT broker credentials embedded in the binary. No per-user derivation, no per-device secrets — just static strings. Any client that presents these credentials is accepted by the cloud MQTT brokers serving telemetry for the entire global Yarbo robot fleet. That means an attacker can subscribe to all robot topics (telemetry, status, location) and publish to any robot's command topic just by knowing its serial number, which the telemetry stream conveniently discloses.
Yarbo's cloud infrastructure never checked whether a client had permission to control a specific robot. Once you had valid credentials — even the shared hard-coded ones — you could send operational commands to any unit.
Missing Authorization: One Compromised Account Controls the Fleet
Even if Yarbo removes the hard-coded credentials from future app versions, the second vulnerability (CVE-2026-7368) means a single legitimate user credential could still be abused for fleet-wide access. The cloud lacks per-device or per-user authorization on MQTT topics. Any authenticated client can subscribe to wildcard topics covering all robots and publish to command topics using only the serial number.
This is a textbook case of treating credentials as a blanket authorization token instead of enforcing fine-grained access controls. The combination of shared static credentials and no authorization logic turns any leaked token into a master key.
The Fix and What It Reveals
Yarbo recommends updating the mobile app to version 3.17.4 or later. Broker-side authorization is enforced by the May 2026 server update, which needs no user action. That is the right split: remove the hard-coded credentials from the binary, and have the broker authorize every subscribe and publish against the specific robots the client is entitled to, so that a leaked app secret or a single user credential no longer reaches beyond its own device.
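To make the "credentials as blanket authorization" failure and the per-device fix concrete, here is an added example (not Yarbo's code, not from the CISA advisory) of a broker-side authorization check. Everything in it is assumed for illustration: the topic layout `yarbo/<serial>/telemetry` and `yarbo/<serial>/cmd`, the `Principal` model of devices and user accounts, and the serial numbers in the constructed scenario. The point it shows is that a subscribe filter such as `yarbo/+/telemetry` or `#` must be rejected unless every topic it could match is within the client's own scope, and that a client holding only the shared app credentials ends up with no scope at all.

```python
# Added example (not Yarbo's code or CISA's): a broker-side authorization
# check that scopes every MQTT subscribe/publish to the robots a client owns.
# The topic layout below is an assumption made for this example:
#   yarbo/<serial>/telemetry  published by the robot, read by its owner
#   yarbo/<serial>/cmd        published by the owner, read by the robot
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    kind: str                                  # "device" or "user"
    name: str                                  # robot serial or account id
    owned: frozenset = field(default_factory=frozenset)  # serials a user controls


def filter_within(topic_filter: str, scope: str) -> bool:
    """True iff every topic matched by topic_filter is also matched by scope.

    scope is a literal topic, optionally ending in '#'; topic_filter may use
    MQTT wildcards.  A '+' or '#' in the filter at a level where scope has a
    literal is rejected, which is what stops 'yarbo/+/telemetry' and '#'.
    """
    f = topic_filter.split("/")
    s = scope.split("/")
    for i, level in enumerate(s):
        if level == "#":
            return True                 # scope covers everything below here
        if i >= len(f) or f[i] in ("+", "#") or f[i] != level:
            return False
    return len(f) == len(s)             # no extra levels beyond a literal scope


def scopes(p: Principal, action: str) -> list:
    """Topics a principal may touch, derived from identity, not from whether
    the presented credentials happened to be valid."""
    if p.kind == "device":
        leaf = "cmd" if action == "subscribe" else "telemetry"
        return [f"yarbo/{p.name}/{leaf}"]
    leaf = "telemetry" if action == "subscribe" else "cmd"
    return [f"yarbo/{sn}/{leaf}" for sn in sorted(p.owned)]


def authorize_shared_creds(credentials_valid: bool, action: str, topic: str) -> bool:
    """The broken model: a valid login is treated as blanket authorization."""
    return credentials_valid


def authorize(p: Principal, action: str, topic: str) -> bool:
    """Hardened: authentication says who you are; this decides what that
    identity may do with this exact topic or filter."""
    if action not in ("subscribe", "publish"):
        return False
    if action == "publish" and any(lvl in ("+", "#") for lvl in topic.split("/")):
        return False                    # MQTT forbids wildcards in PUBLISH
    return any(filter_within(topic, s) for s in scopes(p, action))


def demo() -> dict:
    """Constructed scenario: one owner, her robot, and a client that holds
    only the shared app credentials and owns no device."""
    alice = Principal("user", "alice", frozenset({"SN-0001"}))
    robot = Principal("device", "SN-0001")
    leaked = Principal("user", "apk-creds")   # authenticated, owns nothing
    return {
        # what a broker that only checks credentials allowed
        "old_fleet_wildcard":     authorize_shared_creds(True, "subscribe", "yarbo/+/telemetry"),
        "old_other_robot_cmd":    authorize_shared_creds(True, "publish", "yarbo/SN-0002/cmd"),
        # the same requests under per-device authorization
        "leaked_fleet_wildcard":  authorize(leaked, "subscribe", "yarbo/+/telemetry"),
        "leaked_other_robot_cmd": authorize(leaked, "publish", "yarbo/SN-0002/cmd"),
        "alice_own_telemetry":    authorize(alice, "subscribe", "yarbo/SN-0001/telemetry"),
        "alice_fleet_wildcard":   authorize(alice, "subscribe", "yarbo/+/telemetry"),
        "alice_other_robot_cmd":  authorize(alice, "publish", "yarbo/SN-0002/cmd"),
        "robot_own_cmd":          authorize(robot, "subscribe", "yarbo/SN-0001/cmd"),
        "robot_other_telemetry":  authorize(robot, "publish", "yarbo/SN-0002/telemetry"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY'}")
```

Run it and the first two rows print ALLOW (the old model), and only `alice_own_telemetry` and `robot_own_cmd` print ALLOW under the hardened check. In a real deployment this logic belongs in the broker's authorization plugin or ACL layer rather than in application code; Mosquitto's `acl_file`, for instance, expresses the same per-identity scoping declaratively with `pattern` lines that substitute `%u` (username) or `%c` (client id) into the permitted topic, which is exactly the "derive the scope from the identity" step shown here.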
What this episode underscores is how fragile IoT security remains when vendors ship identical credentials in client binaries and treat MQTT topics as a free-for-all. Yarbo's fix addresses the immediate hole, but the architectural lesson — never trust the client, always authorize per device — applies to every connected product shipping today.
Source: Yarbo Android/iOS Mobile Application and Cloud Infrastructure
Domain: cisa.gov