Yarbo Android/iOS Mobile Application and Cloud Infrastructure

Summary

Yarbo's Android/iOS mobile application and cloud infrastructure contain critical vulnerabilities, including the use of hard-coded credentials and missing authorization. Successful exploitation could allow an attacker to access telemetry data, obtain hard-coded credentials, and send operational commands to the robot fleet. Yarbo recommends updating the mobile application to version 3.17.4 or later, with server-side authorization enforcement expected in the May 2026 update.

IFF Assessment

FOE

The article details severe vulnerabilities in a consumer robot fleet and its cloud back end: hard-coded credentials in the mobile app and missing authorization in the cloud API could be exploited for telemetry access and remote control of the robots, posing a significant risk to defenders operating these devices.

Severity

9.8 Critical

A CVSS base score of 9.8 (Critical) is consistent with a network-reachable attack that needs no privileges or user interaction, low attack complexity, and high impact on confidentiality, integrity, and availability. The two weaknesses compound each other: hard-coded credentials extracted from the app give any attacker a valid way to talk to the cloud, and missing authorization means the cloud does not check which robots that caller is actually entitled to read telemetry from or command.

Defender Context

This alert highlights the risks of hard-coded credentials and improper authorization in cloud-connected IoT devices. Two caveats matter for defenders of Yarbo units: credentials baked into a shipped mobile app must be assumed public, since anyone can unpack the APK or IPA and read them, and they stay useful to an attacker until they are revoked on the server side; and an authorization gap in the cloud API cannot be closed by an app update alone, because the attacker talks to the API directly. Updating to 3.17.4 or later is the immediate step, but the exposure is not fully closed until the server-side authorization enforcement promised for May 2026 ships. In the meantime, defenders should apply the same lesson to any connected device they run: enforce access controls on the server, never in the client, and monitor for indicators of compromise such as telemetry reads or operational commands that do not match the owning account.
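The missing-authorization pattern described above, as an added example that is not Yarbo's code or anything from the advisory: a hypothetical cloud command endpoint that authenticates the caller but never checks that the caller owns the robot it names, beside the server-side check that closes the hole, plus the log query a defender would run to spot cross-account commands. All robot IDs, account names and the ownership table are constructed for illustration.

```python
"""Added example, not Yarbo's code: authentication without authorization
on a fleet command API, the server-side fix, and a detection query.
Every identifier below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed ownership table: robot_id -> the account allowed to control it.
ROBOT_OWNERS = {"robot-001": "alice", "robot-002": "bob"}

LogEntry = Tuple[str, str, str, str]  # (caller, robot_id, command, outcome)


@dataclass
class Session:
    """Result of authentication: who the caller is. Nothing more."""
    user: str


@dataclass
class CommandLog:
    entries: List[LogEntry] = field(default_factory=list)


class Forbidden(Exception):
    pass


def send_command_vulnerable(session: Session, robot_id: str,
                            command: str, log: CommandLog) -> str:
    """'Before': the server trusts the robot_id the client sends. Any
    authenticated account (including one using credentials lifted from the
    app) can drive any robot just by naming its ID."""
    if robot_id not in ROBOT_OWNERS:
        raise KeyError(robot_id)
    log.entries.append((session.user, robot_id, command, "OK"))
    return f"dispatched {command} to {robot_id}"


def send_command_hardened(session: Session, robot_id: str,
                          command: str, log: CommandLog) -> str:
    """'After': authorization is decided on the server from the ownership
    table, not from anything the client claims. Denied attempts are logged
    so they can be hunted for later."""
    owner = ROBOT_OWNERS.get(robot_id)
    if owner is None:
        raise KeyError(robot_id)
    if owner != session.user:
        log.entries.append((session.user, robot_id, command, "DENIED"))
        raise Forbidden(f"{session.user} does not own {robot_id}")
    log.entries.append((session.user, robot_id, command, "OK"))
    return f"dispatched {command} to {robot_id}"


def cross_account_attempts(log: CommandLog) -> List[LogEntry]:
    """Detection: every command whose caller is not the robot's owner.
    An 'OK' outcome here means the vulnerable path was exploited; a
    'DENIED' outcome means the hardened path blocked an attempt."""
    return [e for e in log.entries if ROBOT_OWNERS.get(e[1]) != e[0]]


if __name__ == "__main__":
    log = CommandLog()
    bob = Session(user="bob")
    print(send_command_vulnerable(bob, "robot-001", "start", log))  # succeeds: bug
    try:
        send_command_hardened(bob, "robot-001", "start", log)
    except Forbidden as exc:
        print("blocked:", exc)
    for entry in cross_account_attempts(log):
        print("cross-account:", entry)
```

The point of the hardened path is that the ownership lookup lives entirely on the server; a client-side check in the mobile app would be bypassed by anyone calling the API directly with the extracted credentials, which is why the advisory's real fix is the server-side enforcement rather than the app update.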
