[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-yarbo-robot-fleet-vulnerable-to-hardcoded-mqtt-keys":10},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":33,"persona_id":22,"persona_name":22,"section":22,"tags":34,"sources":38,"feedback":42,"feedback_at":22,"cost_usd":42,"total_tokens":42},1000,"yarbo-robot-fleet-vulnerable-to-hardcoded-mqtt-keys","Yarbo robot fleet vulnerable to hard‑coded MQTT keys","CISA warns that identical credentials in Yarbo’s mobile app let attackers spy on or command any robot worldwide.","Yarbo’s Android and iOS apps embed the same MQTT broker password, and its cloud broker lacks per‑device checks.\n\nThe CISA advisory lists two critical flaws: CVE‑2026‑10557 covers hard‑coded broker credentials that anyone can extract from the app binary, and CVE‑2026‑7368 allows any holder of those credentials to subscribe to all telemetry or publish commands to any robot by serial number. Both affect versions prior to 3.17.4 and score 9.8 and 8.1, respectively, on the CVSS scale. Yarbo says updating to 3.17.4 and a May‑2026 server patch will enforce authorization, with no user action required beyond installing the app update.\n\nThis matters because Yarbo’s robots are deployed in commercial facilities worldwide, meaning a single compromised key could be used to hijack an entire fleet’s operations. The flaws highlight how hard‑coded credentials and missing access controls remain easy entry points in industrial IoT, even for high‑profile vendors.\n\nBottom line: install the app update immediately and isolate any control‑system traffic behind firewalls. Updating the app does not by itself invalidate credentials already extracted from older builds, so the protection depends on the broker‑side authorization Yarbo describes. 
Treat the advisory as a reminder that shared secrets are a liability, not a convenience.","[\"iot\",\"cybersecurity\",\"industrial-automation\"]","2026-06-11T12:00:00.000Z","2026-06-16T03:15:01.397Z","2026-06-16T03:15:07.337Z","published",null,[24,30],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"Add a concise concluding paragraph that summarizes the key takeaway and reinforces why readers should act now.","resolved",{"id":31,"reviewer":26,"round":32,"reason":28,"status":29},"editor-r2",2,"https:\u002F\u002Fcdn.xyz.onl\u002Farticle-images\u002Fyarbo-robot-fleet-vulnerable-to-hardcoded-mqtt-keys.webp",[35,36,37],"iot","cybersecurity","industrial-automation",[39],{"name":40,"url":41},"CISA Advisories","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-162-01",0]