Security Remediation Progress Update Regarding Yarbo Remote Diagnostic Systems
This update provides a follow-up to our May 8, 2026 security advisory. Since that disclosure, our engineering and security teams have continued reviewing and remediating the identified issues, including additional findings shared with us through coordinated disclosure by security researcher Andreas Makris.
We are publishing this update to maintain transparency with our customers and the broader security community regarding the remediation measures and security improvements implemented to date.
Completed Remediation Actions
The following measures have been implemented and deployed across applicable systems and devices. Updates are delivered automatically once devices are connected to the internet, and customers do not need to take any manual action to receive them. The update process may take approximately 30 minutes to complete depending on network conditions and device status.
1. Rotation and replacement of historical device root credentials
- Historical fleet-level root credentials previously associated with legacy maintenance workflows have been retired.
- Replacement credentials have been generated and deployed as part of the remediation process.
- Legacy credentials have been invalidated and are no longer used in current deployments or provisioning workflows.
2. Revocation of historical FRP remote-access credentials
- Historical shared credentials associated with prior FRP-based remote support workflows have been revoked and destroyed.
- Related FRP server-side connection paths and configurations have been disabled.
- As a result, previously identified legacy FRP credentials can no longer be used to establish remote reverse SSH connections.
3. Removal of static access mechanisms from the mobile application
- Updated versions of the Yarbo mobile application no longer contain static credentials or embedded access mechanisms capable of directly authenticating against backend services.
4. Removal of unnecessary scripts, legacy dependencies, and non-essential network configurations
- Reporting scripts and telemetry components that no longer served a necessary operational or product function have been removed from firmware builds.
- Legacy cloud-service dependencies no longer associated with active product functionality have been retired.
- Non-essential third-party proxy paths and fallback DNS-related configurations have been taken offline or removed from active deployment environments.
Remediation in Progress
The following initiative is currently under active development and will be delivered in a subsequent update:
We are rebuilding our credential management system to replace any remaining shared-credential models with individually scoped, per-device credentials. Each credential will support independent rotation and revocation, ensuring that the compromise of any single device does not affect the broader fleet.
This work is intended to help prevent broad system exposure scenarios resulting from the compromise of any individual device or credential set.
Additional remediation and security-hardening updates will continue to be published through the Yarbo Security Center as relevant work progresses.
Yarbo Security Team
























