Security Remediation Progress Update Regarding Yarbo Remote Diagnostic Systems (Phase II)

Since our May 8 security advisory, Yarbo has continued to strengthen the security of the communication link between our devices and backend services. In response to issues previously disclosed by an external security researcher, we have completed a second phase of security updates that further strengthen authentication and access controls on the messaging channel between devices and our backend.
The key updates included in this phase are outlined below.

1. Enhanced Authentication and Access Controls for Device Messaging Channels

We have implemented authentication and authorization controls for the real-time messaging channels between devices and cloud services, and introduced fine-grained topic-based access control mechanisms.
Devices and users may only send commands to and receive messages from devices they own or have been explicitly granted access to. Access to data associated with unauthorized devices is not permitted.

2. Device Connection Credential Upgrade

We have removed the shared connection credentials embedded in device firmware and replaced them with a device-specific credential model.
Each device now uses its unique device certificate to obtain dynamically issued credentials during the connection process. These credentials are no longer long-lived and are no longer shared across devices.

3. App Connection Credential Upgrade

The Yarbo mobile app no longer uses embedded shared connection credentials.
All connections are authenticated and authorized using identity credentials obtained after user sign-in, ensuring that operational permissions remain associated with the corresponding user account.

Update Information for Customers

This security update applies to the following versions:
  • Yarbo Device Firmware: 3.13.11
  • Yarbo App: 3.18.6
Please update your Yarbo App to the latest version and install available firmware updates when prompted to ensure these security enhancements are applied.
After the update is complete, your device will communicate with Yarbo cloud services using enhanced authentication and access control mechanisms without affecting normal functionality.

Ongoing Security Commitment

With the completion of this remediation phase, Yarbo has implemented the key security improvements outlined in response to the previously disclosed findings regarding historical remote diagnostic systems and related infrastructure components.
We appreciate the responsible disclosure efforts of the security community and the constructive engagement that helped identify opportunities for improvement.
Future security-related updates will continue to be published through the Yarbo Security Center.

Yarbo Security Team