Security breach / backdoor into all yarbo cores

Ooof.

This seems bad. Very bad. All robots, same root password, always enabled, all personal wifi passwords, home addresses, emails, all available to whoever can access the Yarbo network.

@Yarbo-Forum What’s the plan? We already knew about the unauthenticated MQTT access, but this is even more frightening.

Well now. Reminds me of the farm robot scene in the movie Runaway.

I’ve shut mine down for the time being.

Could this be why I got this notification today?

Not sure but we’ll DEFINITELY need a very clear and targeted response addressing this exactly without any ambiguity, or sugar coating, in the response of what was patched/changed in direct response to the findings. @Yarbo-Forum

This is a big deal.

For sure watching this closely.

The only thing worse is Yarbo’s dismissive response to the heads-up. It’s a very very bad look.

I hope Yarbo resolves the vulnerabilities in short order and puts out an official statement to reassure their customer base.

Where is the response?

I don’t think the level 1 support fully understood what was being conveyed. I also didn’t see what the message was that was being conveyed either. They clearly left that out. :thinking:

I think at a minimum they need a formal vulnerability submittal process that bypasses the standard help desk escalation. Adding a bug bounty would be even better…as long as it’s taken seriously.

All I gotta say is THANK GOODNESS for the White Hats who discover and report on vulnerabilities like this. The alternative would be way worse.

I always enjoy working with my company’s PEN testers. Very impressive watching them try to break into the systems.

“Don’t encode persistent root-level passwords/logins in the firmware code” is in the 101 security class. But, when you’re offshoring coding to CHINA where every piece of IP is stolen and/or reverse engineered, what should we really expect?

As a follow up, this isn’t accidental. They knew exactly what they were doing.

There’s a 50/50 chance that they simply hired a dev from Cisco. Or maybe Kia, lol. IYKYK

FYI the DC appears to proxy the core into whatever network the DC is jacked into. WiFi on the core is not needed. Expect to find the core on whatever PoE port you power the DC from.

Ugh. How do we unplug the network when we’re a week into waiting on an FSE support ticket?

I love how @Yarbo-Forum skips threads like trimmer shipping and now this security thread. Great job.

Posting the Yarbo response here.

Hopefully the promised new authorization and “allowlist” systems stay secure.

Hopefully that is only a temporary stop gap and there is a better long term strategy to follow.