
Here’s Yarbo’s promise to fix the robotic lawnmower that ran me over

I am writing this specifically because the issues raised in the latest security report deserve an honest, not corporate, response.

On May 7, 2026, security researcher Andreas Makris published a detailed report identifying major vulnerabilities in Yarbo’s remote diagnostics, information management, and data management systems. The key technical findings are accurate. I would like to thank Mr. Andreas Makris for his work in identifying these issues and his persistence in bringing them to our attention. I also realize that our initial response did not adequately reflect the seriousness of the issues he identified. As a co-founder, I am responsible for what we post about our products, and I am responsible for how we respond to feedback.

Our engineering, product, legal, and customer teams are working on fixes as a top priority. What follows is my account of what we found, what we’ve already fixed, what we’re working on, and what we’re committed to changing in the way we work going forward.

Based on our initial review, the issues are primarily related to historic design choices in Yarbo’s diagnostic components, access management, and data management systems.

Specifically, some legacy backup and storage capabilities did not provide users with sufficient visibility or control, and some authentication and credential management methods did not meet the security standards we expect from today’s products.

We also identified areas where access permissions, backend system configuration, and data flows between devices and cloud services require stronger security controls.

We recognize the seriousness of these issues and the concerns they may cause to our customers and the public. We deeply apologize for the impact this situation has caused, and we are committed to dealing with these issues in a transparent and honest manner.

We are strengthening system security by reducing legacy access paths, tightening permissions, and moving to fully auditable device-level authentication. To make our repair progress clear, we have separated the actions that have already been taken from the work that is currently in progress.

What We’ve Already Done

What We’re Working On Now

Historical servers and legacy access channels will continue to be phased out one by one as part of this maintenance process.

We are also expediting OTA security updates and additional server-side protection. The first wave of updates is expected to start rolling out within one week. Important: a security firmware update will be pushed to all Yarbo devices. To receive this update, please connect your Yarbo to the Internet. Once the update is applied, you can return to your preferred network settings. If you choose to keep your device offline for now, you can do so without voiding your warranty or service coverage. We’ll let you know when the update is ready so you can connect briefly to install it.

This maintenance effort is not limited to a single fix or software update. We are using this process to strengthen the long-term security architecture and management standards of our products.

These efforts include strengthening access control standards, improving authentication and authorization models, increasing user visibility into and control over remote diagnostic features, and further reducing unnecessary legacy support mechanisms across all associated systems and infrastructure.

We will continue to expand our internal security review, maintenance, and management processes to support strong long-term security practices going forward. Our mission is to ensure that security, transparency, and user trust are built into the foundation of Yarbo’s future programs and services.

Some items in the external report describe real security issues, while others need to be clarified because they do not apply to Yarbo’s currently shipped products or do not represent an independent security risk.

FRP Auto-Restart and Persistence

The report also mentions that the FRP client may resume scheduled operations or service recovery procedures. We acknowledge that this can make manually disabling remote access channels more difficult, but the main problem is still the existence, permissions, and policy of the remote tunnel itself. Our fixes focus on disabling or restricting tunnels, whitelisting and auditing, and removing unnecessary remote access methods.

File Monitoring and Self Recovery

The report mentions file monitoring behavior that can restore certain deleted files or services. This mechanism was originally designed as a protective reliability measure to prevent important service files from being accidentally deleted or corrupted. By itself, it was not intended to function as a remote access feature.

That said, we recognize that any approach that makes remote access-related components difficult for users to remove would raise trust concerns. We are reviewing which files should remain protected and which components should be removed, simplified, or placed under user control.

Historical or Non-Production Configurations

Some findings involve legacy infrastructure, legacy cloud services, vendor-specific customizations, or internal test setups. These are still being updated and refined where necessary, but should be separated from the default behavior of currently deployed production units.

Our goal is precision: we won’t minimize confirmed security issues, but we also want users to understand which findings apply to production devices, which apply only to historical or customized configurations, and which are considered part of broader resilience efforts.

To improve security reporting in the future, we are introducing a dedicated security response channel and a security communication process for vulnerability reports and responsible disclosure:

security@yarbo.com

The public will also be able to find our security contact information on the Yarbo Security Center page under the “Explore” section of our official website.

We are also exploring the possibility of establishing a formal bug bounty program as part of our comprehensive long-term security plans.

We appreciate the role that independent security researchers play in proactively identifying potential problems, and we remain committed to strengthening the security, transparency, and reliability of our products.

As investigative and corrective work continues, I will provide additional updates as they become available.

Kenneth Kohlmann

Founder Yarbo

New York
