I’m writing this directly because the issues raised in the recent security report deserve a direct response, not a corporate response.
On May 7, 2026, security researcher Andreas Makris published a detailed report identifying serious vulnerabilities in Yarbo’s remote diagnostic, credential management, and data-handling systems. The main technical findings are accurate. I would like to thank Mr. Andreas Makris for his work in identifying these issues and his persistence in bringing them to our attention. I also recognize that our initial response did not adequately reflect the seriousness of the issues they identified. As co-founder, I’m accountable for what’s shipped on our products, and I’m accountable for the feedback.
Our engineering, product, legal, and customer support teams are working on remediation as a top priority. What follows is my overview of what was found, what we have already fixed, what we are actively fixing, and what changes we are committed to making in our operations going forward.
Based on our initial review, the issues primarily relate to historic design choices in parts of Yarbo’s remote diagnostic, access management, and data handling systems.
In particular, some legacy support and maintenance capabilities did not provide users with sufficient visibility or control, and some authentication and credential management mechanisms did not meet the security standards we expect for today’s products.
We have also identified areas where stronger security and strict controls are required for access permissions, backend system configuration, and data flows between devices and cloud services.
We recognize the seriousness of these issues and the concerns they cause for our customers and the community. We sincerely apologize for the impact this situation has caused, and we are committed to addressing these issues in a transparent and responsible manner.
We are strengthening system security by reducing legacy access paths, tightening permissions, and moving toward fully auditable device-level credentials. To clarify our remediation progress, we are separating actions already taken from work that is currently in progress.
what have we already done
What are we working on now
As part of this improvement process, historic servers and legacy access channels will continue to be phased out one by one.
We’re also accelerating OTA security updates and additional server-side security. The first wave of updates is expected to roll out within a week. Important: A security firmware update is being pushed to all Yarbo devices. To receive this update, please connect your Yarbo to the Internet. Once the update is applied, you can return to your preferred network settings. If you prefer to take your device offline in the meantime, you can do so without affecting your warranty or service coverage. We will notify you when the update is ready so you can connect briefly to apply it.
This remediation effort is not limited to a single fix or software update. We are using this process to strengthen the long-term security architecture and governance standards behind our products.
These efforts include strengthening access control standards, improving authentication and authorization models, increasing user visibility and control over remote clinical facilities, and reducing unnecessary legacy support mechanisms in related systems and infrastructure.
We will also continue to expand our internal security review, improvement and governance processes to support strong long-term security practices going forward. Our goal is to ensure that security, transparency and user trust are built into the foundation of future Yarbo systems and services.
Some items in the external report describe actual security issues, while others require clarification because they do not apply to currently shipped Yarbo products or do not represent independent security vulnerabilities.
FRP auto-restart and persistence
The report also mentions that the FRP client may restart through scheduled tasks or service recovery mechanisms. We acknowledge that this may make it more difficult to manually disable remote access channels, but the main issue lies in the existence, permissions, and policy of the remote tunnel. Our solution focuses on disabling or restricting tunnels, introducing allowlists and auditability, and removing unnecessary persistent remote access paths.
File monitoring and self-recovery
The report mentions file monitoring behavior that may restore some deleted files or services. This mechanism was originally designed as a defensive reliability measure to protect critical service files from being accidentally deleted or corrupted. In itself, it was not intended to function as a remote access facility.
That said, we believe that any mechanism that makes it difficult for users to remove remote-access-related components could raise trust concerns. We are reviewing which files should be protected and which components should be removed, simplified, or placed under user control.
Historical or non-production configuration
Some findings include historical infrastructure, legacy cloud services, dealer-specific customizations, or internal test configurations. These are under review and being cleaned up where necessary, but should be distinguished from the default behavior of currently shipped production units.
Our goal is to be precise: we will not minimize confirmed security issues, but we also want users to understand which findings apply to production devices, which apply only to historical or optimized configurations, and which are being addressed as part of broader hardening efforts.
To improve security reporting in the future, we are launching a dedicated security response channel and security contact process for vulnerability reports and responsible disclosure:
security@yarbo.com
The public will also be able to find our security contact information on the Yarbo Security Center page under the “Explore” section of our official website.
We are also exploring the possibility of establishing a formal bug bounty program as part of our broader long-term security initiatives.
We appreciate the role of independent security researchers in responsibly identifying potential issues, and we are committed to strengthening the security, transparency, and reliability of our products.
As testing and remediation work continues, I will provide further updates as they become available.
kenneth kohlmann
Co-Founder, Yarbo
new york
<a href