Hard-Coded MQTT Credentials Enable Global Robot Fleet Access

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.

Casky was already ahead

This CVE exploits attack patterns that Casky's 215matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Yarbo mobile applications (iOS and Android) embed identical MQTT broker credentials directly in the application binary, making them trivially extractable through APK decompilation. These credentials grant unauthorized access to cloud MQTT brokers handling real-time telemetry for Yarbo's entire global robot fleet. Any attacker can subscribe to all robot telemetry topics to intercept sensitive operational data, or publish commands to any robot by knowing only its serial number. This represents a critical supply chain risk affecting all users and devices, with CVSS 9.8 severity reflecting the ease of exploitation and broad blast radius across the customer base.

Casky's Claude-powered analysis maps this vulnerability to CWE-798 (Use of Hard-Coded Credentials) under MITRE ATT&CK's TA0006 (Credential Access) tactic. Practitioners using Casky's 215 matching skills would identify attack patterns including: credential extraction from mobile binaries (T1555.1), lateral movement post-compromise (T1570), and command execution on IoT devices (T1648). The platform's extended reasoning would flag the attack chain: decompilation → credential recovery → MQTT broker authentication → wildcard topic subscription → fleet-wide reconnaissance or command injection. Findings would surface the specific IoT/embedded risks unique to mobile-connected robotics, enabling teams to prioritize patching and credential rotation before adversaries weaponize this high-confidence exploit path.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

215 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-10557.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

analyzing-office365-audit-logs-for-compromise

cloud security · low

Run

MITRE ATT&CK Techniques

TA0006

Investigate the attack patterns behind CVE-2026-10557

Casky has 215 skills that investigate the attack patterns behind CVE-2026-10557. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn