Reading view

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.

The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns appeared first on Unit 42.

  •  

Yarbo responds to robot flaws that could mow down their owners

A researcher found that Yarbo yard robots came with a host of vulnerabilities which, among others, allowed an attacker to harvest WiFi passwords.

Security researcher Andreas Makris found he could remotely hijack thousands of Yarbo yard robots worldwide, and proved it by having his mower run him over. The root cause was a cluster of “legacy” design choices: every robot shared the same hardcoded root password, remote tunnels were left open, and Message Queuing Telemetry Transport (MQTT) messaging was so weakly protected that once you had one device, you effectively had the worldwide fleet.

An attacker could pull GPS coordinates, email addresses, and Wi‑Fi passwords, turn cameras into remote spying tools, and even re‑arm the mower after someone hit the emergency stop. 

All of this was enabled by a persistent backdoor tunnel that users could neither see nor meaningfully control. The risks fell into three very different buckets:

  • A heavy mower with remotely controllable blades and an emergency stop that can be bypassed is a real-world safety hazard.
  • Exposed telemetry meant attackers could map where devices were, see who owned them, and in some reports even view camera feeds.
  • Network abuse through shared root credentials meant compromised robots could scan local networks, steal more data, or be folded into a botnet.

Yarbo’s public response is unusually detailed for a consumer Internet of Things (IoT) vendor. It’s also refreshingly blunt in admitting that the researcher’s core findings were accurate. The company temporarily disabled the remote diagnostic tunnels, reset root passwords, locked down unauthenticated endpoints, and began ripping out unnecessary legacy access paths.

More importantly, Yarbo promises structural changes:

  • Unique per‑device credentials.
  • Over-the-Air  (OTA) credential rotation.
  • Audited, allowlist‑based remote diagnostics.
  • Dedicated security contact, with a possible bug bounty to follow.

That is the sort of long‑term security hygiene we rarely see spelled out this clearly after an IoT fiasco.

From a disclosure and remediation standpoint, Yarbo is doing many things right: crediting the researcher, apologizing, prioritizing fixes, and explaining both short‑term patches and long‑term architectural changes in human language. For buyers of connected devices with blades, that level of transparency is a positive precedent.

But Yarbo has explicitly chosen to keep a remote access tunnel, although wrapped in better controls and logs, instead of offering users the option to remove or fully opt out of it.

How to secure IoT devices

The vulnerabilities uncovered in the Yarbo case present an almost a live-action demo of what the IoT Cybersecurity Improvement Act is trying to prevent in US government deployments. While the Act doesn’t apply to Yarbo directly, its National Institute of Standards and Technology (NIST)-driven requirements map neatly onto what went wrong here.

So, it’s still up to users to make sure you:

  • Change the default credentials.
  • Check if the vendor will make updates available and how easy it is to install them before buying an IoT product. And then install the updates when available.
  • If you can, put your IoT devices on a separate network. Use a guest Wi‑Fi or separate VLAN when available.
  • Disable what you don’t need. Turn off UPnP, remote access, cloud control, and unnecessary services if you’re not actively using them.
  • If your router or security suite logs connections from IoT devices, skim those logs for odd spikes or unknown destinations.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

  •  

Yarbo responds to robot flaws that could mow down their owners

A researcher found that Yarbo yard robots came with a host of vulnerabilities which, among others, allowed an attacker to harvest WiFi passwords.

Security researcher Andreas Makris found he could remotely hijack thousands of Yarbo yard robots worldwide, and proved it by having his mower run him over. The root cause was a cluster of “legacy” design choices: every robot shared the same hardcoded root password, remote tunnels were left open, and Message Queuing Telemetry Transport (MQTT) messaging was so weakly protected that once you had one device, you effectively had the worldwide fleet.

An attacker could pull GPS coordinates, email addresses, and Wi‑Fi passwords, turn cameras into remote spying tools, and even re‑arm the mower after someone hit the emergency stop. 

All of this was enabled by a persistent backdoor tunnel that users could neither see nor meaningfully control. The risks fell into three very different buckets:

  • A heavy mower with remotely controllable blades and an emergency stop that can be bypassed is a real-world safety hazard.
  • Exposed telemetry meant attackers could map where devices were, see who owned them, and in some reports even view camera feeds.
  • Network abuse through shared root credentials meant compromised robots could scan local networks, steal more data, or be folded into a botnet.

Yarbo’s public response is unusually detailed for a consumer Internet of Things (IoT) vendor. It’s also refreshingly blunt in admitting that the researcher’s core findings were accurate. The company temporarily disabled the remote diagnostic tunnels, reset root passwords, locked down unauthenticated endpoints, and began ripping out unnecessary legacy access paths.

More importantly, Yarbo promises structural changes:

  • Unique per‑device credentials.
  • Over-the-Air  (OTA) credential rotation.
  • Audited, allowlist‑based remote diagnostics.
  • Dedicated security contact, with a possible bug bounty to follow.

That is the sort of long‑term security hygiene we rarely see spelled out this clearly after an IoT fiasco.

From a disclosure and remediation standpoint, Yarbo is doing many things right: crediting the researcher, apologizing, prioritizing fixes, and explaining both short‑term patches and long‑term architectural changes in human language. For buyers of connected devices with blades, that level of transparency is a positive precedent.

But Yarbo has explicitly chosen to keep a remote access tunnel, although wrapped in better controls and logs, instead of offering users the option to remove or fully opt out of it.

How to secure IoT devices

The vulnerabilities uncovered in the Yarbo case present an almost a live-action demo of what the IoT Cybersecurity Improvement Act is trying to prevent in US government deployments. While the Act doesn’t apply to Yarbo directly, its National Institute of Standards and Technology (NIST)-driven requirements map neatly onto what went wrong here.

So, it’s still up to users to make sure you:

  • Change the default credentials.
  • Check if the vendor will make updates available and how easy it is to install them before buying an IoT product. And then install the updates when available.
  • If you can, put your IoT devices on a separate network. Use a guest Wi‑Fi or separate VLAN when available.
  • Disable what you don’t need. Turn off UPnP, remote access, cloud control, and unnecessary services if you’re not actively using them.
  • If your router or security suite logs connections from IoT devices, skim those logs for odd spikes or unknown destinations.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

  •  

Copyright Bullying vs. Religious Freedom

The government should not help a religious institution to punish or deter members from inquiring about their faith. Yet, once again, the Watch Tower Bible and Tract Society is trying to use flimsy copyright claims to exploit the special legal tools available to copyright owners in order to unmask anonymous online speakers. And, once again, EFF has stepped in to urge the courts not to give Watch Tower’s attempts the force of law, with the help of local counsel Jonathan Phillips of Phillips & Bathke, P.C.

EFF’s client, J. Doe, is a member of the Jehovah’s Witnesses who became interested in the history of the organization’s public statements, and how they’ve changed over time. They created research tools to analyze those documents and ultimately created a website, JWS Library, allowing others to use those tools and verify their findings through an archive that included documents suppressed by the church. Doe and others discovered prophecies that failed to come true, erasure of a leader’s disgrace, increased calls for obedience and donations, and other insights about the Jehovah’s Witnesses’ practices. Doe also used machine translation on a foreign-language document to help the community understand what the church was saying to different audiences and also to help understand potential changes in the organization’s attitudes towards dissent.

Within the church, dissent or even asking questions has often been punished by labeling members as apostates and ostracizing—or “disfellowshipping”— them. As a result, Doe and others choose to speak anonymously to avoid retaliation that could cost them family, friend, and professional relationships.

There is no law against questioning the Jehovah’s Witnesses. Instead, Watch Tower argues that Doe’s activities constitute copyright infringement and seeks to use the special process provided in the Digital Millennium Copyright Act (DMCA) to unmask them. It sent DMCA subpoenas to Google and Cloudflare, seeking information that would help them uncover Doe’s identity.

The problem for Watch Tower is that Doe’s research and commentary are clear fair uses allowed under copyright law. The First Amendment does not permit the unmasking of anonymous speakers based on such weak claims. Indeed, the First Amendment protects anonymous speakers precisely because some would be deterred from speaking if they faced retribution for doing so.

EFF stands with those who question the claims of those in power and who share the tools and knowledge needed to do so. We urge the judges in the Southern District of New York to quash these improper subpoenas and not allow copyright to be used to suppress important, legitimate speech.

  •  
❌