Rabbit R1's code vulnerability allegedly leaves user data unprotected
The Rabbit R1, an artificial intelligence (AI) assistant device, has reportedly been found to have a security flaw that exposes user data. The flaw was disclosed by Rabbitude, a community-formed reverse engineering project for the Rabbit R1. The team discovered "several critical hardcoded API keys" in the device's codebase, which could allow anyone to access all responses ever given by the device, including those containing users' personal information.
API keys could manipulate device functionality
The API keys discovered by Rabbitude could be used to disable the R1 devices, alter their responses, and even change the device's voice. These keys authenticate users' access to various services on the device, including ElevenLabs's text-to-speech service, Azure's speech-to-text system, and Google Maps for location lookups. According to a tweet from a Rabbitude member, Rabbit has been aware of this issue for a month but "did nothing to fix it."
Rabbit responds to allegations of data breach
In response to the allegations, Rabbit stated that it was only informed of an "alleged data breach" on June 25 and immediately began investigating. The company claimed that it is currently not aware of any customer data being leaked or any compromise to its systems. While promising to provide updates if it learns of any other relevant information, Rabbit did not comment on whether it revoked the keys that Rabbitude claimed to have found in its code.
Rabbit R1's functionality and user reviews
The Rabbit R1 is a standalone AI assistant gadget designed by Teenage Engineering. It is intended to assist users with tasks such as placing food delivery orders and quickly looking up information like the weather. Despite its intended functionality, the device has received low scores in reviews due to its often malfunctioning AI capabilities.