A group of Rabbitude enthusiasts reverse-engineering the Rabbit R1 AI device has discovered a security issue in its code that could expose sensitive user information to the public.
Discovery of the Security Issue
Rabbitude enthusiasts reported that on May 16, they gained access to the Rabbit codebase, where they discovered “several critical hard-coded API keys.” Access to these keys allows anyone to read any response the R1 device has ever given, including those containing users’ personal information. The same access can also be used to block devices, change their responses, and alter their voice.
The API keys discovered by enthusiasts provide access to the ElevenLabs text-to-speech service, the Azure speech-to-text engine, the Yelp review search service, and the Google Maps mapping service. One Rabbitude contributor mentioned that the company has been aware of the problem since May and has “done nothing to fix it.” After the problem was made public, enthusiasts say, Rabbit revoked the ElevenLabs API key, which prevented R1 devices from working properly for some time.
Rabbit’s Response
Rabbit told Engadget that it only learned about the “suspected data breach” on June 25. “Our security department immediately began an investigation. At this time, we are not aware of any breach of customer data or any compromise of our systems. If we become aware of any other relevant information, we will update as soon as we have more details,” the company added. The manufacturer did not report revoking the API keys discovered by Rabbitude.
Overview of Rabbit R1
Rabbit R1 is an AI-based assistant device designed to help users with tasks such as ordering food, searching for information on the Internet, or requesting a weather forecast. After going on sale for $199, the gadget received low ratings in reviews because the functions promised by the manufacturer often did not work. Many reviewers noted that the device’s features mostly fit into one Android application, making the gadget unnecessary for smartphone users, adds NIX Solutions.
We’ll keep you updated as more information becomes available regarding the Rabbit R1 security issue and the company’s actions to address it.