This is an archive article published on June 27, 2024

Rabbit R1 security flaw exposed sensitive user data to third parties: Report

A group of security researchers and developers called 'Rabbitude' has apparently gained access to Rabbit's API keys, allowing them to see every response the R1 has ever provided.

Rabbit R1 is a pocket-sized handheld device with AI-powered features. (Image Source: Rabbit)

Rabbit R1, the handheld device designed to serve as your AI-powered personal assistant, appears to have a serious security flaw that allows third parties to access information such as everything you have ever asked the device, and much more.

A group of researchers and developers who call themselves ‘Rabbitude’ claim that they discovered hardcoded API keys in the company’s codebase, which allowed them to access Rabbit’s accounts with third-party services like text-to-speech provider ElevenLabs. As it turns out, the security researchers were also able to access Rabbit Engineering’s SendGrid account, which it uses to send emails from the rabbit.tech domain.

Rabbitude says that it could use these API keys to access every response the Rabbit R1 has ever given, brick all R1s, alter responses and even replace the voice on all devices. The ElevenLabs API key can reportedly also be used to delete voices and crash the rabbitOS backend, rendering all R1 devices unusable.

The group also claims that Rabbit has been aware of the breach for over a month, but that the company did nothing to secure the information and patch the security vulnerabilities. Apart from ElevenLabs, the exposed keys were for Microsoft Azure, Yelp and Google Maps, which the Rabbit R1 uses for text-to-speech, restaurant recommendations and navigation.
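The root cause described above is credentials embedded directly in source code. The following is an added example, not code from Rabbit, Rabbitude or the report, showing the defensive side: a small scanner that flags hardcoded keys in source text (using commonly cited key-prefix patterns for SendGrid and Google keys, which are assumptions here, plus a generic "secret-looking assignment" rule), a redaction helper so findings can be logged without re-leaking the key, and the hardened alternative of loading secrets from the environment at runtime and failing closed when one is missing. The sample source it scans is constructed; none of the values are real keys.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Detection patterns. The SendGrid ("SG.<22>.<43>") and Google ("AIza<35>")
# shapes are the commonly used secret-scanner patterns and are assumptions
# here; the generic rule catches any long token assigned to a secret-like name.
PATTERNS = {
    "sendgrid_api_key": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "generic_secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([A-Za-z0-9_\-./+=]{16,})['\"]"
    ),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or log the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value to identify which key leaked."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]


def scan_source(source: str) -> List[Finding]:
    """Scan source text line by line and report every hardcoded-secret match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # The generic rule captures the value in group 2; the
                # prefix-based rules match the whole key as group 0.
                secret = match.group(2) if match.lastindex and match.lastindex >= 2 else match.group(0)
                findings.append(Finding(line_no, kind, redact(secret)))
    return findings


# Hardened pattern: read secrets from the environment (or a secret manager in
# production) at runtime instead of committing them to the codebase.
def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        # Fail closed: a missing credential is a deployment error, not a
        # reason to fall back to a baked-in default.
        raise RuntimeError(f"required secret {name} is not configured")
    return value


def missing_secrets(names: List[str], env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Startup check: list every required secret that is not configured."""
    source = os.environ if env is None else env
    return [n for n in names if not source.get(n)]


# Constructed sample source with fake keys of the right shape (not real keys).
CONSTRUCTED_SENDGRID = "SG." + "a" * 22 + "." + "b" * 43
CONSTRUCTED_GOOGLE = "AIza" + "x" * 35
SAMPLE_SOURCE = (
    "import requests\n"
    'ELEVENLABS_API_KEY = "el_live_0123456789abcdef0123456789abcdef"\n'
    f'SENDGRID_KEY = "{CONSTRUCTED_SENDGRID}"\n'
    f'MAPS_KEY = "{CONSTRUCTED_GOOGLE}"\n'
    'timeout = "30"\n'
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print("missing at startup:", missing_secrets(["ELEVENLABS_API_KEY", "SENDGRID_KEY"], {}))
```

Running the block reports three hardcoded keys on lines 2 to 4 of the constructed sample and leaves the harmless `timeout` assignment alone. A check like `missing_secrets` run at service start, together with a scanner like `scan_source` in pre-commit or CI, is the usual pair of controls: keys never enter the repository, and a deployment without them refuses to start rather than silently using a leaked default.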

According to a recent report by 404Media, the Rabbitude team confirmed their access to Rabbit’s system by sending them an email from the internal admin email address used by the Rabbit team and R1 devices.

A few days ago, Rabbit confirmed that they were investigating the issue and that the API keys had been rotated. The company also said it did not find “any compromise of our critical systems or of the safety of customer data” and will “provide updates as they become available.”

Since its launch earlier this year, most reviewers have called the Rabbit R1 a disappointment, citing latency, hallucinations and poor battery life. While the company has been rolling out updates to improve the device, the R1 still underperforms and
