UPDATE (June 28, 2024): The company reached out to clear things up regarding this issue and provide us with more data. Rabbit emphasizes that this is an active investigation at the moment, so not all details are available yet. However, the company says that its security team rotated the keys to specific APIs, which caused brief downtime on the device. That includes the SendGrid API, by the way.
In addition, Rabbit says that it was made aware of the potential issue on June 25 and “acted immediately to begin investigating and correcting the issue”. The company also says that it has a Security page that will be updated as more information becomes available.
ORIGINAL ARTICLE: The news surrounding the Rabbit R1 has not been the best since its launch. From reports of poor functionality to the many features still pending, the AI-powered assistant has fallen short of expectations. Now, it appears that a security issue in the Rabbit R1 code could lead to a potential data breach.
If you’re even a little familiar with the Rabbit R1, the name “Rabbitude” may be familiar to you. Rabbitude is a community project to reverse engineer the device and its software. The team publishes its findings from time to time, and the most recent one is a bit worrying. According to the Rabbitude team, the Rabbit R1 code includes hardcoded API keys that offer access to all the responses given by the device.
Some API keys in the Rabbit R1 code would “facilitate” a potential data breach
Because the device is a personal assistant, its responses often include the user’s personal information. So, the Rabbitude team’s discovery suggests that these keys could expose user data to an attacker. Additionally, the keys grant access to options that control the device. According to the report, they can be used to alter the device’s responses or change its voice, and they would even allow bricking the R1.
The Rabbitude team refers to them as “critical hardcoded API keys.” The keys were primarily used for text-to-speech and speech-to-text functions powered by ElevenLabs and Azure, and for access to Yelp reviews and Google Maps for location-related requests. The team claims that Rabbit was aware of the problem but did nothing to resolve it.
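The underlying defect is credentials for third-party services (ElevenLabs, Azure, Yelp, Google Maps, SendGrid) embedded as string literals in the device’s code. The script below is an added example, not code from Rabbitude or from Rabbit: it runs a simple secret scan over a constructed source snippet and shows the hardened alternative of loading each credential from the environment at runtime. The SendGrid (`SG.`) and Google API (`AIza`) prefixes are the services’ publicly documented key formats; every key value in the sample is constructed and not a real credential, and the variable names are hypothetical.

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Constructed sample of a source file with credentials committed directly into it.
# None of these values are real keys: the SendGrid and Google values only follow
# the documented shape of those key formats, and the ElevenLabs/Azure values are
# made-up high-entropy hex strings. Variable names are hypothetical.
SAMPLE_SOURCE = "\n".join([
    'ELEVENLABS_API_KEY = "c7f3a9e1b2d4486f9e0a1b3c5d7e9f02"',
    'AZURE_SPEECH_KEY = "4f8e2c1a9b7d4e6f8a0c2e4b6d8f0a1c"',
    'SENDGRID_API_KEY = "SG.constructedEXAMPLEonly.' + "0" * 43 + '"',
    'GOOGLE_MAPS_KEY = "AIza' + "0" * 35 + '"',
    'LOG_LEVEL = "debug"',
    'YELP_ENDPOINT = "https://api.yelp.com/v3/businesses/search"',
])

# A plain NAME = "literal" assignment, the shape a hardcoded key usually takes.
KEY_ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
# Variable names that suggest the literal is a credential.
SENSITIVE_NAME = re.compile(r"(key|secret|token|password)", re.IGNORECASE)
# Documented key formats that can be matched regardless of the variable name.
KNOWN_FORMATS = {
    "sendgrid": re.compile(r"^SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}$"),
    "google-api": re.compile(r"^AIza[0-9A-Za-z_-]{35}$"),
}


@dataclass
class Finding:
    line_no: int
    name: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and URLs score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, entropy_threshold: float = 3.0, min_len: int = 16) -> List[Finding]:
    """Flag string literals that look like embedded credentials."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEY_ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        for label, pattern in KNOWN_FORMATS.items():
            if pattern.match(value):
                findings.append(Finding(line_no, name, f"matches {label} key format"))
                break
        else:
            # No known format: rely on a credential-like name plus a random-looking value.
            if SENSITIVE_NAME.search(name) and len(value) >= min_len:
                bits = shannon_entropy(value)
                if bits >= entropy_threshold:
                    findings.append(Finding(line_no, name, f"high-entropy literal ({bits:.2f} bits/char)"))
    return findings


def load_key(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: read the credential at runtime instead of shipping it in code.

    Fails loudly when the value is absent so a misconfigured build is caught early
    rather than silently falling back to an embedded default.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise KeyError(f"{name} is not set; provision it via the environment or a secrets manager")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name}: {f.reason}")
```

Running the scan on the sample reports the four credential assignments and leaves the log level and the Yelp endpoint URL alone. The scanner is deliberately narrow (one assignment shape, two documented formats, a simple entropy gate) so that its decisions are easy to audit; in a real pipeline it would run over every file in the build, and any hit blocks the build until the value is moved to an environment variable or secrets manager and read through something like `load_key`. Rotating a key after it has shipped in firmware, as Rabbit did here, is the recovery step; keeping it out of the code in the first place is the prevention.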
No user data has been exposed, Rabbit R1 team claims
Meanwhile, the Rabbit R1 team says it is unaware of any breach of user data. However, it is investigating a related situation that occurred on June 25, and the company says it will offer updates on this as it finds more information.
After the Rabbitude team’s post, the company revoked the ElevenLabs keys, which affected the functionality of Rabbit R1 devices for a time. However, it did not reveal whether it also revoked the other API keys reported by Rabbitude.