
Rabbit R1 security issue reportedly leaves sensitive user data accessible to anyone



The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed that it found a security issue in the company’s code that leaves users’ confidential information accessible to everyone. In an update posted to the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found “several critical hard-coded API keys.” These keys allow anyone to read every response the R1 AI device has ever given, including those that contain users’ personal information. They could also be used to lock R1 devices, change R1 responses, and replace the device’s voice.

The API keys found authenticate access to ElevenLabs’ text-to-speech service, Azure’s speech-to-text system, Yelp (for review searches), and Google Maps (for location searches) on the R1 AI device. In a tweet, one of Rabbitude’s members said that the company knew about the problem last month and “did nothing to fix it.” After they posted it, they said, Rabbit revoked the ElevenLabs API key, although the update broke R1 devices a bit.

In a statement sent to Engadget, Rabbit said it only became aware of an “alleged data breach” on June 25. “Our security team immediately began investigating it,” the company continued. “At this time, we are not aware of any leaks of customer data or any compromise of our systems. If we become aware of any other relevant information, we will provide an update as soon as we have more details.” It was not known whether Rabbit had revoked the keys that the Rabbitude team said they found in the company’s code.

Rabbit’s R1 is an autonomous AI assistant device designed by Teenage Engineering. The goal is to help users perform certain tasks, such as ordering food delivery, as well as quickly checking information such as the weather. We gave it a pretty low score in our analysis, because we found that its AI functionality often didn’t work. Additionally, users can simply use their phone instead of spending an extra $199 to purchase the device.


