Along with the new ability to completely delete local user data, the software update also addresses another surprising R1 behavior. Before the update, the stored pairing data that allows the R1 hardware to add things to the Rabbithole journal was also allowed to read the journal. This meant that a stolen and hacked R1 could have delivered users’ saved requests, photos, and more.
With the update, R1 pairing data can no longer read the journal and is no longer logged on the device, and Rabbit has reduced the amount of log data stored on the device. The company states that “there is no indication that the pairing data was abused to recover journal data belonging to a previous owner of the device.”
Rabbit’s security bulletin paints the problem as a relatively inconsequential risk, giving the example that a stolen, unlocked R1 could reveal to a bad actor the last weather record requested by the original owner. Security researchers discovered last month that a device jailbreak could also distribute hard-coded API keys. The company promises to improve security practices and “prevent similar issues in the future,” saying it is conducting a thorough review of device enrollment practices to ensure they are in line with its standards “established in other areas.”