Rabbit R1 security issue allegedly leaves sensitive user data accessible to anybody

The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed finding a security issue with the company's code that leaves users' sensitive information accessible to everyone. In an update posted on the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found "several critical hardcoded API keys." Those keys allow anybody to read every single response the R1 AI device has ever given, including those containing the users' personal information. They could also be used to brick R1 devices, alter R1's responses and replace the device's voice.  The API keys they found authenticate users' access to ElevenLabs' text-to-speech service, Azure's speech-to-text system, Yelp (for review lookups) and Google Maps (for location lookups) on the R1 AI device. In a tweet, one of Rabbitude's members said that the company has known about the issue for the past month and "did nothing to fix it." After they posted, they said Rabbit revoked Elevenlabs' API key, though the update broke R1 devices for a bit.  In a statement sent to Engadget, Rabbit said it was only made aware of an "alleged data breach" on June 25. "Our security team immediately began investigating it," the company continued. "As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details." It didn't say if it revoked the keys the Rabbitude team said it found in the company's code.  Rabbit's R1 is a standalone AI assistant device designed by Teenage Engineering. It's meant to help users accomplish certain tasks, like placing food delivery orders, as well as to quickly look up information like the weather. We gave it a pretty low score in our review, because we found that its AI functionality often didn't work. Further, users can simply use their phone instead of having to spend an extra $199 to buy the device.This article originally appeared on Engadget at https://www.engadget.com/rabbit-r1-security-issue-allegedly-leaves-sensitive-user-data-accessible-to-anybody-120024215.html?src=rss

Jun 26, 2024 - 18:30
 0
Rabbit R1 security issue allegedly leaves sensitive user data accessible to anybody

The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed finding a security issue with the company's code that leaves users' sensitive information accessible to everyone. In an update posted on the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found "several critical hardcoded API keys." Those keys allow anybody to read every single response the R1 AI device has ever given, including those containing the users' personal information. They could also be used to brick R1 devices, alter R1's responses and replace the device's voice. 

The API keys they found authenticate users' access to ElevenLabs' text-to-speech service, Azure's speech-to-text system, Yelp (for review lookups) and Google Maps (for location lookups) on the R1 AI device. In a tweet, one of Rabbitude's members said that the company has known about the issue for the past month and "did nothing to fix it." After they posted, they said Rabbit revoked Elevenlabs' API key, though the update broke R1 devices for a bit. 

In a statement sent to Engadget, Rabbit said it was only made aware of an "alleged data breach" on June 25. "Our security team immediately began investigating it," the company continued. "As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details." It didn't say if it revoked the keys the Rabbitude team said it found in the company's code. 

Rabbit's R1 is a standalone AI assistant device designed by Teenage Engineering. It's meant to help users accomplish certain tasks, like placing food delivery orders, as well as to quickly look up information like the weather. We gave it a pretty low score in our review, because we found that its AI functionality often didn't work. Further, users can simply use their phone instead of having to spend an extra $199 to buy the device.This article originally appeared on Engadget at https://www.engadget.com/rabbit-r1-security-issue-allegedly-leaves-sensitive-user-data-accessible-to-anybody-120024215.html?src=rss

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow

Viral News Code whisperer by profession, narrative alchemist by passion. With 6 years of tech expertise under my belt, I bring a unique blend of logic and imagination to ViralNews360. Expect everything from tech explainers that melt your brain (but not your circuits) to heartwarming tales that tug at your heartstrings. Come on in, the virtual coffee's always brewing!