Rabbit R1 potential security issue could expose user data



The news surrounding the Rabbit R1 has not been good since its launch. Between reports of poor functionality and the many features still pending, the AI-powered assistant has fallen short of expectations. Now a security issue in the Rabbit R1 code, hardcoded API keys, could expose user data.

If you are even a little familiar with the Rabbit R1, you may have heard of Rabbitude, a community project that reverse engineers the device and its software. The team publishes its findings from time to time, and the most recent one is worrying. According to the Rabbitude team, the Rabbit R1 code contains hardcoded API keys for the third-party services the device depends on, and with them an attacker can read all of the responses the device has given.

Hardcoded API keys in the Rabbit R1 code could “facilitate” a data breach

Because the device is a personal assistant, its responses often contain the user's personal information, so anyone holding these keys could pull that data out of the third-party service without ever touching the device. The keys also grant control, not just read access: according to the report, they can be used to alter the device's responses or change its voice, and even to brick the R1.

The Rabbitude team calls them “critical hardcoded API keys.” They authenticate the device to the services behind its core features: ElevenLabs and Azure for text-to-speech and speech-to-text, Yelp for reviews, and Google Maps for location-related requests. Rabbitude claims the Rabbit team was aware of the problem but did nothing to resolve it.
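The finding above is the textbook case of secrets shipped inside a client: once the key is in the firmware, anyone who extracts it has the same rights as the device. The check a practitioner wants is a scan of recovered source for exactly that pattern. The scanner below is an added example written for this article, not Rabbitude's tooling or any code from the R1; the sample source and every key value in it are constructed and are not real credentials. It flags a quoted value when its variable name looks like a credential, when it matches a known provider format (the Google API key prefix `AIza` followed by 35 URL-safe characters), or when its Shannon entropy is high enough to look like random key material.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample input: a fragment of client-side source of the kind a
# reverse-engineering effort might recover from a device. The key values are
# made up for this example; they are not real credentials and not from the R1.
SAMPLE_SOURCE = """
TTS_PROVIDER = "elevenlabs"
ELEVENLABS_API_KEY = "a3f9c1d2e4b6a7c8d9e0f1a2b3c4d5e6"
AZURE_SPEECH_REGION = "eastus"
AZURE_SPEECH_KEY = "7c2e9b4d1f8a3c6e5b0d2f4a9c1e8b7d"
MAPS_KEY = "AIzaSyD-ExampleExampleExampleExampleAbc"
DEBUG = True
LOG_LEVEL = "info"
"""

# Variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(key|secret|token|password|passwd)", re.IGNORECASE)

# Provider-specific formats. Google API keys are "AIza" plus 35 URL-safe chars;
# the other providers named in the article (ElevenLabs, Azure, Yelp) have no
# distinctive prefix, so they are caught by the name and entropy rules instead.
KNOWN_FORMATS = {
    "google_api_key": re.compile(r"^AIza[0-9A-Za-z_\-]{35}$"),
}

# A quoted string assigned to a bare identifier:  NAME = "value"  or  NAME: 'value'
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["']([^"']+)["']""")


@dataclass
class Finding:
    line: int
    name: str
    redacted: str
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex tops out at 4, base64 at 6."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without reprinting the secret."""
    return value[:4] + "..." + value[-2:]


def scan_source(text: str, min_len: int = 20, entropy_threshold: float = 3.0) -> list:
    """Return one Finding per quoted assignment that looks like an embedded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        reasons = []
        for fmt, pattern in KNOWN_FORMATS.items():
            if pattern.match(value):
                reasons.append(f"matches {fmt} format")
        # Short values are usually placeholders or enums, not key material.
        if len(value) >= min_len:
            if SECRET_NAME.search(name):
                reasons.append("secret-like variable name")
            ent = shannon_entropy(value)
            if ent >= entropy_threshold:
                reasons.append(f"high entropy ({ent:.2f} bits/char)")
        if reasons:
            findings.append(Finding(lineno, name, redact(value), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.name} = {f.redacted}  [{'; '.join(f.reasons)}]")
```

Run against the sample, the scanner reports the two hex service keys and the Google-format key and ignores the region, log level and boolean settings. The thresholds are assumptions for this example: `min_len=20` and 3.0 bits per character suit hex and base64 keys but should be tuned per codebase. Detection is only the first step; a key that sits inside the device can be extracted again after any rotation, so the durable fix is to keep the key on a backend the device authenticates to and let that backend call the third-party service.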

No user data has been exposed, Rabbit R1 team claims

Meanwhile, the Rabbit R1 team says it is not aware of any breach of user data. It is, however, investigating a related situation that occurred on June 25, and says it will provide updates as it learns more.

After Rabbitude's post, the company revoked the ElevenLabs keys, which temporarily broke functionality on Rabbit R1 devices. It has not said whether it also revoked the other API keys Rabbitude reported.
