Rabbit R1 security issue allegedly leaves sensitive user data accessible to anyone


The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed that it found a security issue in the company’s code that leaves users’ sensitive information accessible to everyone. In an update posted on the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found “a number of important hardcoded API keys.” These keys allow anyone to read every single response the R1 AI device has ever given, including those containing users’ personal information. They could also be used to brick R1 devices, alter the R1’s responses and replace the device’s voice.

The API keys they found authenticate users’ access to ElevenLabs’ text-to-speech service, Azure’s speech-to-text system, Yelp (for review lookups) and Google Maps (for location lookups) on the R1 AI device. In a tweet, one of Rabbitude’s members said that the company has known about the issue for the past month and “did nothing to repair it.” After they posted, they said, Rabbit revoked the ElevenLabs API key, though the update broke R1 devices for a bit.

In a statement sent to Engadget, Rabbit said it was only made aware of an “alleged data breach” on June 25. “Our security team immediately began investigating it,” the company continued. “As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details.” It did not say whether it revoked the keys the Rabbitude team said it found in the company’s code.

Rabbit’s R1 is a standalone AI assistant device designed by Teenage Engineering. It is meant to help users accomplish certain tasks, like placing food delivery orders, as well as to quickly look up information like the weather. We gave it a fairly low score in our review, because we found that its AI functionality typically did not work. Further, users can simply use their phone instead of having to spend an extra $199 to buy the device.