The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed that it found a security issue with the company’s code that leaves users’ sensitive information accessible to everyone. In an update posted on the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found “several critical hardcoded API keys.” These keys allow anyone to read every single response the R1 AI device has ever given, including those containing the users’ personal information. They could also be used to brick R1 devices, alter R1’s responses and replace the device’s voice.
The API keys they found authenticate users’ access to ElevenLabs’ text-to-speech service, Azure’s speech-to-text system, Yelp (for review lookups) and Google Maps (for location lookups) on the R1 AI device. In a tweet, one of Rabbitude’s members said that the company has known about the issue for the past month and “did nothing to fix it.” After they posted, they said Rabbit revoked ElevenLabs’ API key, though the update broke R1 devices for a bit.
In a statement sent to Engadget, Rabbit said it was only made aware of an “alleged data breach” on June 25. “Our security team immediately began investigating it,” the company continued. “As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details.” It did not say if it revoked the keys the Rabbitude team said it found in the company’s code.
Rabbit’s R1 is a standalone AI assistant device designed by Teenage Engineering. It is meant to help users accomplish certain tasks, like placing food delivery orders, as well as to quickly look up information like the weather. We gave it a fairly low score in our review, because we found that its AI functionality typically did not work. Further, users can simply use their phone instead of having to spend an extra $199 to buy the device.