Rabbit R1 security issue allegedly leaves sensitive user data accessible to anybody

But Rabbit said no customer data was leaked.

Photo by Devindra Hardawar/Engadget

The team behind Rabbitude, the community-formed reverse engineering project for the Rabbit R1, has revealed finding a security issue with the company's code that leaves users' sensitive information accessible to everyone. In an update posted on the Rabbitude website, the team said it gained access to the Rabbit codebase on May 16 and found "several critical hardcoded API keys." Those keys allow anybody to read every single response the R1 AI device has ever given, including those containing the users' personal information. They could also be used to brick R1 devices, alter R1's responses and replace the device's voice.

The API keys they found authenticate users' access to ElevenLabs' text-to-speech service, Azure's speech-to-text system, Yelp (for review lookups) and Google Maps (for location lookups) on the R1 AI device. In a tweet, one of Rabbitude's members said that the company has known about the issue for the past month and "did nothing to fix it." After they posted, they said Rabbit revoked Elevenlabs' API key, though the update broke R1 devices for a bit.

In a statement sent to Engadget, Rabbit said it was only made aware of an "alleged data breach" on June 25. "Our security team immediately began investigating it," the company continued. "As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details." It didn't say if it revoked the keys the Rabbitude team said it found in the company's code.

Rabbit's R1 is a standalone AI assistant device designed by Teenage Engineering. It's meant to help users accomplish certain tasks, like placing food delivery orders, as well as to quickly look up information like the weather. We gave it a pretty low score in our review, because we found that its AI functionality often didn't work. Further, users can simply use their phone instead of having to spend an extra $199 to buy the device.