Rabbit R1 Security Vulnerability Exposed By A Team Of Developers That Could Potentially Lead To Major Data Breach

Jun 27, 2024 at 03:30pm EDT

Rabbit R1 came out in April, and since its official launch the device has drawn mostly controversy and criticism for exaggerated claims about its standalone functionality. The Rabbit R1 was also questioned for shipping as a dedicated device when it could have been released as an application. The gadget is reported to run on an AOSP build of Android, and it fails to deliver the promised command-to-action capability, apparently because it was released earlier than it should have been. Now a new issue has emerged in the R1's codebase that poses a serious security threat.

A community of Rabbit R1 developers has pointed out serious security vulnerabilities in the R1's codebase

Rabbitude, an independent developer community focused on the Rabbit R1, reported that it had gained access to the rabbit codebase and found hard-coded API keys in it. The keys are a serious threat to users: anyone holding them can potentially read every response the R1 has ever given, alter those responses, and even replace the R1's voice.

</grgr_replace>
<gr_replace lines="14" cat="clarify" orig="The user's requests">
User requests are supposed to be sent securely to Rabbit's cloud-based processing system, which the company calls the rabbit hole, without compromising customer data privacy. The credentials that system uses for third-party services should never have been embedded directly in the source code: any third party who obtains the keys can use them to reach sensitive and private information, and bad actors can exploit them directly.

The user's requests were supposed to be sent securely, and the cloud-based processing system called the rabbit hole was not supposed to compromise customer data privacy and be embedded directly in the source code. The API keys can be used by any third party to gain access to sensitive and private information, and bad actors can exploit these security vulnerabilities.

The keys belong to several services the R1 relies on, which is why some of the R1's responses could expose key data: Azure, Yelp, Google Maps, and others. The Eleven Labs key posed the greatest threat. With it, the Rabbitude team could gain complete access to the message history, change or modify the voices, or even crash rabbitOS entirely by simply deleting voices.
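The practical lesson of the Rabbitude finding is that credentials for third-party services must never sit as literals in a source tree, and that a repository should be scanned for them before it ships. The script below is an added example and is not Rabbit's, Rabbitude's, or any of the named services' own code: it flags hard-coded keys by known format (the public SendGrid and Google API key shapes, as assumed here) and, for services with no distinctive prefix such as a text-to-speech key, by a secret-looking variable name assigned a high-entropy literal. It then redacts what it found and shows the hardened alternative of loading a secret from the environment. The sample file it scans is constructed for the example; every key in it is made up to match the patterns and belongs to nobody.

```python
import math
import os
import re

# Added example, not Rabbit's or Rabbitude's code. The patterns approximate the
# public key formats of two services the article names; none of the values
# used below is a real key.
KEY_PATTERNS = {
    # SendGrid keys: "SG." + 22 chars + "." + 43 chars
    "sendgrid": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    # Google API keys (Maps and others): "AIza" + 35 chars
    "google_api": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}

# Fallback for services without a distinctive prefix (e.g. a 32-hex-char
# text-to-speech key): a secret-looking name assigned a long string literal.
GENERIC_SECRET = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([A-Za-z0-9_\-./+=]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, filler like '0000' scores 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, value) for each hard-coded credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(0)))
                hit = True
        if hit:
            continue  # do not double-report a key the format check already caught
        for m in GENERIC_SECRET.finditer(line):
            value = m.group(2)
            # Entropy filter drops placeholder values that merely have a secret-like name.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "generic_high_entropy", value))
    return findings


def redact(text: str) -> str:
    """Replace every detected secret so the file can be shared or logged safely."""
    for _, kind, value in scan_source(text):
        text = text.replace(value, f"<REDACTED:{kind}>")
    return text


def load_secret(name: str) -> str:
    """Hardened pattern: the secret comes from the environment (populated by a
    secret manager or the deploy pipeline), never from a literal in the source."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not set; provide it via the environment")
    return value


# Constructed sample standing in for the kind of source file Rabbitude describes.
# Every value is invented to match the format patterns above.
SAMPLE_SOURCE = "\n".join([
    "# constructed sample, not from any real project",
    'SENDGRID_KEY = "SG.' + "A" * 22 + "." + "B" * 43 + '"',
    'MAPS_KEY = "AIzaSyA' + "0" * 32 + '"',
    'TTS_API_KEY = "c8f1e2d3a4b5c6d7e8f90a1b2c3d4e5f"',
    'BUILD_TOKEN = "0000000000000000"',  # secret-like name, placeholder value
    'LOG_LEVEL = "debug"',
])

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value[:8]}...")
    print(redact(SAMPLE_SOURCE))
```

Run against the constructed sample, the scanner reports the SendGrid key on line 2, the Google key on line 3 and the text-to-speech key on line 4, while the all-zero BUILD_TOKEN on line 5 is ignored because its entropy is zero. A real pre-commit or CI check would add the other services' formats and a wordlist for weak literal passwords, but the structure is the same: format match first, entropy fallback second, and a hard failure if anything is found.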

The researchers say Rabbit had known about the issue since May and did not act on it, despite being fully aware of the potential for a data breach. Rabbit flatly denied to Engadget that there was any current issue with the system and said it had only just heard about the problem. The company said:

"As of right now, we are not aware of any customer data being leaked or any compromise to our systems."

Even while claiming that no harm had been done, Rabbit revoked four of the keys, which temporarily broke the service. The developers did not stop there in making users aware of how the R1 could be exploited. They told 404Media that they also had the SendGrid API key, which let them send email from a Rabbit-controlled domain; to demonstrate the impact, they emailed the publication from a Rabbit address while posing as an administrator.

The Rabbit R1 seems to have drawn only controversy, criticism and now a security vulnerability, which leaves us asking whether the gadget's functionality is worth the baggage it carries.
