Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Rabbit R1 jailbreakers uncover huge security flaws, including some that let internal data be viewed by literally anyone

Rabbit r1.

The Rabbit R1 has been found to contain multiple security vulnerabilities which not only could have allowed threat actors to read other people’s sensitive information, but also allowed them to send emails from the rabbit.tech subdomain.

Rabbitude, a community that formed around the unique AI assistant device, with the goal of reverse engineering the device, recently published two separate articles, outlining how in mid-May 2024, researchers gained access to the Rabbit codebase, where they found “several critical hardcoded API keys” in the code. 

These keys allow anyone to read every response every R1 has ever given, including ones containing personal information, brick all r1 devices, alter the responses of all devices, replace every R1’s voice, and more.

Revoking APIs

The hardcoded APIs were for ElevenLabs (for text-to-speech), Azure (for an old text-to-speech system), Yelp (for review lookups) and Google Maps (for location lookups).

Soon after being made aware of the mishap, the team behind Rabbit R1 revoked the four keys and said that there is no evidence of customer data being leaked, or company systems being compromised. One of the keys was revoked improperly, leading to a temporary outage in text-to-speech services. 

However, Rabbitude said it deliberately omitted finding a fifth hardcoded API, which allegedly “provides access to a complete history of emails sent on the r1.rabbit.tech subdomain.” This subdomain, the researchers claim, is primarily used for the R1’s spreadsheet-editing functions, which means it includes user information, too.

“It also allows us to send emails from rabbit.tech email addresses,” the researchers proclaimed. 

In a statement sent to Engadget, Rabbit said it was only made aware of an "alleged data breach" on June 25. 

"Our security team immediately began investigating it," the company continued. "As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details." 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.