Home > Tech

Rabbit R1 has a major security flaw in its code

It just went from bad to worse for the AI gadget.
By Cecily Mauran  on 
Share on Facebook Share on Twitter Share on Flipboard
woman's hands holding up the Rabbit R1 gadget
So, the Rabbit R1 isn't very good and doesn't protect your privacy? Credit: Mashable

"All [Rabbit] R1 responses ever given can be downloaded," according to an R1 research group called Rabbitude.

Rabbit and its R1 AI device has already been dunked on for being nothing more than an Android app wrapped up in a hardware gadget, but something much more alarming is afoot.

SEE ALSO: I tested Rabbit R1 vs. Meta AI: The winning AI assistant will surprise you

The report (via The Verge) said Rabbitude gained access to the codebase and discovered API keys were hardwired into its code. That means anyone with these keys could "read every response every r1 has ever given, including ones containing personal information, brick all r1s, alter the responses of all r1s [and] replace every r1’s voice." The investigation discovered that these API keys are what provided access to ElevenLabs and Azure for text-to-speech generation, Yelp for reviews, and Google Maps for location data.

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

What's worse, Rabbitude said it identified the security flaw on May 16 and that Rabbit was aware of the issue. But "the API keys continue to be valid as of writing," on June 25. Continued access to the API keys means bad actors could potentially access sensitive data, crash the entire rabbitOS system, and add custom text.

The following day (June 26) Rabbit issued a statement on its Discord server saying that the four API keys Rabbitude identified have been revoked. "As of right now, we are not aware of any customer data being leaked or any compromise to our systems," said the company.

But the plot thickens. Rabbitude also found a fifth API key that was hardwired in the code, but not publicly disclosed in its investigation. This one is called sendgrid, which provides access to all emails to the r1.rabbit.tech subdomain. At the time Rabbitude published its follow-up report, the sendgrid API key was still active. Access to this API key meant Rabbitude could access additional user information within the R1's spreadsheet functions and even send emails from rabbit.tech email addresses.

If you were already skeptical of the R1's half-baked capabilities that Mashable Tech Editor Kimberly Gedeon blamed on "rushed innovation, disillusionment, and impetuousness" in her review, this might be your sign that Rabbit is at best, not worth the money, and at worst, incapable of keeping your data private.

Topics Artificial Intelligence Privacy

Mashable Image
Cecily Mauran

Cecily is a tech reporter at Mashable who covers AI, Apple, and emerging tech trends. Before getting her master's degree at Columbia Journalism School, she spent several years working with startups and social impact businesses for Unreasonable Group and B Lab. Before that, she co-founded a startup consulting business for emerging entrepreneurial hubs in South America, Europe, and Asia. You can find her on Twitter at @cecily_mauran.

Recommended For You
The 5 best laptops under $500 that are actually worth buying
By Dylan Haas , Timothy Beck Werth , and Callum Bains
Lenovo Gaming Chromebook 16 sitting on a table with an Xbox controller
Here's how Google thinks AI should be regulated
By Cecily Mauran
A view of Google Headquarters in Mountain View, California
The 5 most overrated tech products of 2024 (so far)
By Kimberly Gedeon
Rabbit R1 and Humane Ai Pin in split-screen configuration
WhatsApp is working on a personalized AI image generator
By Meera Navlakha
A graphic of phone screens with the WhatsApp logo in the middle.
Windows 11 Notepad gets spellcheck, autocorrect 41 years later
By Alex Perry
Microsoft Windows 11 laptop with notepad on keyboard
Trending on Mashable
NYT Connections today: See hints and answers for July 11
By Mashable Team
A phone displaying the New York Times game 'Connections.'
'Wordle' today: Here's the answer hints for July 11
By Mashable Team
a phone displaying Wordle
'House of the Dragon' Season 2, episode 4: Pay attention to the dogs at Harrenhal
By Shannon Connellan
Matt Smith in "House of the Dragon."
Webb telescope may have just revealed an alien world with air
By Elisha Sauers
A super-Earth orbiting a red dwarf star
'The Acolyte' keeps referencing 'The Last Jedi' — here's why
By Chris Taylor
The Stranger on the unknown planet.
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!