A critical security vulnerability has been discovered in the Rabbit R1 virtual assistant. According to reports, the company Rabbit has stored several important API keys directly in the source code of the device, potentially making user data accessible to hackers.
The vulnerability was discovered by a group of community researchers called Rabbitude. They claim to have gained access to the source code of the R1 and found critical keys there. Among other things, these keys make it possible to read all previous R1 responses, including personal information, and to manipulate the responses and voices of all R1 devices.
API keys for various services are affected, including ElevenLabs (text-to-speech), Azure, Google Maps, Yelp and the email provider SendGrid. Access to the ElevenLabs text-to-speech tool is particularly critical, as it allows the history of all text-to-speech messages to be viewed and manipulated.
According to Rabbitude, Rabbit was informed about the vulnerability back in May, but did not take any action initially. The company explains that it learned of the problem on June 25 and responded immediately. The affected API keys were rotated, which led to a brief downtime of the devices.
Rabbit emphasizes that, as far as is known, no customer data has been compromised. The company is still investigating the incident.
Experts point out that API keys should never be embedded directly in source code: the keys are themselves sensitive credentials, and anyone who obtains the code can use them to access the services behind them.
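The practical defence behind that criticism is twofold: detect secrets that have crept into source trees before they ship, and load credentials from the runtime environment rather than from string literals. The following Python script is an added example, not code from Rabbit, Rabbitude or any of the affected services; the pattern it scans for (credential-like variable names assigned long, high-entropy string literals, the same heuristic used by common secret scanners) and the sample file it scans are constructed for illustration, and every value in that sample is a placeholder, not a real key.

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# Heuristic: a name containing key/secret/token/password, assigned (via = or :)
# a quoted literal of at least 16 characters. Catches both code and JSON/YAML.
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)"""
    r"""["']?\s*[=:]\s*["'](?P<value>[^"']{16,})["']""",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random API keys score high, filler scores ~0."""
    if not s:
        return 0.0
    counts = Counter(s)
    length = len(s)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    name: str
    value_preview: str  # never echo the full candidate secret into logs or reports
    entropy: float


def scan_source(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Return credential-like literals in `text` whose entropy exceeds the threshold."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT_RE.search(line)
        if not match:
            continue
        value = match.group("value")
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue  # low-entropy literal, e.g. "aaaaaaaa..." or a descriptive string
        findings.append(
            Finding(line_no, match.group("name"), value[:4] + "..." + value[-2:], round(entropy, 2))
        )
    return findings


def load_secret(name: str, env=None) -> str:
    """The remediation side: secrets come from the environment (or a secret manager), never from code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


# Constructed sample file. Every value is a placeholder; none is a real credential.
SAMPLE_SOURCE = (
    "# constructed sample file, all values are placeholders\n"
    'TTS_API_KEY = "xk7Qp2mVb9Lr4ZsT1wNe8Hc0Ja6YfDu3"\n'      # hardcoded: should be flagged
    'MAPS_API_KEY = os.environ["MAPS_API_KEY"]\n'             # read from environment: fine
    'PLACEHOLDER_SECRET = "aaaaaaaaaaaaaaaaaaaa"\n'           # long but low entropy: ignored
    'debug_label = "this is not a credential at all"\n'      # name is not credential-like
    '  "tts_token": "Q3mZ8rLp1VxT6bWn0KyH4eJd",\n'            # JSON-style hardcoded token: flagged
)


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: {finding.name} = {finding.value_preview} "
              f"(entropy {finding.entropy})")
```

Run against a real tree, this belongs in a pre-commit hook or CI step so a credential is caught before it reaches a release build; the entropy threshold and name list are tuning knobs and will produce some false positives, which is the acceptable direction of error here. Note that the `Finding` deliberately stores only a preview of the value, so the scanner's own output does not become another place where the secret is written down.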
This incident is one of a series of problems that have arisen since the Rabbit R1 was launched at the end of April, including a lack of basic functions and the fact that the device’s entire user interface is based on a single Android app.