A team of researchers sends an email from the administrator account, demonstrating the security flaws of the Rabbit r1
According to the portal 404media.co, a group known as "Rabbitude" has been able to send an email from the official email account of Rabbit Inc.'s administrators, disclosing a very serious security breach.
This group of hackers has been dedicated, since the device's release, to jailbreaking the r1. According to their own website, they state the following:
"Rabbitude is the overall reverse engineering project for the r1. We rolled back, hacked, and experimented with r1 and reported our findings publicly. Rabbitude is built by the community along with some core members. Overall, it improves the experience of the r1."
Its goal is to unravel the Rabbit r1 to its depths so that users can modify the operating system, use base applications that are not allowed, and collaborate with other researchers by developing shared editorial resources.
Rabbit r1 security and API Keys
According to the research, Rabbit may have exposed several critical API keys hardcoded in its code. This security flaw would have allowed viewing and downloading "all r1 answers ever given".
Among these flaws, Rabbitude members were able to send emails from Rabbit's own domains. This would represent a security flaw in the Rabbit r1 never seen before. We will see proof of this later.
It seems that one of the main problems was the ElevenLabs API key, the text and voice artificial intelligence service that the Rabbit r1 uses on its device, which seems to have been compromised a few days ago by this group.
However, on June 26, 2024, Rabbitude published an article explaining the situation in more detail.
As they have stated, on May 16, 2024, the Rabbitude team gained access to the Rabbit codebase and found several critical API keys hardcoded in its code.
These keys would allow anyone to read every answer each r1 has ever given, including those containing personal information, disable all r1 devices, alter the responses of the devices and even replace the gadget's time.
The compromised APIs are the following:
- ElevenLabs (for text to speech conversion)
- Azure (for an older voice-to-text system)
- Yelp (for review searches)
- Google Maps (for location searches)
It seems that the key that granted the most permissions was that of ElevenLabs, which among other things allowed one to get a history of all previous text-to-speech messages, add custom text replacements, or remove voices, thus rendering all r1 devices unusable.
As you can see, the possession of this capability by individuals outside the company constitutes a highly serious security flaw in the Rabbit r1, with potentially very undesirable consequences.
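The root defect described above is live provider keys sitting as string literals in shipped code. As an added illustration (not Rabbitude's or Rabbit's tooling), the small scanner below flags string literals assigned to credential-looking names, using entropy to skip placeholders and environment lookups; the sample source and every key value in it are constructed and do not correspond to any real key.

```python
import math
import re

# A quoted literal of 16+ characters assigned to a name containing KEY, SECRET or TOKEN.
_ASSIGN = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN)[A-Za-z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{16,})["\']',
    re.IGNORECASE,
)
# Literals that are obviously placeholders rather than live credentials.
_PLACEHOLDER = re.compile(r'^(?:\$\{|<|xxx|your_|changeme)', re.IGNORECASE)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above prose."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_entropy=3.5):
    """Return (line_no, name, value) for literals that look like live hardcoded keys.

    Environment lookups never match because the regex requires a quoted literal
    directly after the assignment; placeholders are filtered by _PLACEHOLDER;
    low-entropy strings (repeated or dictionary-like) fall below min_entropy.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.search(line)
        if not m:
            continue
        value = m.group("value")
        if _PLACEHOLDER.match(value):
            continue
        if shannon_entropy(value) >= min_entropy:
            findings.append((line_no, m.group("name"), value))
    return findings


# Constructed sample modelled on the kind of client config the article describes:
# provider keys embedded in source. All values are made up.
SAMPLE = '''
ELEVENLABS_API_KEY = "c9d3f0a7b1e24f6a8d5c7e2b9a1f4d63"
AZURE_SPEECH_KEY = os.environ["AZURE_SPEECH_KEY"]
YELP_API_KEY = "<your_yelp_key_here>"
GOOGLE_MAPS_KEY = "AIzaSyD-EXAMPLE-7Qh3kLmN9pRsTuVwXyZ0123456"
'''
```

Finding a key this way is only half the fix; the other half, as the ElevenLabs case shows, is issuing keys scoped to the single capability the device needs and rotating them when they leak.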
Rabbit's response to this event
According to what they say on their website, Rabbitude confirms that Rabbit Inc. is aware of the situation and of the API key leak, but, according to them, has decided to ignore it. The API keys were still valid as of June 26, 2024.
The group of researchers believes it is important that consumers be aware of Rabbit's security flaws, as they can have devastating consequences for r1 users.
For Rabbit's part, there seems to be a statement in which they deny what Rabbitude said and claim that:
"Today we learned of an alleged data leak. Our security team began investigating it immediately. Until now, we are not aware of any breach of customer data or any compromise of our systems. If we learn of any other relevant information, we will provide an update once we have more details."
So at this moment we are not sure who to believe.
Emails sent from Rabbit accounts
Rabbit's solution to security flaws
After all, it seems that Rabbit has set out to fix the problems with the compromised API keys, but according to some X.com users, they have ended up breaking some systems while trying to do so.
Let's hope that everything becomes clear soon and they manage to fix the errors, since a vulnerability this important could destroy the entire project.