The external company Obscurity Labs does a series of tests on the Rabbit r1 to try to assess its security... And it seems to have passed.
Not long ago we talked on the blog about the security problems that the Rabbit r1 had and how it worried us users—me included—to the point that to this day I still don't have any service connected.
What's more, until yesterday and the news I am sharing here, I was still determined not to link any account until it was strictly necessary, since my distrust had only grown.
All of that seems to have changed in a short time. Rabbit Inc. has finally gotten to work and commissioned a cybersecurity specialist—Obscurity Labs—to run a series of tests on the device meant to dispel any doubts.
The company in charge: Obscurity Labs
Obscurity Labs is a company specializing in innovative software solutions and engineering services, with a strong emphasis on development, cybersecurity and data science. Founded in 2018, the company works in both the public and private sectors, offering customized solutions for a wide range of engineering needs.
Among other things, they specialize in software development, such as creating tailored software solutions to improve operational efficiency and foster business growth.
In addition to data management and analysis, they are, naturally, cybersecurity specialists, performing penetration tests and developing security strategies to protect their clients' digital assets.
The origin of the Rabbit r1 security problem
As I mentioned, a few weeks ago a website appeared—rabbitu.de—which claimed to have had access to several key security points, even compromising the sending of emails from the official Rabbit account.
On its website, the company behind the AI gadget states that the problem arose from an employee, dismissed as of this writing. Allegedly this now former employee leaked Rabbit's keys to a "hacktivist" group.
After that, they decided to revoke all keys related to this leak and try to resolve any problems that may have arisen from it. By their own judgment everything seemed resolved, but they could not be sure.
It was at that moment that Rabbit Inc. decided to task an external company—Obscurity Labs—with reviewing and testing the security of the Rabbit r1.
The Rabbit R1 Penetration Test
As they say on their own website, Obscurity Labs performed a penetration test against Rabbit Inc.'s services and the R1 device, and their report covers the various findings, attack paths and the security measures in place.
The first thing we find on the website of the analysis carried out by Obscurity Labs is the following message:
And a second notice about it:
The first is the important one. They make it clear that the security tests were carried out by them and are fully independent, without intervention from Rabbit Inc. That inspires much more confidence, coming from a company like this.
According to what they say on their own website, the testing process consisted of 4 parts:
Act 0:
The Rabbit R1 aims to navigate the web intelligently, like a real person would (whether it does remains to be seen, but that's another topic), rather than running pre-established programs. This makes user authentication a special and unusual challenge.
On startup, the Rabbit R1 connects to a machine called the "Minion" via VNC (Virtual Network Computing). In short, it is the system through which you enter your credentials in order to use your device.
The VNC connection is unusual and could be vulnerable. However, as the tests show, Rabbit Inc. has segmented its services to minimize risk. The Minion only contains the code it needs to function and remains isolated from the rest of the network.
The Obscurity Labs team tested an attack and only found basic scripts, with no access to sensitive information. Rabbit Inc. uses a secure system to store session tokens, protecting data without directly saving your passwords.
Furthermore, they state that they attempted to reach sensitive data using more advanced access, but the security layers prevented it. They were also unable to access other users' sessions thanks to the system's isolation.
Test passed…
Act 1:
In this phase, they increased the difficulty of the attack. After escaping the isolated browser created by Playwright, they gained access to the shell of the Minion, which allows arbitrary code to be executed. However, this access reveals that the Minion is just an unprivileged pod, isolated from other workloads.
The team thoroughly investigated the pod, reviewing security configurations, possible vulnerabilities, and service account tokens. Although some access was obtained, the overall security of the system could not be compromised, nor could they move laterally within the Rabbit Inc. infrastructure.
Although this attack seems more serious than the previous one, it is harmless, since the Minion is well isolated and has no significant privileges. Rabbit Inc.'s system security remains robust, protecting the confidentiality, integrity and availability of its services.
Act 2:
One of the main goals was to get the RabbitOS Android Package (APK) off the R1 device and run it on alternative platforms like Android Studio. This would allow the code to be analyzed, possible vulnerabilities detected, and communications manipulated.
In the blog they say that the team managed to access the Android Debug Bridge (ADB) on the initial batch of units, where it was still enabled. Although this feature was disabled in later updates, they were able to extract and run the APK locally during testing.
They reviewed the disassembled code for sensitive information. The only significant finding was a read-only API key for Google Maps, which, although it ought to be loaded dynamically rather than embedded, does not pose a real security risk.
The team analyzed and manipulated the API logic that connects the Rabbit R1 to its services. Although they note that they were able to talk to the server's secure WebSockets from the command line, they only managed to send and receive legitimate commands, without gaining additional access or control.
This level of device access is interesting, but the risk is low. It provides no more control over communications than using a proxy. Although it may offer convenience by reducing the number of devices needed, its novelty will likely diminish as the specific capabilities of the Rabbit R1 hardware increase.
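The read-only Maps key above is exactly the kind of thing a pre-release scan of the decompiled APK catches. As an added example (not code from Obscurity Labs or Rabbit), this Python scan walks apktool/jadx output for Google API key patterns and for string literals assigned to credential-like names; the sample tree, its key and its token are constructed placeholders.

```python
import pathlib
import re
from dataclasses import dataclass

# Google API keys (Maps included) are "AIza" followed by 35 URL-safe characters.
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# Any string literal (16+ chars) assigned to a field whose name suggests a credential.
SECRET_ASSIGN = re.compile(
    r'(?i)(api[_-]?key|secret|token)\s*[:=]\s*["\']([^"\']{16,})["\']')
# File types worth scanning in a decompiled APK (apktool / jadx output).
SCAN_SUFFIXES = {".xml", ".smali", ".java", ".kt", ".json", ".properties"}

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str

def scan_files(files):
    """files: mapping of relative path -> text. Returns findings in path order."""
    findings = []
    for path in sorted(files):
        for n, line in enumerate(files[path].splitlines(), 1):
            for m in GOOGLE_API_KEY.finditer(line):
                findings.append(Finding(path, n, "google_api_key", m.group(0)))
            for m in SECRET_ASSIGN.finditer(line):
                if not GOOGLE_API_KEY.search(m.group(2)):  # already reported above
                    kind = "hardcoded_" + m.group(1).lower()
                    findings.append(Finding(path, n, kind, m.group(2)))
    return findings

def scan_tree(root):
    """Scan a decompiled APK directory on disk."""
    root = pathlib.Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in SCAN_SUFFIXES}
    return scan_files(files)

# Constructed sample of a decompiled tree; the key and token are fabricated placeholders.
SAMPLE_FILES = {
    "AndroidManifest.xml": (
        "<application>\n"
        '  <meta-data android:name="com.google.android.geo.API_KEY"\n'
        '             android:value="AIzaSyDCONSTRUCTEDEXAMPLE01234567890123"/>\n'
        "</application>\n"),
    "BuildConfig.java": 'public static final String WS_TOKEN = "constructed-token-0123456789";\n',
    "res/values/strings.xml": '<string name="app_name">rabbit</string>\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.value[:8]}...")  # redact when logging
```

Run `scan_tree("path/to/apktool-output")` against a real decompiled build to get the same list; anything it reports should be moved to a dynamic fetch or an API-restricted key before shipping.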
Act 3:
In this phase, the company used the information gathered about the Minions to investigate possible vulnerabilities in the Rabbit Inc. servers that use Playwright. For the Minion to work properly and allow cookie retrieval, the Chrome debugger port must be kept open.
Although they did not reach the LAM (Large Action Model) code through the Playwright leaks, they identified a possible avenue of attack. The LAM requests stored cookies from the secure secrets provider before interacting with services that require authentication. These cookies are loaded into the LAM's virtual browser.
They initially believed they could manipulate these cookies to alter the behavior of the LAM. However, the cookies only affect the virtual browser and not the LAM directly, which at most could cause confusion or block specific services.
When reviewing the LAM source code, they found that attack opportunities were limited and did not provide significant benefits. Tampering with cookies could cause minor problems, but it did not pose a serious threat.
They finally determined that this attack method, although interesting, does not allow hacking directly into Rabbit Inc. It could affect services used by Rabbit Inc., such as Uber Eats, but would require an exploit specific to that service.
The probability of success is very low and the direct risk to Rabbit Inc. is minimal. However, the risk could be higher for individual service providers, depending on their level of security.
Is the Rabbit r1 safe?
Well, according to what this audit has shown, it seems there are no problems like those that came to light a few weeks ago after the rabbitude crisis. What do you think?