Rabbit releases a statement explaining the steps to follow if you are going to sell or buy a second-hand Rabbit r1
Security flaws continue to haunt the Rabbit r1. After the Rabbitude announcement, in which they talked about the danger of linking accounts, the team has discovered a new problem that has put us on alert.
This issue concerns what happens if your device is stolen or lost, or if you are going to buy or sell a second-hand Rabbit r1. We need to know how to act so that third-party accounts cannot be accessed.
The official Rabbit announcement:
As you can see, they remind us of the need to restore factory settings, especially if you are going to sell your Rabbit r1 second-hand. It seems obvious, but until the time of publication the option had yet to be implemented.
Fortunately, they refer us to a blog on the website itself, Rabbit.tech, in which they give us a series of instructions to factory reset the Rabbit r1.
Instructions to factory reset the Rabbit r1
The security entry of July 11, 2024 explains the following situation. To begin with, until then there was no option to factory reset the Rabbit r1, which was necessary from the beginning.
On the other hand, there is the danger that a person who was not the original owner would buy the Rabbit r1 second-hand. They also talk about loss or theft of the gadget. All of these scenarios would lead to a critical security breach.
In any of these cases, the new owner could end up jailbreaking or unlocking the device, gaining access to the original user's private accounts, with all that this entails. What a danger…
An example of how it worked until now:
- I received my r1 and started using it on June 1st.
- The pairing data was recorded on my device.
- This pairing data is used to write data to my Rabbithole journal and trigger actions like “play music” or “order food.”
- This pairing data could be used to read data from my Rabbithole journal.
- I asked my r1: “How is the weather in San Francisco?”
- The response, “It's 74 degrees and sunny in San Francisco,” registered on my device.
- I sold my r1 to someone else on June 3rd.
- This person could potentially jailbreak the r1 and recover the log files containing “It's 74 degrees and sunny in San Francisco” and the pairing data.
As of July 11, we have made the following changes:
- Pairing data can no longer be used to read from Rabbithole. They can only activate actions.
- Pairing data is no longer recorded on the device.
- We have reduced the amount of log data that is stored on the device.
- The Factory Reset option is now available through the settings menu. Customers should use this option to delete ALL data from their R1 before transferring ownership.
Rabbit's containment measures in this case
As mentioned in the entry, the security team is not aware of any users abusing this issue. Regardless, according to what they say, they thought it appropriate for us users to know.
Furthermore, as the entry shows, a review of the thousands of interactions is being carried out to locate cases of misuse of this vulnerability, although at the moment there is no more news than what has already been mentioned.
So remember: if you are going to sell the Rabbit r1 second-hand, you have lost it, or it has been stolen, make sure to do a factory reset to avoid bigger problems.