AI gadget Rabbit R1 saved correspondence with users without the ability to delete it

The electronic assistant with artificial intelligence Rabbit R1 saved correspondence with users on the device without the ability to delete it, the gadget manufacturer admitted. The bug was fixed with the release of a software update that added a new Factory Reset feature in Settings to erase all data from the device. Previously, you could unlink your account from the device, but the user data was not deleted.

Image source: rabbit.tech

Along with the new ability to completely delete all user data, the software update eliminated another dubious feature of the Rabbit R1: external devices previously connected to the gadget with permission to add data to the Rabbithole log could also read it. That is, a stolen or hacked Rabbit R1 exposed all requests, photos and other user data to a potential attacker.

With the update, devices lost access to reading the log, and the volume of the log stored on the device was reduced. According to the company, “there is no evidence that the connection data was used to read Rabbithole log data belonging to the former owner.” The risk of such abuse at Rabbit was assessed as negligible.

In June, hard-coded API keys for accessing third-party services were discovered in the device code. They gave a potential attacker access to any answer that the device gave to the user. Rabbit said the employee who made the mistake was identified, fired, and is now being investigated. The company has vowed to improve its security practices to prevent similar errors from happening in the future, with a detailed review of device log practices underway to ensure they meet standards “set in other areas.”