Developers have been able to gain access to the API keys and full database of responses from Rabbit R1 devices. This allowed them to view and change all answers, crash the back-end and change votes.
:strip_exif()/i/2006797842.jpeg?f=imagemedium)
The developers, united under the banner of Rabbitude, claim that they have access included the API keys for ElevenLabs for text-to-speech, Yelp and Google Maps. This allowed them to view all answers from R1s, including personal information. It was also possible to change text and crash the entire back-end.
Rabbitude said it informed the Rabbit company of the leak a month ago. The company ignored the developers and then changed the API keys. As a result, all R1s temporarily did not work on Wednesday, Rabbit reports. The API key of the mail service SendGrid still works, Rabbitude reports.
The leak was possible because the API keys are hardcoded in the software of all R1s, but the researchers do not reveal any details about how they accessed them. . The fact that Rabbit has changed the API keys indicates that hackers could still find them in the software.
Rabbit announced the R1 in January and released it this spring. The device is intended for use as an AI assistant and mainly works with voice commands. It can additionally perform actions on behalf of users in third-party services.