Rabbit R1: According to the manufacturer, hardware hackers obtained the API key through a leak



The AI gadget Rabbit R1 was launched in Germany in June. At the same time, attention focused on the device's security problems, in particular the exposure of secret API keys, which allowed access to sensitive user data.



According to their own statements, hardware hackers managed to obtain the manufacturer Rabbit's secret API keys, including the one belonging to the text-to-speech service Eleven Labs. The keys were embedded directly in the source code.

The secret key allowed access to every answer the Rabbit R1 had ever given. Furthermore, the answers could potentially be manipulated and the devices could be rendered unusable (bricked).




The Rabbit R1 didn’t have a good start in terms of features and security.

(Image: Rabbit)

Rabbit sells the device as an AI everyday companion that answers any questions asked by voice or text input, similar to ChatGPT and other AI assistants. It can also use AI to analyze photos taken with the integrated camera.

Rabbit has now published an official statement on the security issues. According to it, the API keys were not accessed from outside; rather, an employee passed the keys on to outsiders. The employee has since been fired. Rabbit says it was not a vulnerability in its security system and that the company is in touch with the authorities to initiate further investigation.

However, the fact that the company does not describe an insider attack as a security vulnerability is at least bold. Insider attacks are a common threat, and in 2023 the Open Web Application Security Project (OWASP) published a “hit list” of them, the “OWASP Top 10 Insider Threats”.


Also, according to the log of the internal investigation, the leaked API keys could be found in the source code. Rabbit thus violated an important security requirement: secret keys should never be hard-coded in source code. At least, according to Rabbit, the API keys had to be moved to AWS Secrets Manager because of the leak.
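The requirement just named, that secrets never sit in source code, is something a team can check for mechanically. The following is an added example (not code from the article, from Rabbit, or from Eleven Labs): a small scanner that flags assignments of long, high-entropy string literals to names that look like keys or secrets, plus a loader that reads the key from the environment or from an injected secrets-manager fetcher and fails closed when it is missing. The file names, the `SAMPLES` contents and the key value are constructed for the example; the service name is used only as an assumed variable name.

```python
"""Detect hard-coded API keys in source and load them from a secret store instead."""
import math
import os
import re
from collections import Counter
from typing import Callable, Dict, List, Mapping, Optional

# Constructed sample "source files". bad_config.py embeds a key the way the
# article describes; good_config.py reads it from the environment instead;
# placeholder.py holds an obvious dummy value that should not be reported.
SAMPLES: Dict[str, str] = {
    "bad_config.py": (
        'ELEVENLABS_API_KEY = "sk_3f9a1c7e2b8d4650a9e1f3c2b7d8e4f1"\n'  # constructed value
        "TIMEOUT = 30\n"
    ),
    "good_config.py": 'import os\nELEVENLABS_API_KEY = os.environ["ELEVENLABS_API_KEY"]\n',
    "placeholder.py": 'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
}

# Assignment of a quoted literal (16+ chars) to a name containing KEY/SECRET/TOKEN/PASSWORD.
SECRET_ASSIGNMENT = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)'
    r'\s*=\s*["\']([^"\']{16,})["\']',
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.0  # bits per character; real keys are well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the literal; 0.0 for an empty or uniform string."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def find_hardcoded_secrets(text: str) -> List[dict]:
    """Return one finding per line that assigns a high-entropy literal to a secret-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(line)
        if not match:
            continue
        name, literal = match.group(1), match.group(2)
        entropy = shannon_entropy(literal)
        # Low-entropy literals ("xxxx...", "changeme") are placeholders, not leaked keys.
        if entropy >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "name": name, "entropy": round(entropy, 2)})
    return findings


def scan(files: Mapping[str, str]) -> Dict[str, List[dict]]:
    """Scan a mapping of path -> file contents and return findings per path."""
    return {path: find_hardcoded_secrets(text) for path, text in files.items()}


def load_api_key(
    name: str,
    env: Mapping[str, str] = os.environ,
    fetch: Optional[Callable[[str], Optional[str]]] = None,
) -> str:
    """Fetch a secret at runtime: from an injected secrets-manager fetcher if given
    (e.g. a wrapper around AWS Secrets Manager), otherwise from the environment.
    Fails closed: a missing or empty secret raises instead of silently returning ''."""
    value = fetch(name) if fetch is not None else env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not configured")
    return value


if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        for f in findings:
            print(f"{path}:{f['line']}: hard-coded secret in {f['name']} (entropy {f['entropy']})")
```

Run as a pre-commit hook or in CI, a scanner like this reports only `bad_config.py`; the environment-based `good_config.py` and the dummy placeholder pass. The entropy check is what keeps the placeholder quiet, so tune the threshold against the key formats your own services use.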

Rabbit had likely already commissioned an external pen test from Obscurity Labs before the leak, which is said to have revealed no major anomalies. The Obscurity Labs blog post, with updates from late July, reads extremely mildly, and Rabbit takes it as proof that its multi-layered security approach works. However, Rabbit's current article on the security problems does not mention the original vulnerability found in mid-July.

Judging by the international reviews published before April, it will still take some time before the Rabbit R1 is suitable for everyday use. Data security also leaves room for improvement: as analyzed in issue 17/2024, Rabbit users must place a high degree of trust in the provider, since access credentials for important accounts can be read in plain text.


(RME)
