The Rabbit R1 has been logging users’ chats — with no way to wipe them
There wasn’t a Factory Reset option, previously. | Photo: David Pierce / The Verge
Since the launch of the Rabbit R1, the AI assistant device has been storing users’ chat logs on-device with no way to erase them, according to a company security bulletin. Rabbit is now addressing the issue with a software update that includes a new Factory Reset option in settings to wipe the device. Previously, you could only unlink your account from an R1, which did not erase all user data.
Along with the new ability to fully delete local user data, the software update also addresses another eyebrow-raising behavior of the R1. Prior to the update, stored pairing data that lets the R1 hardware add things to the Rabbithole journal also had permission to read the journal as well. That means a stolen and hacked R1 could potentially have handed over users’ saved requests, photos, and more.
With the update, R1’s pairing data can no longer read the journal and is no longer logged to the device, and Rabbit has reduced the amount of log data stored on the device. The company says there’s “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner.”
Rabbit’s security bulletin paints the issue as a relatively inconsequential risk with its example that a stolen and jailbroken R1 could reveal to a bad actor the last weather log asked by the original owner. Security researchers last month found that a jailbreak of the device could also hand out hardcoded API keys. The company promises to improve security practices and “prevent similar issues in the future,” saying it’s performing a full review of device logging practices to ensure it aligns with its standards “set in other areas.”
There wasn’t a Factory Reset option, previously. | Photo: David Pierce / The Verge
Since the launch of the Rabbit R1, the AI assistant device has been storing users’ chat logs on-device with no way to erase them, according to a company security bulletin. Rabbit is now addressing the issue with a software update that includes a new Factory Reset option in settings to wipe the device. Previously, you could only unlink your account from an R1, which did not erase all user data.
Along with the new ability to fully delete local user data, the software update also addresses another eyebrow-raising behavior of the R1. Prior to the update, stored pairing data that lets the R1 hardware add things to the Rabbithole journal also had permission to read the journal as well. That means a stolen and hacked R1 could potentially have handed over users’ saved requests, photos, and more.
With the update, R1’s pairing data can no longer read the journal and is no longer logged to the device, and Rabbit has reduced the amount of log data stored on the device. The company says there’s “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner.”
Rabbit’s security bulletin paints the issue as a relatively inconsequential risk with its example that a stolen and jailbroken R1 could reveal to a bad actor the last weather log asked by the original owner. Security researchers last month found that a jailbreak of the device could also hand out hardcoded API keys. The company promises to improve security practices and “prevent similar issues in the future,” saying it’s performing a full review of device logging practices to ensure it aligns with its standards “set in other areas.”