Since it debuted in April of this year, Rabbit has been hoping to make its r1 device a phone-less way to let artificial intelligence (AI) handle tasks for you throughout the day.
Now Rabbit has revealed that r1 has been logging user chats on the device with no way to erase them. That approach meant that if you lost your r1, it got stolen, or you sold it, your chat logs could have potentially been visible to someone else. Users hadn’t been made aware that any conversations with the device were logged.
In a security advisory explaining the issue, the company said that on July 10, “we became aware of and immediately resolved a potential risk involving lost, stolen, or second-hand r1 devices.”
Rabbit also revealed that stored pairing data on the device, which is used to write data to rabbitjournal and trigger actions like “order an Uber” or “play music”, could also read data from the rabbitjournal. This issue meant an r1 in the wrong hands could be used to see log files with saved requests, photos, and more.
Rabbit has done several things in response. First, a factory reset option is now available in the settings menu. This feature lets users erase all data from the r1. Second, less data is now stored on the device. Finally, pairing data can no longer read from rabbithole; it can only trigger actions.
The company said it had “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner,” and that it was disclosing this vulnerability in the name of transparency and performing “a full review of device logging practices.”
If you have an r1, you don’t need to do anything. A software update fixing these issues will download and install automatically.