There wasn’t a Factory Reset option, previously. | Photo: David Pierce / The Verge
Since the launch of the Rabbit R1, the AI assistant device has been storing users’ chat logs on-device with no way to erase them, according to a company security bulletin. Rabbit is now addressing the issue with a software update that includes a new Factory Reset option in settings to wipe the device. Previously, you could only unlink your account from an R1, which did not erase all user data.
Along with the new ability to fully delete local user data, the software update also addresses another eyebrow-raising behavior of the R1. Prior to the update, stored pairing data that lets the R1 hardware add things to the Rabbithole journal also had permission to read the journal as well. That means a stolen and hacked R1 could potentially have handed over users’ saved requests, photos, and more.
With the update, R1’s pairing data can no longer read the journal and is no longer logged to the device, and Rabbit has reduced the amount of log data stored on the device. The company says there’s “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner.”
Rabbit’s security bulletin paints the issue as a relatively inconsequential risk with its example that a stolen and jailbroken R1 could reveal to a bad actor the last weather log asked by the original owner. Last month security researchers said they discovered API keys hardcoded in the company’s codebase. Since that report came out, Rabbit says it has traced the leak to an employee, writing that “The employee has been terminated and remains under investigation.”
The company promises to improve security practices and “prevent similar issues in the future,” saying it’s performing a full review of device logging practices to ensure it aligns with its standards “set in other areas.”
Correction, July 12th: An earlier version of this article said the API keys were leaked by jailbreaking; however, in an update published on July 5th, Rabbit said they were leaked by an employee.