
AI device Rabbit r1 logged user interactions without an option to erase them before selling

Rabbit, the manufacturer of the Artificial Intelligence (AI) assistant r1, has issued a security advisory telling users it’s found a potential security risk. If a user loses or sells their device, a person in possession of the r1 could potentially jailbreak the device and gain access to files that contain logging information, chats, and photos.

To tackle the potential problem with sensitive data being left behind on the r1, Rabbit has taken the following measures:

  • A factory reset option is now available in the settings menu that lets you erase all data from the r1 prior to transferring ownership.
  • Pairing data is no longer logged to the device.
  • The amount of log data that gets stored on the device has been reduced.
  • Pairing data can no longer be used to read from the user’s Rabbithole journal section. It can only trigger actions.

Rabbit also says it is performing a full review of device logging practices to check whether additional technical controls are needed.

If you have an r1, you don’t need to do anything, as the fix will be downloaded and installed automatically. Most updates to the r1 do not require any action from the user. Updates that you do need to accept, including new features and more supported apps, arrive as over-the-air updates. For these, follow the prompt on your r1, make sure you’re connected to WiFi and a power source, and wait for it to update.

For those not familiar with the concept, the Rabbit r1 is an AI-powered gadget that can manage the use of your apps for you. It’s a standalone gadget with a 2.88-inch touchscreen, a rotating camera for taking photos and videos, and a scroll wheel/button designed to navigate the menu or allow you to talk to the built-in AI.

The Rabbithole mentioned earlier is an all-in-one web portal to manage the relationship with rabbit OS, and the device that you pair the r1 to. The Rabbit r1 uses a Large Action Model (LAM) to translate the user’s voice into actions on the device it’s paired with, whether that’s a handheld device, like a phone, or a desktop computer.

It’s still pretty much a project under development. Right now, the Rabbit r1 can answer questions, call an Uber, order DoorDash, play music on Spotify, translate speech, generate images on Midjourney, identify nearby objects with its camera and record voice memos. Nothing your phone can’t do, but Rabbit promises more options on the horizon and claims that all these actions are easier to accomplish when you’re using the r1.

The journal section of the Rabbithole web portal shows any visual searches you’ve conducted using the r1’s camera and voice memos you’ve recorded.

Rabbit says there’s no indication that pairing data has been abused to retrieve Rabbithole journal data belonging to a former device owner. Yet the possibility exists, and it’s good that users now have the ability to erase all data before selling the device. However, this doesn’t solve the issue if the r1 is stolen or lost.



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.