Security

Rabbit R1 AI Device Exposed by API Key Leak (404media.co) 15

Security researchers claim to have discovered exposed API keys in the code of Rabbit's R1 AI device, potentially allowing access to all user responses and company services. The group, known as Rabbitude, says they could send emails from internal Rabbit addresses to demonstrate the vulnerability. 404 Media adds: In a statement, Rabbit said, "Today we were made aware of an alleged data breach. Our security team immediately began investigating it. As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details."
  • What else is new?

    • What else is new?

      They revoked the keys so now they're bricked https://pivot-to-ai.com/2024/0... [pivot-to-ai.com]

      • by Xenx ( 2211586 )
        For information accuracy, the devices were down briefly but not bricked. From what I can see from posts online, they were back up within 1-2hrs.
        • I wonder how one can recover from something like that. If the mechanism a device uses for pulling firmware isn't compromised [1], having it use a different API key, or perhaps even generate its own API key, send it up to be certified, then the cert downloaded, might be more secure. Having a solid, fail-safe firmware fetching mechanism for a device that is designed to be always connected can mitigate API key leaks.

          [1]: Of course, the signing key needs to be in a HSM, otherwise, if the key is compromised a

          • by gweihir ( 88907 )

            You are assuming they do this securely. That is probably not a valid assumption.

            The problem here is that the API key is a secret key. Updates get verified with a public key (signature verification). Hence you need a second secret key that can be used to protect a new API key in transit (encryption). The update verification key cannot do that.
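The key-rotation design sketched two comments up (the device generates its own key pair, the backend certifies it) and the objection just above (a firmware-signing key is a signing key, so a second, encryption-capable key is needed to move a new API key in transit) can be shown together in code. This is an added example, not Rabbit's code or anything from the article: the backend encrypts a fresh API key to the device's enrolled X25519 public key and signs the result with the Ed25519 update-signing key; the device checks the signature and decrypts with its own private key. SHA-256 stands in for HKDF, and the 32/12-byte layout is this example's own assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor derives AES-256-GCM from an X25519 shared secret. SHA-256 stands in
// for HKDF so the example needs only the standard library (a simplification).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer) // rejects low-order peer points
	if err != nil { return nil, err }
	k := sha256.Sum256(secret)
	block, _ := aes.NewCipher(k[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}

// WrapAPIKey (backend): encrypt a fresh API key to the device's enrolled X25519
// public key, then sign ephemeralPub(32)||nonce(12)||ciphertext with the same
// Ed25519 key that signs firmware updates. Signing alone would not hide the key.
func WrapAPIKey(apiKey []byte, devPub *ecdh.PublicKey, signer ed25519.PrivateKey) (msg, sig []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	gcm, err := aeadFor(eph, devPub)
	if err != nil { return nil, nil, err }
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	msg = append(append([]byte{}, ephPub...), nonce...)
	msg = gcm.Seal(msg, nonce, apiKey, ephPub) // ephemeral key bound as associated data
	return msg, ed25519.Sign(signer, msg), nil
}

// UnwrapAPIKey (device): reject anything not signed by the vendor's update key,
// then recover the API key with the device's own private key. An observer holding
// only the public verification key can check the signature but cannot decrypt.
func UnwrapAPIKey(msg, sig []byte, devPriv *ecdh.PrivateKey, verify ed25519.PublicKey) ([]byte, error) {
	if len(msg) < 44 || !ed25519.Verify(verify, msg, sig) {
		return nil, errors.New("bundle rejected: malformed or not signed by vendor")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(msg[:32]) // length already checked
	gcm, err := aeadFor(devPriv, ephPub)
	if err != nil { return nil, err }
	return gcm.Open(nil, msg[32:44], msg[44:], msg[:32]) // fails on any tampering
}
```

In practice the device's X25519 private key would live in a secure element or TPM, as the later comment about key storage suggests, so that a leaked backend key can be rotated without the new secret ever crossing the wire in the clear.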

        • For information accuracy, the devices were down briefly but not bricked. From what I can see from posts online, they were back up within 1-2hrs.

          I lifted that link from the Wikipedia article https://en.wikipedia.org/wiki/... [wikipedia.org] as I had no idea what it was. If there is new information, notably neither the source article nor Wikipedia has been updated.

          • by Xenx ( 2211586 )
            This wasn't a knock at you, just to be clear. I just wanted the update info out there. I don't want to defend Rabbit, though my negative opinion of them is more tempered than others, but people tend to focus on their side of things. People that don't like the device are less likely to quickly go back and update things, if at all. The person in the article clearly doesn't like the device. Same seems at least likely with Wikipedia.
    • by Ed_1024 ( 744566 )

      This must affect, well, the 10 people who bought the thing...

  • I thought API keys were a solved problem. If I had special devices which used a private API, as opposed to just a generic RESTful API for read only stuff, or API keys connected with the current user account of the device, I'd either be storing the device keys in some type of secure storage, be it something like a TPM, or like the example with my Raspberry Pi, ZymKeys. Even that, someone who knows how to decap a chip might be able to tease out the API key, so maybe this is something that needs to be done b

  • In social media, you were the product they sold. In AI, not only are you the product, you also make their product for them.

  • we are not aware of any customer data being leaked

    Thank goodness. That could have impacted tens of people.

  • by Fly Swatter ( 30498 ) on Wednesday June 26, 2024 @03:51PM (#64580585)
    With a silly product, BUT searching for who they are I also saw that there is "The Rabbit Company" [therabbitcompany.com] (perhaps NSFW) which looks to have a much more promising business model.
