AI gadget Rabbit R1: Bumpy start in Germany due to security problems

The hyped AI machine Rabbit R1 is now also being delivered to Germany. However, this is being hampered by security problems.


The Rabbit R1 AI device is only available in bright fluorescent orange.

(Image: rabbit inc.)

By Ronald Eikenberg
This article was originally published in German and has been automatically translated.

The AI gadget Rabbit R1 is now also hopping around Germany: the first units were recently delivered to German customers by a shipping company in Euskirchen. Our editorial copy, which we pre-ordered directly after the CES presentation in January, has now also arrived in Hanover.

However, the German launch has been overshadowed by reports of a serious security problem: the hardware hackers from Rabbitude claim to have succeeded in accessing the manufacturer's secret API keys. This made it possible to access sensitive user data.

The R1 is designed as an AI everyday companion: at the touch of a button, the device answers any question put to it by voice or text input, similar to ChatGPT & Co. It is also equipped with a camera whose photos can be analyzed using AI. The device runs Android with a special app and uses cloud services via APIs for some of the AI functions.

And this is also where the current security problem lies: one of the affected API keys is said to belong to the text-to-speech service ElevenLabs, which the R1 uses to read out its AI-generated answers. According to the hardware hackers, this key could be used to access every answer that the Rabbit R1 has ever given to any user.

In addition, it was possible to manipulate the voice responses at will and to brick all devices, i.e. to put them in a non-functional state.

But that's not all: Rabbitude apparently also had access to the API key for the Twilio SendGrid mail service, which the manufacturer uses to send emails. R1 users can, for example, use the AI gadget to photograph handwritten tables and convert them into Excel files.

The result is sent by email - via SendGrid. Accordingly, it should have been possible to access the Excel files sent in this way. The researchers were also able to rummage through other email communication from the manufacturer and send emails in its name.

Rabbitude published the findings on its website on Tuesday and Wednesday. The manufacturer responded with a statement in which it explained that it had immediately replaced the affected API keys. According to its assessment to date, critical systems have not been compromised and the security of customer data has not been jeopardized. Rabbitude claims to have discovered the API keys as early as mid-May and says the manufacturer had known about it since then but did not react appropriately. These statements cannot be independently verified.

The Rabbit R1 costs a one-off 200 euros; the manufacturer does not charge a subscription fee. After the promising product launch in January, the hype died down a few months later once the first devices had been delivered.

Customers and journalists criticized the unfinished impression and the short battery life. Some things did not run as smoothly as they had been shown in advance. The manufacturer wants to make improvements with software updates.

(rei)