In addition to the new ability to completely delete local user data, the software update also addresses another curious behavior of the R1. Before the update, the stored pairing data that allows the R1 hardware to add entries to the Rabbithole journal also had permission to read the journal. This means that a stolen and hacked R1 could potentially expose saved user requests, photos, and more.
With the update, R1 pairing data can no longer read the journal and is no longer logged on the device, and Rabbit has reduced the amount of journal data stored on the device. The company says there is “no indication that pairing data was misused to retrieve Rabbithole log data belonging to the former device owner.”
Rabbit’s security bulletin portrays the problem as a relatively minor risk, citing the example that a stolen and hacked R1 could expose to a bad actor the last weather request logged by the original owner. Last month, security researchers said they had discovered API keys hard-coded into the company’s code base. Since that report was published, Rabbit claims to have traced the leak to an employee, writing that “The employee has been terminated and is still under investigation.”
The company promises to improve its security practices and “prevent similar issues from occurring in the future,” saying it is conducting a full review of its device enrollment practices to ensure they are in line with standards “set in other areas.”
July 12th update: An earlier version of this article stated that API keys were exposed as a result of jailbreaking; however, in an update published on July 5, Rabbit claimed this information was leaked by an employee.
