Rabbit r1's AI Assistant Stored User Chats Without Deletion Option

Since its debut in April 2024, Rabbit's r1 has aimed to offer a phone-less way for users to manage tasks through artificial intelligence (AI). However, Rabbit has now revealed a significant issue: the r1 has been logging user chats on the device without any way to delete them. This means that if an r1 was lost, stolen, or sold, the chat logs could potentially be visible to others. Users were not informed that their conversations with the device were being logged.

Security Advisory and Immediate Actions

In a security advisory, Rabbit explained that on July 10, they "became aware of and immediately resolved a potential risk involving lost, stolen, or second-hand r1 devices." The startup also discovered that stored pairing data on the device, which is used for actions like writing to rabbitjournal or triggering commands such as "order an Uber" or "play music," could read data from the rabbitjournal. This vulnerability meant that someone else could potentially access log files with saved requests, photos, and more.

Steps Taken by Rabbit

In response to these issues, Rabbit has implemented several measures:

• Factory Reset Option: A new factory reset option is now available in the settings menu, allowing users to erase all data from the r1.

• Data Storage Reduction: The device now stores less data.

• Restricted Data Reading: It's no longer possible to read pairing data from rabbithole; it can only trigger actions.

Rabbit stated that they have no indication that pairing data has been misused to retrieve rabbithole journal data belonging to a former device owner. The startup is sharing this vulnerability to be transparent and is conducting a full review of its device logging practices.

Software Update and User Instructions

If you own an r1, no action is required on your part. A software update addressing these issues will download and install automatically.