Update 06/26/24 at 12:50 p.m.:
The hacker and developer collective Rabbitude told Gizmodo that Rabbit finally revoked the original ElevenLabs API key, which had allowed them access to users' AI responses and the device's voice model. However, there's a new wrinkle. The group now claims it also had access to Rabbit's internal electronic messaging service.
In a Wednesday post to the group's site, Rabbitude said that the Rabbit R1 makers revoked all the previously revealed API keys; one was so poorly done it bricked users' devices for a short while until it could restore ElevenLabs. However, the group wasn't ready to let Rabbit off the hook and shared that it had yet another API key that was hardcoded into the Rabbit. This one was for Sendgrid, the email service used for the r1.rabbit.tech subdomain. The hacker group says the domain houses spreadsheets containing sensitive user information.

The Rabbit R1's shell was designed by Teenage Engineering with a truly minimalist design. According to a group of hackers, the device's security was similarly minimal. Photo: Dua Rashid / Gizmodo
One of the group's developers shared an email with Gizmodo that appeared to be sent from the [email protected] address. The group said it sent a similar email as a test more than a month ago, but that went unnoticed by Rabbit's developers.
The group sent more emails from the [email protected] address to Jason Koebler at 404 Media. That email was previously used to share press release details with journalists.
In an email to Gizmodo, Rabbit pointed to a security blog post where it said:

"We were notified that a third-party may have had access to working API keys for multiple SaaS providers used by rabbit to provide services to our customers. Based on this notice, the rabbit security team rotated the keys to those APIs, which caused a brief downtime on the devices."
We'll be reaching out to see if the developers have anything more to share about the breach. Our point still stands: if you were using a Rabbit R1, you should put that on pause until Rabbit shares any concrete details about its internal security.
Original Story:

That $200, bright orange, minimalist AI doohickey called the Rabbit R1 promised it would become your go-to AI companion. Instead, it proved it was a malformed and half-baked machine that couldn't stand up to any of its lofty promises. Now, according to a group of white hat hackers, it's even worse than that. The team calling themselves Rabbitude claims they've had access to all the Rabbit R1's codebase API keys for over a month, granting them a peek at all of Rabbit's responses, including any sensitive information offered to the AI.
All this is to say, if you're still one of those few rabbits who still jump at the chance to use a Rabbit R1, you should stop doing so immediately.
Rabbitude claims it gained access to the Rabbit codebase back on May 16. The team also shared the API keys that allow the Rabbit to connect to Google Maps and Yelp, which gives the AI models access to local reviews and directions. The team also says it has access to the ElevenLabs key, which is the system Rabbit uses for text-to-speech. That last one is particularly crucial to everyday Rabbit operations since it lets the hackers get a history of all past text-to-speech messages and even brick the device by deleting the voices entirely.

After the hacker group released its findings late Tuesday, one of the members who goes by Eva online said ElevenLabs temporarily revoked the ElevenLabs API key, which also shut down all Rabbit devices for a time before it went back online. They said, "Rabbit knew about it and did nothing to fix it."
rabbit has now revoked the elevenlabs api key breaking literally every r1, cause they forgot to update their key on the server.
— xyzeva (@xyz3va) June 25, 2024

Gizmodo contacted Rabbit early Wednesday morning for comment, but we did not immediately hear back. The company told Engadget that it was aware of the alleged breach but was "not aware of any customer data being leaked or any compromise to our systems." Gizmodo also asked Rabbit if it has revoked any API keys, and we'll update this post if we hear more.
The Rabbit R1 is already prone to failure since it relies so much on cloud services that are not directly controlled by the Rabbit team. Last month, a ChatGPT outage temporarily made the device utterly useless. Gizmodo could not independently confirm whether the Rabbit went offline due to any meddling with the ElevenLabs API. We reached out to the hacking team for proof and comment, and we'll update this story if we hear more.
Tech blogger Ed Zitron has already detailed the company's shift from working on a crypto metaverse project to its AI device. YouTuber CoffeeZilla also broke down some of the more concerning aspects of the device, including some "serious data privacy concerns" after looking at the Rabbit's codebase. He cited "things malicious actors could use to get access to all the responses the R1 has ever given."

On the Rabbitude Discord, the team claims they have been working with CoffeeZilla since they accessed that codebase over a month ago. The team further said, "This is real. Rabbit can dance around it all they want, but it is genuine, and this did happen. They had a month to switch the keys, and they didn't. That's on them."