Rabbit R1 has once again been caught in a whirlpool of public opinion. Following criticism that its app is an Android shell and that its main large action model, LAM, relies on the OpenAI interface, its API has now also been exposed as having security vulnerabilities, with a risk of leaking user data.
Rabbit R1 was unveiled at this year's CES. It is positioned as a pocket AI device. This product has a 2.88-inch touch screen, a rotatable camera and an interactive scroll wheel, and is equipped with Rabbit's self-developed operating system.
The biggest highlight of this device is its built-in "Large Action Model (LAM)", which can be called a "universal application controller". It can integrate multiple functions such as playing music, shopping, and sending messages without using a mobile phone, and it can even be trained to learn to operate specific applications.
As a personal assistant for users, Rabbit R1 inevitably involves sensitive personal information of users. However, the latest research by the Rabbitude team shows that its API has security vulnerabilities, leading to the leakage of user data.
Rabbitude is a community project that reverse engineers devices and their software. The team publishes its findings from time to time, and the latest one is worrying.
These APIs can also control key options of the phone, and the report says that modified API calls can be used to change the device's reactions or change its sounds.
The Rabbitude team described the vulnerability as a "critical hardcoded API key" that could access Yelp reviews and Google Maps for location-related needs.
The team claims that the Rabbit R1 team was aware of the issue but did nothing to address it.