Since the launch of the Rabbit R1, the AI assistant device has been storing users’ chat logs on-device without an option for deletion, as highlighted in a recent security bulletin. Rabbit is now addressing this concern with a software update that introduces a Factory Reset option in the settings to completely wipe the device. Previously, users could only unlink their accounts, which did not erase all user data.
In addition to enabling full deletion of local user data, the update resolves another significant issue: prior to the update, the stored pairing data not only allowed the R1 to add entries to the Rabbithole journal but also granted access to read the journal. This raised concerns that a stolen or hacked R1 could potentially access users’ saved requests, photos, and other sensitive information.
With the software update, the R1’s pairing data no longer grants read access to the journal and is not logged to the device. Furthermore, Rabbit has minimized the amount of log data retained. The company has stated that there is "no indication" that pairing data has been exploited to access the Rabbithole journal content of former device owners.
Rabbit's security bulletin regards the situation as a relatively minor risk, using the example that a stolen and jailbroken R1 could potentially disclose the last weather request made by the original owner. Recently, security researchers revealed that API keys were hardcoded in the company’s codebase. In response to this, Rabbit has traced the leak to an employee, who has since been terminated and remains under investigation. The company has committed to enhancing security protocols to prevent similar issues in the future and is conducting a comprehensive review of its device logging practices to ensure they meet its established standards.