Along with the new ability to fully delete local user data, the software update also addresses another eyebrow-raising behavior of the R1. Prior to the update, stored pairing data that lets the R1 hardware add things to the Rabbithole journal also had permission to read the journal as well. That means a stolen and hacked R1 could potentially have handed over users’ saved requests, photos, and more.
With the update, R1’s pairing data can no longer read the journal and is no longer logged to the device, and Rabbit has reduced the amount of log data stored on the device. The company says there’s “no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner.”
Rabbit’s security bulletin paints the issue as a relatively inconsequential risk with its example that a stolen and jailbroken R1 could reveal to a bad actor the last weather log asked by the original owner. Security researchers last month found that a jailbreak of the device could also hand out hardcoded API keys. The company promises to improve security practices and “prevent similar issues in the future,” saying it’s performing a full review of device logging practices to ensure it aligns with its standards “set in other areas.”