Rabbit R1 hacked using old vulnerability: avoid second-hand devices

July 17, 2024 by Cybernews

Cybernews researchers have gained root access to the Rabbit R1 AI personal assistant by exploiting a vulnerability from five years ago. Our research team discovered that the orange box is vulnerable to a public exploit dubbed Kamakiri. The exploit has been publicly known since January 2019 and affects several MediaTek systems-on-chip (SoCs).

The exploit allows an attacker with physical access to the device to obtain the highest privileges, access and edit storage contents, and modify the device’s firmware.

“Such a vulnerability allows a third party with physical access to modify the device firmware to add malicious code. That includes not only applications but malicious code could also be injected into the kernel or system processes,” researchers said.

Kamakiri is a widely used exploit for hacking and modifying Android devices. It allowed researchers to dump the Rabbit R1’s original firmware, modify it, disable Android Verified Boot, and install and run the altered firmware.

Tinkerers use such exploits to gain root privileges, change settings, install custom OSes, and add features or apps. For example, a jailbroken Rabbit R1 could be overclocked or made to run the TikTok app, an NES emulator, or any other code. However, malicious actors can also find many uses for it.

“The vulnerability effectively bypasses owner protections and allows thieves to erase, factory reset and resell the device, negating the ‘Mark as lost’ functionality. Buying the device secondhand comes with great risk, as users won’t be able to check if the device has been tampered with and what software is running on it,” researchers warn.

Rabbit response

Rabbit said they’re investigating ways to address this potential risk with their manufacturing partner and have hired additional security resources to focus on hardware security to prevent situations like this in the future.

“While we embrace the spirit of innovation, we must caution against tampering with or jailbreaking R1. Doing so disconnects the user from the secure rabbit ecosystem, and regrettably, we won’t be able to offer the support they might need if any issues emerge,” the company warned in a comment to Cybernews.

“Our roadmap with R1 is continuously evolving, and although there are no specific updates to share at this moment, we will continue to evaluate the best way to engage with third-party developers.”