rabbit

Factory reset update for r1


On 10 July 2024, we became aware of and immediately resolved a potential risk involving lost, stolen, or second-hand r1 devices before Factory Reset capabilities were provided.

At launch, r1 devices logged text-to-speech replies and device-pairing data directly to the r1 device storage. If a customer sold their device after using it, or if a device was lost or stolen, the new owner could potentially jailbreak the device and gain access to those log files.

Example:

As of 11 July, we’ve made the following changes:

As of the publishing of this post, we have no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner. However, we believe that our customers deserve transparency in matters related to their data, and as such, are highlighting it as a potential risk that existed in our systems through the dates listed.

In light of this potential risk, and to prevent similar issues in the future, our team is performing a full review of device logging practices to ensure that they align with the standards we’ve set in other areas. Additional technical controls will be designed and implemented based on that review. The trust our customers place in us is our most valuable resource, and we intend to do everything in our power to maintain that trust.