Rabbit R1 After Updates Review: Security Woes For $200?

reviews
Written By Shannon Morse

Not gonna lie it’s been so long since I’ve jailbroken or hacked a device, I’m super excited to install Android on this thing.

What's up S'mores, I'm Shannon Morse! Welcome to my YouTube Channel! Today, we're diving into a gadget that's got me sitting here going wtf more than it's helping me out. Yep, we're talking about the Rabbit R1, an AI-powered assistant that's supposed to be the future of tech but is more like a gaslighting pager... I truly was hoping all of the negative press about this thing was just entirely blown out of proportion but now I know why they never responded to my requests to review it! They probably saw “girl with a history of hacking stuff” and thought NOPE, HARD PASS. So I bought one. Let's jump in!

Introduction

First off, the Rabbit R1 is priced at $199 and comes in a loud, neon orange color that really stands out. In the box, you'll find the R1 itself, a USB-C charging cable, and a quick start guide. It was released earlier this year with a lot of hype, but immediately saw tons of bad feedback because it basically runs on Android and didn’t even work very well. So does it still suck, a few months after original release? That’s what I wanted to find out.

Design

Alright, let's talk design. The Rabbit R1 is a 3-inch square gadget that kinda looks like a tamagotchi. It's got a plastic body that's surprisingly robust but picks up fingerprints because it is made out of this shiny material. On the right side, there's a push-to-talk button, and on the front, a scroll wheel and a 2.8-inch touchscreen. It's small and fits easily in your pocket, but the screen isn't super bright, so I wouldn’t recommend trying to use it in direct sunlight.

I am so proud of the work I put into this video. Even though it’s like 10 minutes long, these videos generally take like 8 hours to create from brainstorming and research and writing, all the way to post production work, so if you enjoyed it as much as I enjoyed creating it, a simple click of the subscribe button really goes a long way.

Display and Interface

The display is where things start to go south. The touchscreen is only partially functional—you can type on it, but that's about it. Most of your interactions will be through the scroll wheel and the side button, which sounds fine in theory but is super clunky in practice. Like there were many times that I found myself in the settings or on a menu and I’d try to click an option on the screen, and it wouldn’t register - I’d have to use the scroll and button. The interface is basic, with an animated rabbit bouncing around, which is very cute, but it's not very intuitive. Like to get into your settings, you have to shake it. If you want to use the terminal, you have to turn it on it’s side, which I kinda figured out on accident. You CAN control your device by talking to it, though, and it responds quickly.

Before we get to the features and why you might wanna jailbreak this thing - You should also consider securing your accounts online.

I love using today’s products to better secure my online lifestyle. One of the ways I do so is with a YubiKey - this thing looks like a USB flashdrive, but it’s used specifically to add a second layer of authentication to your accounts. Instead of typing in a 6 digit code after my password, which can be bypassed or stolen, I can plug this in on supported sites and quickly log in.

Yubico just introduced Firmware version 5.7, and with that are a whole slew of upgrades to the YubiKeys that we absolutely love for securing our accounts. The new firmware gives businesses a bunch of security updates, like the ability to block common PINS at the hardware level, enforcing usage of YubiKeys to track assets better, and increased security around hardware PINs like minimum length rules.

For consumers, now we get increased storage. Firmware 5.7 allows for up to 100 passkeys and 64 OATH one time passcode seeds - Yubico listened to your concerns and they increased the capacity! This is a big deal as more companies move to support passkeys and hardware keys, as it means that Yubico is future proofing their products.

The new Yubico Authenticator App update brings us official support for French and Japanese, an Android edition which supports FIDO functions, like managing PINs, Passkeys, and Fingerprints now on mobile. Plus, they’re updating the interface for a better user experience.

Personally, I’ve used YubiKeys for several years to protect my online accounts. It’s so much more secure and convenient for me to set up a couple of hardware keys to unlock my accounts quickly - especially now that I can manage all my 6 digit codes in their Authenticator app and secure that with a hardware key too.

My video playlist on my youtube channel goes over every common question you may have about YubiKeys, but if you’re ready to take the next step in securing your online identity, go to https://yubi.co/shannon-2024 to get $5 off a new firmware 5.7 YubiKey. That’s https://yubi.co/shannon-2024 for $5! Thank you so much to Yubico for sponsoring my channel!

Features and Performance

Unfortunately, the big selling point is its AI capabilities, but I was a bit underwhelmed in some parts, while satisfied for others. I’ll give you some examples.

  • For Voice Search: I asked it for the weather in Denver and it was correct, then I started asking it for details about Lindsey Sterling’s concerts - which were highly relevant at the time, because I was going to see her at Red Rocks hours after recording this B-roll - she was great by the way, highly recommend. Beautiful concert. So it did an intelligent job of having a conversational communication with me, but it got some of the data wrong. Like it told me her upcoming concert was in the wrong place.

  • Vision and Camera: Pointing the camera at objects is supposed to give you info, but it misidentifies things or it doesn’t give you all the details. For example, I was pointing this thing at all sorts of popular character figures that I have sitting around in my studio, and it would give me generic info about those, but it wouldn’t tell me the actual names of these characters until I showed it batman. In this case, Circle to Search on my phone works loads better.

  • But then I showed it some crystals and it got those specimens mostly correct. So for pop culture: no. But for identifying natural items like crystals or plants, yes.

  • Music, Uber, DoorDash, etc.: Integrations are third party and require you to log in to your accounts, but the third party options are severely limited. There is no Lyft, there is no Youtube Music. I don’t use Spotify or Apple Music, so when I asked it to play some music for me, it wouldn’t even just do a search and pull it up on whatever player it found first. They really need to add some more integrations to make the platform useful. Also if you do wanna connect your third party apps, you have to type your password into the login page on rabbithole - you can’t autofill it from a password manager or copy/ paste it into the field. At least I couldn’t, and I tried several times because… my passwords are randomly generated. Ain’t no way I’m gonna sit there and type each one in.

  • Terminal: I thought it was really cool that you can access the terminal. You do have to enable this in the settings to access it, but then when you turn this on the side, it’ll open the terminal and you can use the on screen keyboard to type in options and commands. But for some reason, I’d do something really silly simple like ping 8.8.8.8 and it came back with “Terminal Mode has been disabled”. And no matter how many times I went back into my settings and enabled it, it just automatically turned it off. So why even give me the option? Frustrating.

  • Text To Speech: I did find text to speech note taking to be solid. I can record a note, then access that note in my web dashboard for my account and you can download those notes. And I thought the audio was pretty standard, it was clear enough that if I was using this specifically to record, say, in a classroom or an interview, then it should be fine. Now, if I needed something for a youtube video, it’s not clear enough for that. I’d need a professional mic setup for that.

  • Your Hole.Rabbit dashboard: This is where you can access a history of your interactions with the Rabbit R1 and you can download photos and speech recordings. I like that I can access my queries, and I appreciate that it even uses AI to give me a summary of my voice note. Downloads are quick and painless, and you can delete any you don’t want to keep a copy of.

Battery Life

Battery life was low. Especially if you use it to identify things with the camera. Like I went from 95% - 70% in about half an hour. If you leave it to sleep for 24 hours, it’ll drop from 70-20% even when it’s not in use. So I think the battery needs to be better.

Security

In a recent update, Rabbit provided an overview of the impact of a security breach where an employee leaked confidential internal code to a hacktivist group. This breach included several API keys, which led to the unauthorized sending of defamatory emails but did not expose any customer data. Rabbit has since rotated the compromised keys and migrated secrets to AWS Secrets Manager for better security.

The leaked keys included access to services like ElevenLabs for text-to-speech and SendGrid for email. While the ElevenLabs key allowed the download of anonymized data and potential disruption of voice services, it couldn't identify individual users or requests. The SendGrid key could send emails and potentially disrupt the spreadsheet feature, but it didn't expose historical email data or the actual spreadsheet contents.

Rabbit acknowledged feedback about their 180-day Vulnerability Disclosure Program (VDP) and reduced it to 90 days. They also hired a third-party security firm to audit their codebase to ensure all secrets are properly secured, with results expected by the end of August. Rabbit emphasized their commitment to transparency and security as they continue to investigate and address the breach.

Then in July, the rabbit team posted a blog about resolving another risk to data if you lose or sell your R1, or if it gets lost. Tech to speech and device pairing data is stored directly on the R1 device, and a new owner could potentially jailbreak the device to find those log files. Rabbit responded and made a few changes. First, pairing data can’t be used to read from Rabbithole - only trigger actions. Pairing data is no longer logged on device. They reduced the amount of data that gets stored on device, and now there is a factory reset option right in the settings menu, which I was able to confirm.

Should You Buy It?

In short, my personal opinion on this one is no. The Rabbit R1 feels like an unfinished product that's not ready for prime time. It feels a little gimmicky and has potential, but it’s limited in so many ways. Save your $199 and wait for something better. Maybe an R2 with better battery and a useful touchscreen?

Have you tried the Rabbit R1? Let me know in the comments below. Don't forget to like, subscribe, and hit that bell icon for more reviews. Shoutout to my Patreon supporters—you guys are the best! Bye yall!

Shannon Morse

Shannon Morse is an online video producer and host. She has reviewed hundreds of consumer tech products and produces easily understandable tutorials about security and privacy.

Shannon currently hosts Morse Code, Sailor Snubs, and Shannon Travels The World. Her tech channel is a leading source for practical and logical security and privacy information in today’s digital age.

https://www.shannonrmorse.com/
Previous

AT&T Data Breach?! What You Need to Know & How to Stay Safe
Next

Unboxing Samsung Galaxy Z Fold6, Flip6, and Watch 7! New Colors!