Hack IKKO "AI powered" earbuds to run DOOM, stole OpenAI API key, customer data
10 months ago
- #ChatGPT
- #Android
- #Security
- The earbuds run Android and were bought for 245 euros after being featured in a Mrwhosetheboss video and on TikTok.
- The device boots to a screen with ChatGPT prominently displayed, and includes other AI features like translations.
- The audio quality is poor with default EQ profiles but can be improved by manually adjusting the EQ curves.
- The device uses modified apps from the IKKO store, as it lacks Google Play Store, and includes apps like Spotify and Subway Surfers.
- ADB was left enabled, allowing for easy sideloading of apps and further investigation into the device's functionality.
- The ChatGPT integration communicates directly with OpenAI, and an OpenAI (ChatGPT) API key was found on the device.
- The device logs chats to an endpoint, potentially exposing user data, and lacks proper authentication for some API endpoints.
- A security flaw allowed QR codes that bind devices to the companion app to be generated at will, potentially exposing user chat histories and names.
- After reporting the issues, the company released updates to improve security, but some vulnerabilities remain.
- The device was eventually rooted, revealing further security issues, including an unauthenticated proxy API for ChatGPT.
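The two findings a vendor could have caught before shipping are the hard-coded API key and the debug build with ADB left on. The script below is an added example, not code from the original post or from IKKO: it runs a secret-scanner pass over extracted app assets and audits a `getprop` dump for debug settings. The key value, file names and property dump are constructed; only the `sk-` prefix, `ro.debuggable`, `ro.secure` and `persist.sys.usb.config` are real conventions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Credential shapes that should never appear inside a client build.
# "sk-" is OpenAI's well-known key prefix; the bearer rule is generic.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "bearer_token": re.compile(r"Authorization:\s*Bearer\s+[A-Za-z0-9._-]{16,}", re.I),
}


@dataclass
class Finding:
    kind: str
    location: str
    redacted: str  # never log the full secret, even in an internal report


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so the owner can recognise the key."""
    return secret[:6] + "*" * (len(secret) - 10) + secret[-4:]


def scan_strings(location: str, text: str) -> list[Finding]:
    """Run every pattern over one extracted file (strings of a dex, an asset, ...)."""
    findings: list[Finding] = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(kind, location, redact(m.group(0))))
    return findings


# Build properties that mean the device ships in a debuggable state.
RISKY_PROPS = {
    "ro.debuggable": ("1", "debuggable build: run-as and debug attach allowed"),
    "ro.secure": ("0", "adbd runs as root"),
}


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `adb shell getprop` lines of the form `[key]: [value]`."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_props(output: str) -> list[str]:
    """Return one issue string per risky setting found in the property dump."""
    props = parse_getprop(output)
    issues = []
    for key, (bad, why) in RISKY_PROPS.items():
        if props.get(key) == bad:
            issues.append(f"{key}={bad}: {why}")
    usb = props.get("persist.sys.usb.config", "")
    if "adb" in usb.split(","):
        issues.append(f"persist.sys.usb.config={usb}: ADB enabled by default")
    return issues


# --- constructed sample inputs (not from the device) ---------------------
SAMPLE_FILES = {
    "assets/config.json": '{"openai_key": "sk-CONSTRUCTEDexample0123456789abcdef", '
                          '"endpoint": "https://api.example.com/chat"}',
    "assets/strings.txt": "Welcome to the earbuds companion app",
}

SAMPLE_GETPROP_DEBUG = """\
[ro.debuggable]: [1]
[ro.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

SAMPLE_GETPROP_HARDENED = """\
[ro.debuggable]: [0]
[ro.secure]: [1]
[persist.sys.usb.config]: [mtp]
"""


def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for loc, text in files.items() for f in scan_strings(loc, text)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"SECRET {f.kind} in {f.location}: {f.redacted}")
    for issue in audit_props(SAMPLE_GETPROP_DEBUG):
        print(f"DEBUG  {issue}")
```

In a release pipeline the file dictionary would be filled from the unpacked APK (`apktool`/`unzip` output) and the property dump from a factory-image device, and any finding fails the build. The redaction step matters because the scanner's own output is often stored in CI logs with wider access than the source.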