Security Flaws in IKKO Activebuds

IKKO Activebuds run Android with ADB enabled, allowing easy system access.

The earbuds’ ChatGPT feature uses a built-in OpenAI API key stored on the device, which was extracted.

User chats are logged to an endpoint that only requires the device IMEI, exposing anyone’s chat history.

The companion app binding code can be generated for any IMEI, enabling device binding or revealing user names.

After disclosure, IKKO rotated the API key and added request signing, but some vulnerabilities remain.

Get notified when new stories are published for "General AI News"

No Sign-In needed. One-Click Subscribe.

•

General AI News•July 2, 2025 at 03:23 PM

IKKO Activebuds run Android with ADB enabled, allowing easy system access.

The earbuds’ ChatGPT feature uses a built-in OpenAI API key stored on the device, which was extracted.

User chats are logged to an endpoint that only requires the device IMEI, exposing anyone’s chat history.

The companion app binding code can be generated for any IMEI, enabling device binding or revealing user names.

After disclosure, IKKO rotated the API key and added request signing, but some vulnerabilities remain.

Get notified when new stories are published for "General AI News"

No Sign-In needed. One-Click Subscribe.