Jul 03, 2025 21:00:00

Report: AI-enabled earphones were hacked to run DOOM and steal OpenAI API keys and chat history

It has been reported that a hacker obtained and hacked IKKO's

Activebuds , which are advertised as 'the world's first AI-enabled earphones,' and was able to steal OpenAI API keys and customer data.

Exploiting the IKKO Activebuds 'AI powered' earbuds, running DOOM, stealing their OpenAI API key and customer data.
https://blog.mgdproductions.com/ikko-activebuds/

Activebuds is a device that runs Android in an earphone case, and you can use a variety of apps on the display on the earphone case.

ADB was enabled by default, so I was able to connect to my PC and sideload DOOM.

Upon closer inspection, they were able to see where and how the device was communicating, and discovered that an OpenAI API key was stored on the device.

In addition, we found system prompts such as, 'Replying with more than 150 words separated by spaces is strictly prohibited. Also, political replies in Chinese are prohibited.'

When they extracted the store apps that were installed on the device and installed them on another device, they found that most of the apps appeared to have been ripped directly from a third-party app distribution site called apkpure.com.

We also found that the chat history was stored in the cn (China) domain. When saving the chat history, it included the chat content, model, responses, and device ID (IMEI).

They were also able to unearth past chat history using the device ID that was vaguely visible in the tutorial video.

When trying to guess the device ID and bind the app, the ChatGPT username may be displayed, which may allow researchers to obtain other people's chat history.

A blogger who verified this issue reported it to IKKO, and discovered that the API no longer worked, and after maintenance, the endpoint for retrieving chat history now required a 'signature' header, making it impossible to retrieve chat history without a valid account token.

On the social site Hacker News, comments such as 'First of all, I like trying DOOM,' 'Ikko's email replies are like AI,' and 'The fact that they responded honestly to vulnerability reports is something that I can appreciate more than the majority of other companies' have been posted.