Exploiting the "AI-powered" IKKO Activebuds earbuds: running DOOM and stealing their OpenAI API key and customer data.

  • Purchase and Unboxing: The author saw the earbuds in a Mrwhosetheboss video and bought them for 245 euros. The box had a USB-C cable on the outside and a smaller one inside. There was a suspicion about the use of the OpenAI logo.
  • Device Features: The device boots to a screen with ChatGPT and has other AI features like translations. There are apps in the IKKO store including Spotify and Subway Surfers. The audio quality is poor with default EQ profiles but can be improved.
  • Hacking Attempts: There is no direct browser to download apps. Tapping the build number 7 times does not enable developer mode, but ADB is enabled when the device is plugged into a PC. After sideloading DOOM, the author inspected the ChatGPT integration. It communicates directly with OpenAI and has an encrypted file with endpoints and keys. The device also has different modes and logs chats. The store app seems to be ripped from apkpure.com.
  • Companion App: There is a companion app to interface with ChatGPT and see previous chats. It queries an API with the account token and device ID. The author found that the API has no authentication other than the device ID and can expose sensitive information like chat history and usernames.
  • Security Response: The author sent an email to IKKObuds. After that, they locked down the app and put it in maintenance. They also wanted to be a sponsor. The API now requires a "signature" header for getting chat history. The device update broke ChatGPT functionality on other devices and the keys remain on the device.
  • Update (13-01-2025): The device was rooted with help. They now check the device's IMEI before using ChatGPT integration and use a proxy API without authentication. The old ChatGPT API key has been rotated.
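
Added example, not code from the original write-up or from IKKO: the device-ID-only lookup described under Companion App next to a handler that binds each device to the authenticated account and counts denied lookups. All tokens, device IDs, chat lines, function names and the lockout threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data; no ID, token or chat line below comes from the page.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}        # account token -> account
DEVICE_OWNER = {"DEV-0001": "alice", "DEV-0002": "bob"}    # device ID -> bound account
CHATS = {"DEV-0001": ["translate 'hello' to French"], "DEV-0002": ["weather tomorrow?"]}
MAX_DENIALS = 3          # assumed threshold before an account's lookups are refused
denials = Counter()      # account -> denied device lookups (enumeration signal)


class Forbidden(Exception):
    """Raised for every refused request, whatever the reason."""


def history_device_id_only(device_id):
    """Weak pattern: whoever supplies a device ID gets that device's chats."""
    return CHATS.get(device_id, [])


def history_bound(token, device_id):
    """Hardened: authenticate the token, then authorize the device against it."""
    account = SESSIONS.get(token)
    if account is None:
        raise Forbidden("invalid account token")
    if denials[account] >= MAX_DENIALS:
        raise Forbidden("too many denied device lookups")
    # One error for both "unknown device" and "another account's device", so
    # responses do not reveal which device IDs exist.
    if DEVICE_OWNER.get(device_id) != account:
        denials[account] += 1
        raise Forbidden("device not bound to this account")
    return CHATS.get(device_id, [])
```

The denial counter doubles as a detection signal: an account that repeatedly asks for devices it does not own is worth alerting on as well as refusing.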