The DeepSeek mobile application for iOS has been found to have significant security vulnerabilities. A recent audit revealed that the app transmits sensitive user and device data over the internet without encryption, making it susceptible to interception and manipulation by malicious actors.

Security Audit Findings

Conducted by NowSecure, the audit highlighted that DeepSeek fails to comply with essential security protocols. The app collects extensive user and device information and transmits it without encryption, exposing it to both passive and active cyber threats.

Encryption Weaknesses

The audit uncovered several flaws in the app's encryption implementation. These include the use of an insecure symmetric encryption algorithm (3DES), a hard-coded encryption key, and the reuse of initialization vectors. Such weaknesses significantly undermine the security of user data.

  • Insecure Algorithm: Utilizes 3DES, which is considered outdated and insecure.
  • Hard-Coded Key: Encryption keys are embedded within the app, making them vulnerable to discovery.
  • Initialization Vector Reuse: Reusing an initialization vector under the same key lets an observer spot repeated plaintext, producing predictable encryption patterns.

Data Transmission Concerns

The data collected by DeepSeek is sent to servers operated by Volcano Engine, a cloud platform owned by ByteDance, the parent company of TikTok. This raises additional privacy concerns due to the app's connection to a Chinese-owned entity.

App Transport Security Disabled

DeepSeek globally disables App Transport Security (ATS), a crucial iOS feature that prevents data from being sent over unencrypted channels. This decision allows the app to transmit unencrypted data, further compromising user privacy.

Broader Implications and Threats

The vulnerabilities in DeepSeek add to the growing concerns surrounding AI chatbot services. Cybersecurity firm Check Point has reported that threat actors are exploiting AI engines from DeepSeek, Alibaba Qwen, and OpenAI ChatGPT to create information stealers and optimize spam scripts.

Threat Actor Techniques

Cybercriminals are using advanced methods such as jailbreaking to bypass security measures and develop tools for financial theft and spam distribution. This highlights the need for organizations to adopt proactive defenses against these evolving threats.

International and Political Reactions

DeepSeek's ties to China have prompted several countries, including the United States, to consider banning the app from government devices. Concerns center around the potential for user data to be shared with Beijing, similar to the controversies surrounding TikTok.

Global Bans

Countries like Australia, Italy, the Netherlands, Taiwan, and South Korea, along with U.S. government agencies such as NASA and the Pentagon, have already restricted the use of DeepSeek on official devices.
