DeepSeek Exposes Sensitive Data
An audit of DeepSeek's mobile app for Apple's iOS operating system has found serious security issues, the most important being that it sends sensitive data over the Internet without any encryption, exposing it to interception and manipulation.
The research, carried out by NowSecure, also found that the app fails to adhere to security best practices and that it collects extensive user and device data. "The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," the company has said.
"This exposes any data in the Internet traffic to both passive and active attacks," the report observes.
NowSecure researchers also found several implementation weaknesses when it comes to applying encryption on user data. This includes the use of an insecure symmetric encryption algorithm (3DES), a hard-coded encryption key, and the reuse of initialisation vectors. What's more, the data is sent to servers that are managed by a cloud compute and storage platform named Volcano Engine, which is owned by ByteDance, the Chinese company that also operates TikTok.
"The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels," NowSecure said. "Since this protection is disabled, the app can (and does) send unencrypted data over the internet."
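The ATS weakness described above is a single Info.plist setting. The following is an added example, not code from NowSecure or DeepSeek: a small Python audit using the standard-library plistlib, run over two constructed plists (one with ATS globally disabled, one that keeps TLS and only grants a named host a narrow exception). The bundle identifier and host names are assumptions.

```python
import plistlib

# Constructed sample, not the real DeepSeek Info.plist: the weak configuration
# the NowSecure report describes, with ATS disabled for every host.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Corrected configuration (also constructed): ATS stays on; one named host
# gets a narrow exception that still requires TLS 1.2, so no cleartext is allowed.
FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy-api.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Top-level ATS keys that permit cleartext HTTP when set to true.
CLEARTEXT_FLAGS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsArbitraryLoadsForMedia")

def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return findings that weaken App Transport Security in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for flag in CLEARTEXT_FLAGS:
        if ats.get(flag):
            findings.append(f"{flag}=true: cleartext HTTP permitted")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") or \
                rules.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: cleartext HTTP explicitly allowed")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS lowered to {rules['NSExceptionMinimumTLSVersion']}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy requirement removed")
    return findings

if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("fixed", FIXED_PLIST)):
        print(name, audit_ats(data) or ["no ATS weakening found"])
```

On a real app, extract Info.plist from the unzipped IPA (it may be binary plist; plistlib reads both formats) and pass its bytes to audit_ats.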
The findings add to an increasing list of concerns that have been raised around the DeepSeek AI chatbot service since it jumped to the top of the app store charts on both Android and iOS in several national markets.
- The leading cyber security company, Check Point, has observed instances of threat actors leveraging AI engines from DeepSeek, alongside Alibaba Qwen and OpenAI ChatGPT, to develop information stealers, generate uncensored or unrestricted content, and optimise scripts for mass spam distribution.
"As threat actors utilise advanced techniques like jailbreaking to bypass protective measures and develop info stealers, financial theft, and spam distribution, the urgency for organisations to implement proactive defenses against these evolving threats ensures robust defenses against potential misuse of AI technologies," Check Point said.
- The Associated Press has published a report that DeepSeek's website is configured to send user login information to China Mobile, a state-owned telecommunications company that has been banned from operating in the United States.
The app's Chinese ownership, as with TikTok, has prompted US lawmakers to call for a ban on DeepSeek from government devices over the risk that it could provide user information to the Chinese government.
DeepSeek's popularity has also made it a target for attacks, and Chinese cyber security firm XLab has reported that DeepSeek has been subjected to sustained distributed denial-of-service (DDoS) attacks launched from a Mirai-based botnet.
Given these substantial vulnerabilities, it seems likely that cyber criminals will take advantage of DeepSeek's popularity to set up lookalike pages that propagate malware, fake investment scams, and fraudulent crypto schemes.
NowSecure | Check Point | Hacker News | Wikipedia | Volcano Engine | AP News | Global Times
Image: Ideogram