Cybersecurity Professionals Issue Alerts Over DeepSeek Weaknesses Amidst International Authorities Prohibiting the App

Unencrypted data transmission by DeepSeek's mobile application was uncovered in a study conducted by NowSecure.

A cybersecurity firm, NowSecure, has warned businesses and organizations against using the popular AI app from DeepSeek, citing numerous security vulnerabilities that could put users' data at risk. The DeepSeek app, which made headlines by reaching the top of the Apple App Store in January, transmits user data unencrypted over the internet and stores usernames, passwords, and other credentials insecurely, according to NowSecure's analysis.

The vulnerabilities discovered by NowSecure do not affect DeepSeek's AI models, which can be run locally or through a separate hosting platform. These issues primarily affect the mobile app through which many users interact with DeepSeek's models.

NowSecure's analysis revealed that the iPhone version of the app disables a crucial security feature called App Transport Security (ATS), leaving sensitive data vulnerable to man-in-the-middle attacks. The app also caches sensitive information, including usernames and passwords, in an unencrypted file on the device.

Furthermore, the app uses an outdated and insecure encryption algorithm, Triple DES (3DES), and reuses initialization vectors (IVs), making the encrypted data easily decryptable by attackers. The app collects extensive user and device data, potentially allowing for de-anonymization and tracking.

Governments in several countries, including the United States and South Korea, have already banned their employees from using the DeepSeek app due to these security vulnerabilities. New York Governor Kathy Hochul has also announced a state-wide ban on using DeepSeek's models.

In the realm of cybersecurity, mobile apps pose a significant risk due to their frequent updates and largely unprotected nature. NowSecure's findings underscore the importance of rigorous security measures, especially for high-profile apps that handle sensitive user data.

The tech industry should take note of the security vulnerabilities in DeepSeek's AI app and prioritize strengthening security measures in future technological developments. Although DeepSeek's AI models can be hosted securely, either locally or on a separate platform, the mobile app's outdated encryption, lack of ATS, and caching of sensitive data pose significant security risks.
