Source URL: https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/
Source: Krebs on Security
Title: Experts Flag Security, Privacy Risks in DeepSeek AI App
Feedly Summary: New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.
AI Summary and Description: Yes
Summary: The text discusses significant security and privacy concerns with the DeepSeek AI mobile apps, centred on weak cryptography (hard-coded keys, a legacy cipher) and on how user and device data is transmitted and shared. Security researchers warn that the apps can expose sensitive user and device data; the findings have prompted warnings or bans from several U.S. government and military bodies and drawn scrutiny from security firms.
Detailed Description:
The emergence of DeepSeek’s mobile apps has raised alarms among security and privacy professionals because of a number of design and implementation weaknesses:
– **Security Weaknesses**:
  – The app uses hard-coded encryption keys. A key compiled into the app can be recovered by anyone who extracts it from the binary, and because every installation shares the same key, a single extraction lets an attacker decrypt whatever the app protects with it for all users.
  – User and device data is sent over unencrypted connections, so anyone on the network path (a hostile Wi-Fi operator, an upstream provider) can read or tamper with it.
  – The iOS app disables App Transport Security (ATS), the platform control that requires app network connections to use HTTPS (TLS) by default. With ATS switched off, the app may talk to any host over cleartext HTTP.
– **Data Privacy Risks**:
  – DeepSeek collects extensive data about users’ devices, which could be used to deanonymize users when correlated with other data sets.
  – Some of this information is sent to third-party platforms, including Volcengine, a cloud platform operated by ByteDance, raising concerns about data sharing without meaningful user consent.
– **Poor Coding Practices**:
  – The app encrypts data with 3DES (Triple DES), a legacy 64-bit-block cipher that NIST has deprecated, rather than a modern cipher such as AES, indicating little attention to current cryptographic practice.
  – Basic mistakes of this kind suggest the app has not had a thorough security review, so further undiscovered issues are likely.
– **Organizational Responses**:
  – Organizations including the U.S. Congress, the Pentagon and NASA have issued warnings about, or outright bans on, use of the app because of these risks.
  – Reports suggest that malicious actors are already using DeepSeek as a lure or vector to deliver malware.
– **Public Data Exposure**:
  – A database linked to DeepSeek was found publicly reachable on the internet with no authentication in front of it, exposing chat histories and backend operational details.
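The first three groups of findings above (ATS disabled, cleartext endpoints, a legacy cipher with a hard-coded key) are all things a reviewer can check statically once an app bundle has been extracted. The script below is an added example written for this page, not code from the Krebs article or from DeepSeek or any of the researchers it cites. It parses an iOS Info.plist for every ATS-weakening key, and scans a `strings`-style dump of the app binary for cleartext `http://` URLs, legacy cipher identifiers and 24-byte (3DES key-sized) string literals. The plist and the strings dump are constructed samples; the host names, bundle identifier and the heuristic for key literals are assumptions for illustration and will produce false positives on real binaries.

```python
"""Static triage of an extracted iOS app bundle for ATS opt-outs, cleartext
endpoints, legacy ciphers and hard-coded key-sized literals.  Stdlib only.
Added example for this page; sample inputs below are constructed, not real.
"""
import plistlib
import re

# Constructed Info.plist (hypothetical bundle id): ATS is switched off
# app-wide, and one telemetry host additionally opts out of HTTPS and
# accepts TLS 1.0.  These are real ATS keys; the values are the weak ones.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>telemetry.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed excerpt of `strings` output over a decrypted binary (hypothetical).
SAMPLE_STRINGS = b"""
https://api.example.com/v1/chat
http://telemetry.example.net/collect
CCCrypt
kCCAlgorithm3DES
"0123456789abcdefghijklmn"
"""

# CommonCrypto / Java / generic names for ciphers no new app should use.
WEAK_CIPHER_TOKENS = ("kCCAlgorithm3DES", "kCCAlgorithmDES", "3DES",
                      "DESede", "TripleDES", "RC4")
CLEARTEXT_URL = re.compile(rb'http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>]*)?')
# Heuristic: a quoted 24-char printable literal (a 3DES key typed as ASCII)
# or 48 hex digits (24 bytes hex-encoded).  Expect false positives.
KEY_LITERAL = re.compile(rb'"([A-Za-z0-9+/=]{24}|[0-9a-fA-F]{48})"')


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return one finding per ATS-weakening setting in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled app-wide, "
                        "cleartext HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled "
                        "for web view content")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true, "
                            "cleartext HTTP allowed")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion={tls}, "
                            "legacy TLS accepted")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


def scan_strings(blob: bytes) -> dict[str, list[str]]:
    """Flag cleartext endpoints, legacy cipher names and key-sized literals."""
    urls = sorted({m.decode("ascii", "replace") for m in CLEARTEXT_URL.findall(blob)})
    ciphers = sorted(t for t in WEAK_CIPHER_TOKENS if t.encode() in blob)
    keys = sorted({m.decode("ascii", "replace") for m in KEY_LITERAL.findall(blob)})
    return {"cleartext_urls": urls, "weak_ciphers": ciphers, "key_literals": keys}


def triage(plist_bytes: bytes, strings_blob: bytes) -> dict:
    """Combine both checks; any transport or cipher finding is rated high."""
    report = {"ats": ats_findings(plist_bytes)}
    report.update(scan_strings(strings_blob))
    serious = report["ats"] or report["cleartext_urls"] or report["weak_ciphers"]
    report["risk"] = "high" if serious else "low"
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_INFO_PLIST, SAMPLE_STRINGS).items():
        print(f"[{section}]", items if isinstance(items, str) else "")
        if isinstance(items, list):
            for item in items:
                print("  -", item)
```

On a real review, feed `ats_findings` the `Info.plist` from the unpacked `.ipa` (it is binary plist format there, which `plistlib.loads` also handles) and `scan_strings` the output of `strings` on the decrypted main executable. A key literal hit next to a `kCCAlgorithm3DES` reference is the pattern the article describes; confirming it means locating the key in the disassembly and decrypting a captured message with it, which this script deliberately does not attempt.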
Overall, security and compliance teams should treat the DeepSeek apps as a known risk on managed devices and take proactive measures (blocking, monitoring or mobile device management policy) against apps with this profile. The case is also a reminder that new consumer AI apps, especially those from vendors operating under different data-protection regimes, deserve a rigorous review of their transport security, cryptography and data flows before they reach corporate devices.