Experts Flag Security, Privacy Risks in DeepSeek AI App – Krebs on Security
February 7, 2025


New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on January 25, 2025. But experts warn that many of DeepSeek's design choices, such as the use of hard-coded encryption keys and the sending of unencrypted user and device data to Chinese companies, present a number of glaring security and privacy risks.

Public interest in the DeepSeek AI chat apps surged after widespread media reports that the Chinese AI company had managed to match the capabilities of cutting-edge chatbots using a fraction of the specialized computer chips that the leading AI companies rely on. At the time of writing, DeepSeek is the third most downloaded "free" app in the Apple App Store and the No. 1 app in Google Play.

DeepSeek's rapid rise has drawn the attention of the mobile security firm NowSecure, a Chicago-based company that helps customers vet mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.

NowSecure founder Andrew Hoog said they had not yet completed an in-depth analysis of the DeepSeek app for Android devices, but that there was no reason to believe its basic design would be functionally much different.

Hoog told KrebsOnSecurity there were several qualities of the DeepSeek iOS app that suggest deep-rooted security and privacy risks. To begin with, he said, the app collects a great deal of data about the user's device.

"They are doing some very interesting things that are on the edge of advanced device fingerprinting," Hoog said, noting that one property the app monitors is the device name, which for many iOS devices defaults to the customer's name followed by the type of iOS device.

Device information, combined with user data and data collected by mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warns. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although it is unclear whether the app is simply using ByteDance's digital transformation cloud services or whether the declared data is being shared more broadly between the two companies.

Image: NowSecure.

Perhaps more importantly, NowSecure said the iOS app transmits device information "in the clear," without any encryption encapsulating the data. This means the data handled by the app can be intercepted, read, and even modified by anyone with access to any of the networks that carry the app's traffic.

"The DeepSeek iOS app globally disables App Transport Security (ATS), which is an iOS platform protection that prevents sensitive data from being sent over unencrypted channels," the report said. "Since this protection is disabled, the app can (and does) send unencrypted data over the internet."
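To make the ATS finding concrete, here is an added example (not code from the NowSecure report, and not DeepSeek's Info.plist): two constructed Info.plist fragments, one with the app-wide `NSAllowsArbitraryLoads` switch the report describes and one that keeps ATS on and scopes its only exception to a single placeholder host, plus a small Go routine that parses a plist and reports where cleartext transport is permitted. The app name and host are placeholders; the key names are Apple's documented ATS keys.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// WeakPlist is a constructed Info.plist fragment (not DeepSeek's) with ATS disabled
// for every host: NSAllowsArbitraryLoads lets the app talk plain HTTP anywhere.
const WeakPlist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleApp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>`

// HardenedPlist keeps ATS on and scopes the only exception to one placeholder host;
// even that exception still forbids plaintext HTTP and pins a minimum TLS version.
const HardenedPlist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleApp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>`

// plistNode is a generic XML node; a plist <dict> is a sequence of alternating
// <key> and value children, which dictToMap turns into a lookup table.
type plistNode struct {
	XMLName  xml.Name
	Text     string      `xml:",chardata"`
	Children []plistNode `xml:",any"`
}

func dictToMap(d plistNode) map[string]plistNode {
	m := map[string]plistNode{}
	for i := 0; i+1 < len(d.Children); i += 2 {
		if d.Children[i].XMLName.Local == "key" {
			m[strings.TrimSpace(d.Children[i].Text)] = d.Children[i+1]
		}
	}
	return m
}

// isTrue reports whether a plist value is the <true/> element (a missing key is false).
func isTrue(n plistNode) bool { return n.XMLName.Local == "true" }

// ATSFinding summarizes the transport-security posture declared in the plist.
type ATSFinding struct {
	ArbitraryLoads bool     // NSAllowsArbitraryLoads is true: ATS off app-wide
	InsecureHosts  []string // exception domains that explicitly permit plain HTTP
}

// AuditATS parses an Info.plist and reports where cleartext transport is allowed.
func AuditATS(plistXML string) (ATSFinding, error) {
	var root plistNode
	if err := xml.Unmarshal([]byte(plistXML), &root); err != nil {
		return ATSFinding{}, err
	}
	if len(root.Children) == 0 || root.Children[0].XMLName.Local != "dict" {
		return ATSFinding{}, fmt.Errorf("plist has no top-level dict")
	}
	var f ATSFinding
	ats, ok := dictToMap(root.Children[0])["NSAppTransportSecurity"]
	if !ok {
		return f, nil // no ATS dictionary at all: platform default, ATS enforced
	}
	atsDict := dictToMap(ats)
	f.ArbitraryLoads = isTrue(atsDict["NSAllowsArbitraryLoads"])
	if ex, ok := atsDict["NSExceptionDomains"]; ok {
		for host, cfg := range dictToMap(ex) {
			if isTrue(dictToMap(cfg)["NSExceptionAllowsInsecureHTTPLoads"]) {
				f.InsecureHosts = append(f.InsecureHosts, host)
			}
		}
	}
	sort.Strings(f.InsecureHosts)
	return f, nil
}

func main() {
	for name, p := range map[string]string{"weak": WeakPlist, "hardened": HardenedPlist} {
		f, err := AuditATS(p)
		fmt.Printf("%-8s arbitrary loads=%v insecure hosts=%v err=%v\n", name, f.ArbitraryLoads, f.InsecureHosts, err)
	}
}
```

A practitioner checking a real IPA would run the same audit on `Payload/<App>.app/Info.plist` after converting it from binary plist form (for example with `plutil -convert xml1`), and would treat `NSAllowsArbitraryLoads` set to true, or any exception domain with `NSExceptionAllowsInsecureHTTPLoads` true, as a finding to raise with the vendor.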

Hoog said the app selectively encrypts portions of the responses coming from DeepSeek's servers. But they also found that it uses an insecure and now-obsolete encryption algorithm called 3DES (aka Triple DES), and that the developers hard-coded the encryption key. This means the cryptographic key needed to decrypt those data fields can be extracted from the app itself.
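The following Go program is an added illustration of why a hard-coded key gives no confidentiality against anyone who holds the app; it is not code from the report or from the DeepSeek app, and the key, the "binary image", the device-info record and the message framing (IV prepended, PKCS#7 padding, 3DES in CBC mode) are all constructed or assumed for the example. The key-carving step relies on one further assumption, that the key bytes were stored with the DES parity bit set in each byte, which is a common heuristic for locating DES-family keys in firmware and app binaries but is not something the report states about DeepSeek's key.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/json"
	"fmt"
	"math/bits"
)

// hardcodedKey stands in for the 3DES key an app ships inside its own binary.
// It is constructed for this example (it is NOT DeepSeek's key) and stored, as DES
// keys conventionally are, with odd parity in every byte.
var hardcodedKey = withOddParity([]byte("sample-3des-key-24bytes!"))

// demoIV and demoPayload are constructed inputs: a fixed IV and a device-info
// record of the kind the report says the app encrypts selectively.
var (
	demoIV      = []byte{1, 2, 3, 4, 5, 6, 7, 8}
	demoPayload = `{"deviceName":"Alice's iPhone","model":"iPhone","os":"iOS 18"}`
)

func oddParity(b byte) bool { return bits.OnesCount8(b)%2 == 1 }

// withOddParity forces the DES parity bit (low bit) of every key byte.
func withOddParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		out[i] = b &^ 1
		if !oddParity(out[i]) {
			out[i] |= 1
		}
	}
	return out
}

func pkcs7Pad(b []byte) []byte {
	p := 8 - len(b)%8
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, bool) {
	n := len(b)
	if n == 0 || b[n-1] < 1 || b[n-1] > 8 {
		return nil, false
	}
	p := int(b[n-1])
	if !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, false
	}
	return b[:n-p], true
}

// appEncrypt mimics the app side: 3DES-CBC with the embedded key, IV prepended.
func appEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	ct := pkcs7Pad(plaintext)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	return append(append([]byte{}, iv...), ct...), nil
}

// tryDecrypt tests a candidate key against a captured message; wrong keys are
// rejected by the padding check (and, in RecoverPlaintext, by a JSON check).
func tryDecrypt(key, msg []byte) ([]byte, bool) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(msg) < 16 || len(msg)%8 != 0 {
		return nil, false
	}
	pt := make([]byte, len(msg)-8)
	cipher.NewCBCDecrypter(block, msg[:8]).CryptBlocks(pt, msg[8:])
	return pkcs7Unpad(pt)
}

// candidateKeys carves every 24-byte window whose bytes all carry odd parity,
// the usual heuristic for spotting DES-family key material in a binary.
func candidateKeys(image []byte) (out [][]byte) {
	run := 0 // length of the current run of odd-parity bytes
	for i, b := range image {
		if !oddParity(b) {
			run = 0
			continue
		}
		if run++; run >= 24 {
			out = append(out, image[i-23:i+1])
		}
	}
	return out
}

// RecoverPlaintext is the observer's view: with the app binary and one captured
// message, find the embedded key and read the "encrypted" field.
func RecoverPlaintext(image, captured []byte) (key, plaintext []byte, ok bool) {
	for _, k := range candidateKeys(image) {
		if pt, good := tryDecrypt(k, captured); good && json.Valid(pt) {
			return k, pt, true
		}
	}
	return nil, nil, false
}

// DemoBinaryImage is a constructed stand-in for bytes carved from an app binary:
// a few strings of the kind found in a Mach-O, with the key embedded among them.
func DemoBinaryImage() []byte {
	img := []byte("__TEXT\x00UIDevice.name\x00encryptKey\x00")
	img = append(img, hardcodedKey...)
	return append(img, "\x00POST /api/device\x00"...)
}

func main() {
	captured, _ := appEncrypt(hardcodedKey, demoIV, []byte(demoPayload))
	key, pt, ok := RecoverPlaintext(DemoBinaryImage(), captured)
	fmt.Printf("found=%v key=%x plaintext=%s\n", ok, key, pt)
}
```

The order of the two problems matters: 3DES is obsolete on its own merits (a 64-bit block and a 112-bit effective key), but swapping it for AES would change nothing here, because any key that ships inside the app can be carved out exactly as above. Field-level encryption only helps when the key is negotiated per session or derived from something the client does not hold, and it is never a substitute for TLS on the transport.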

Other, less alarming security and privacy issues were identified in the report, but Hoog said he was confident that additional, as-yet-unseen security problems lurk in the app's code.

"When we see people making really simplistic coding mistakes, as you dig deeper there are usually many more problems," Hoog said. "There is virtually no priority around security or privacy. Whether it's a cultural thing, or mandated by China, or a choice, taken together they point to significant lapses in security and privacy controls, and that puts companies at risk."

Apparently, many others share that view. Axios reported on January 30 that U.S. congressional offices are being warned not to use the app.

"[T]hreat actors are already exploiting DeepSeek to deliver malware and infect devices," read the notice from the Chief Administrative Officer of the House of Representatives. "To mitigate these risks, the House has taken security measures to restrict DeepSeek's functionality on all House-issued devices."

TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that the Pentagon has blocked access to DeepSeek. CNBC says NASA has also barred employees from using the service, as has the U.S. Navy.

Beyond the security problems with the DeepSeek iOS app, there are signs the Chinese company may be playing fast and loose with the data it collects from and about users. On January 29, researchers at Wiz said they had discovered a publicly accessible database linked to DeepSeek that exposed "a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details."

"More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world," Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.]

KrebsOnSecurity sought comment on the report from DeepSeek and Apple. This story will be updated with any substantive responses.
