web analytics

Chinese DeepSeek AI App: FULL of Security Holes Say Researchers – Source: securityboulevard.com

chinese-deepseek-ai-app:-full-of-security-holes-say-researchers-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: Richi Jennings

The DeepSeek app icon on an iPhone home screeniPhone app sends unencrypted data to China—and Android app appears even  worse.

DeepSeek has yet another privacy palaver. Researchers say its AI apps are horribly insecure. Outdated encryption, hardcoded keys and plain-text chattiness are just three of the problems they found.

And now, Congress wants to ban the app—just like they did to TikTok. In today’s SB  Blogwatch, we ignore previous instructions.

Your humble blog­watcher curated these bloggy bits for your enter­tain­ment. Not to mention:  NNW.

Xi Knows if You’ve Been Bad or Good

What’s the craic? Natalie Andrews reports: Lawmakers Push to Ban DeepSeek App From U.S. Government Devices

DeepSeek didn’t respond
The legislation written by Reps. Darin LaHood, an Illinois Republican, and Josh Gottheimer, a New Jersey Democrat, is echoing a strategy that Congress used to ban … TikTok from government devices. … The two are the top Republican and Democrat respectively on a subcommittee of the House Select Committee on Intelligence.

The chatbot for the Chinese startup is now the most downloaded app in the U.S. … The chatbot app, however, has intentionally hidden code that could send user login information to China Mobile, … according to an analysis by Ivan Tsarynny, [which] pushed LaHood and Gottheimer to develop the legislation.

DeepSeek didn’t respond to a request for comment.

Techstrong Gang Youtube

AWS Hub

For the record, it’s Jonathan Greig: Lawmakers push for DeepSeek ban from federal devices over China concerns

Flood of security reports
Gottheimer compared the situation with DeepSeek to China’s control over TikTok’s algorithm and data, warning that the U.S. “cannot allow it to happen again.” … The congressmen claimed Americans are “sharing highly sensitive, proprietary information” like contracts and financial records with a platform allegedly controlled by the CCP, which they called a “known foreign adversary.”

The bill verbalizes some of the concerns raised by much of the business community since DeepSeek emerged — namely the issue of where data put into the platform is held. … Since it debuted last month, a flood of security reports and warnings have emerged related to the platform.

A flood? You’re not kidding. Our own Nathan Eddy mentions some more: DeepSeek AI Model Riddled With Security Vulnerabilities

Major compliance risks
DeepSeek-R1 is significantly more prone to security failures than leading AI models. … One of the most pressing concerns surrounding DeepSeek-R1 is its data storage location. [It] stores user interactions in China, raising significant regulatory red flags for organizations that must comply with data protection laws such as … GDPR [and] CCPA.

This could create major compliance risks, particularly for businesses operating in jurisdictions with strict cross-border data transfer regulations.

And here’s the latest winceworthy analysis. Here’s Andrew Hoog: Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App

Governed by China
[We] conducted a comprehensive security and privacy assessment of the DeepSeek iOS mobile app, uncovering multiple critical vulnerabilities that put individuals, enterprises, and government agencies at risk. These findings highlight the immediate need for organizations to prohibit the app’s use.

The app transmits sensitive data over the internet without encryption. [It] uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys. … Username, password, and encryption keys are stored insecurely. … User data is transmitted to servers controlled by ByteDance.

The issues listed above may lead to:
— Loss of intellectual property and sensitive data
— Compromised data integrity due to security flaws
— Tracking and surveillance from data collection
— Loss of control over data sent to and governed by China

Triple DES? Are you serious? Apple must share the blame, thinks ziddoap:

Obviously DeepSeek chose it by design, but the question is how it got past the app store reviewers. … Choosing an encryption algorithm that has been known to be insecure for a decade [is] either extreme carelessness or deceptive and malicious intent. Considering that use of the app store is … purportedly to keep users of iPhones secure, one would imagine that they would care.

And why is the data going to ByteDance? SeeUnknown thinks they know:

It is interesting that this DeepSeek app came out around the time that TikTok was supposed to be shutdown in the USA and now we know that DeepSeek is intimately tied to the ByteDance servers. It almost as if this DeepSeek thing was someone’s plan B.

Are you surprised, though? hdyoung isn’t:

Is there a single person on the planet making a Pikachu face about this? … At this point, the entire world knows that the Chinese government has access to pretty much anything.

The same goes for my own country (US), except I trust the US way more. Are they watching me? Definitely. But I’ve never been called to the local police station for “re-education” because my online posts were “disrupting society.”

So, that’s alright then? Fr00tL00ps ain’t got no time for that:

This complacency is the biggest problem of all, particularly for Gen Z and younger. They only know life in the digital world, where Western corporate practices have slowly eroded all manner of privacy: They don’t know any different and could not care less. Who can blame them when your only choice is … US tech giants abusing your data, or the Chinese government.

I applaud the courage and actions of the EU in leading the way in protecting its citizens from … the mass harvesting of private and personal data … by corporations today. Bravo. One can only hope that other jurisdictions take note, but I’m not going to hold my breath.

OK, but what about the government ban? Pascal Monett waxes apoplectic:

What the **** is wrong with the US Government? Government devices should only have government-approved applications. … Or am I supposed to infer that every government employee has admin access to his PC/phone and can install whatever they want?

Either government employees only have the stuff IT lets them, or it’s a free-for-all and DeepSeek is just another layer of insecurity on top of FaceBook, TikTok and a raft of other things that having absolutely nothing to do on a work computer/phone. So, which is it?

Meanwhile, should we switch to Android? mbac32768 did a static analysis of the DeepSeek Android app:

It does aggressive device fingerprinting, root detection, has anti-tampering mechanisms, bundles native code and has dynamic code loading and execution facilities. … None of which should be necessary for an app like this.

And Finally:

This is some amazing attention to detail

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weird­est web­sites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past per­formance is no guar­antee of future results. Do not stare into laser with re­maining eye. E&OE. 30.

Image sauce: Saradasish Pradhan (via Unsplash; leveled and cropped)

Recent Articles By Author

Original Post URL: https://securityboulevard.com/2025/02/deepseek-ai-app-security-privacy-richixbw/

Category & Tags: Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,DevOps,Endpoint,Governance, Risk & Compliance,Humor,Industry Spotlight,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Security Awareness,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threats & Breaches,Vulnerabilities,AI,AI (Artificial Intelligence),AI privacy,application-level encryption,Artificial Intelligence,Artificial Intelligence (AI),Artificial Intelligence (AI)/Machine Learning (ML),Artificial Intelligence Cybersecurity,Artificial Intelligence News,artificial intellignece,Artificial Stupidity,artificialintelligence,breach of privacy,Bytedance,California Consumer Privacy Act,California Consumer Privacy Act (CCPA),china,china espionage,China Mobile,China-nexus cyber espionage,Chinese,Chinese Communists,chinese government,Chinese Internet Security,Chinese keyboard app security,Congress,congressional legislation,cybersecurity artificial intelligence,Darin LaHood,Data encryption,Data encryption standards,Data Stolen By China,DeepSeek,DeepSeek AI,encryption,Josh Gottheimer,Large Language Models (LLM),Large language models (LLMs),LLM,llm security,No DeepSeek on Government Devices Act,Peoples Republic of China,Privacy,SB Blogwatch,TikTok,TikTok Ban,Unencrypted Data,US Congress – Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,DevOps,Endpoint,Governance, Risk & Compliance,Humor,Industry Spotlight,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Security Awareness,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threats & Breaches,Vulnerabilities,AI,AI (Artificial Intelligence),AI privacy,application-level encryption,Artificial Intelligence,Artificial Intelligence (AI),Artificial Intelligence (AI)/Machine Learning (ML),Artificial Intelligence Cybersecurity,Artificial Intelligence News,artificial intellignece,Artificial Stupidity,artificialintelligence,breach of privacy,Bytedance,California Consumer Privacy Act,California Consumer Privacy Act (CCPA),china,china espionage,China Mobile,China-nexus cyber espionage,Chinese,Chinese Communists,chinese government,Chinese Internet Security,Chinese keyboard app security,Congress,congressional legislation,cybersecurity artificial intelligence,Darin LaHood,Data encryption,Data encryption standards,Data Stolen By China,DeepSeek,DeepSeek AI,encryption,Josh Gottheimer,Large Language Models (LLM),Large language models (LLMs),LLM,llm security,No DeepSeek on Government Devices Act,Peoples Republic of China,Privacy,SB Blogwatch,TikTok,TikTok Ban,Unencrypted Data,US Congress

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos