June 10, 2025

What You Need To Know About DeepSeek Security Issues and Vulnerabilities

What Is DeepSeek?

DeepSeek, a Chinese artificial intelligence (AI) startup, has gained rapid adoption and popularity across enterprises for automation and research. But alongside its capabilities come real security and privacy challenges. From the potential for SQL injection scenarios to concerns about data flows to Chinese state-linked entities, organizations must treat these models as both innovation tools and emerging sources of risk.

What are DeepSeek Security Issues?

What are DeepSeek vulnerabilities?

SecurityScorecard researchers identified concerns about DeepSeek data flowing to Chinese state-owned entities and ByteDance, raising important questions about data sovereignty and national security.

Key DeepSeek Vulnerabilities to Watch

Our researchers identified several issues with DeepSeek, from privacy and encryption issues to concerns with data flows:

  • Critical security flaws
  • Anti-debugging mechanisms that are designed to obstruct security analysis
  • DeepSeek stores data on servers in China, which could mean that the Chinese government can gain access to the data under Chinese law
  • Code analysis shows integration with ByteDance services, raising concerns about data collection and remote control
  • The app requests permissions for internet access, phone state, and location
  • DeepSeek asks for device model, operating system, IP address, and keystroke patterns or rhythms
  • Hardcoded encryption keys
  • Improper file permissions
  • Weak cryptographic algorithms
  • Common weaknesses that can allow for remote code execution
  • Passwords and authentication tokens stored in plaintext, which can increase the risk of account takeover
  • The potential for SQL injection attacks

Looking Forward: Integration Concerns

SecurityScorecard researchers also identified a number of other issues, including how some of these findings may affect compliance with frameworks such as the European Union’s GDPR.

Analysis of network requests and responses identified no known tactics, techniques, or procedures (TTPs) that would indicate malicious behavior. But the above concerns remain.

Take a closer look at SecurityScorecard’s STRIKE Team research on DeepSeek to learn how to assess this risk.

Global National Security and Regulatory Concerns

Governments and regulatory bodies around the world have begun to scrutinize—and in some places ban use of—DeepSeek, given its privacy and security risks. Concerns fall into several buckets, including opaque policies and unauthorized transmission of data.

  • Australia: The Australian government has banned DeepSeek from government systems due to unacceptable security risks with the platform.
  • France: France’s data protection authority has raised alarm over DeepSeek and said it would ask questions of the app.
  • Ireland: The Data Protection Commission reached out to Chinese authorities with questions about storage of personal data on servers in China. The commission requested information on the nature of the personal data collected, the source of data collection, the purposes for collection, the legal reason for processing the data, and how and where it is stored.
  • Italy: The Italian Data Protection Authority (Garante) has flagged concerns about DeepSeek, the types of personal data collected, the sources of data collection, the purposes for collection, and the legal basis for processing. After DeepSeek failed to address concerns about the app, Italy ordered a block on service.
  • South Korea: South Korea has previously banned use of DeepSeek for government employees. South Korea’s data protection authority announced DeepSeek had collected personal data on users and transferred the information overseas without permission, including user-written AI prompts, as well as device, network, and app information.
  • United Kingdom: British officials have said they would examine DeepSeek to ensure that safety measures are in place.
  • United States: U.S. federal agencies have blocked DeepSeek in a number of reported cases. For instance, the U.S. Navy banned use of DeepSeek for personal or work reasons over potential security concerns. DeepSeek has also received congressional scrutiny.

Frequently Asked Questions

What are DeepSeek vulnerabilities?
SecurityScorecard researchers identified concerns about DeepSeek data flowing to Chinese state-owned entities, raising important questions about data sovereignty and national security. SecurityScorecard researchers also identified critical security flaws, hardcoded encryption keys, weak cryptographic algorithms, and the potential for SQL injection attacks.

Is DeepSeek safe to use?
SecurityScorecard analysis of network requests and responses identified no known tactics, techniques, or procedures (TTPs) indicating malicious behavior. But concerns about data flows to China, critical security flaws, and potential for remote code execution remain.

Which countries are taking action against DeepSeek?

Numerous national authorities around the globe are reportedly scrutinizing DeepSeek given security and privacy concerns, including the United States, Australia, Italy, Ireland, and South Korea. Some countries have banned DeepSeek use in government agencies.
