DeepSeek, which has emerged very quickly in the small world of AI thanks to its cheap and powerful models, is not without reproach. NowSecure has produced an alarming study on the security of the iOS application, with implications for the confidentiality of user data.
A threat to security and confidentiality of data
It turns out that the app transmits certain sensitive data without encryption, exposing users to potentially devastating attacks. DeepSeek disables Apple's ATS (App Transport Security) protection, which by default requires secure HTTPS connections. An attacker who can monitor network traffic can therefore intercept this data.
Taken in isolation, each piece of data collected by DeepSeek does not do much harm. But the aggregation of this information potentially allows users to be tracked and identified. A hacker would also be able to modify data in transit (man-in-the-middle attacks) and compromise the integrity and confidentiality of an exchange.
And in cases where the application does use encryption to transmit data (for user identifiers, certain communications with the server, etc.), the method used is weak. The 3DES algorithm has been considered insecure for years.
In addition, the encryption keys are hard-coded in the application's source code, which exposes them to malicious exploitation by a hacker who has recovered them (this is possible without having physical access to the device). An encryption key is supposed to remain secret, but in DeepSeek, it is written in the application's code.
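The two weaknesses just described, a legacy cipher and a key embedded in the code, are both visible in source or decompiled output, which is why a static check belongs in a mobile app review. The Python scanner below is an added example written for this article, not code from NowSecure or from the DeepSeek app: it flags selection of DES or 3DES through Apple's CommonCrypto constants (kCCAlgorithm3DES, kCCAlgorithmDES) and string literals assigned to identifiers that look like keys. The Objective-C fragment it scans is a constructed sample, not DeepSeek's code; the identifier kSharedKey and the key value in it are invented.

```python
"""Flag legacy DES/3DES use and hard-coded key literals in app source.

Added example, not from the NowSecure study or the DeepSeek app.
SAMPLE_SOURCE is a constructed Objective-C fragment; kSharedKey and its
value are invented for the demonstration.
"""
import re
from typing import List, Tuple

# Constructed sample: selects 3DES via CommonCrypto and embeds the key as a
# string literal, the pattern the article describes.
SAMPLE_SOURCE = """\
static const char *kSharedKey = "0123456789abcdef01234567";  /* 24-byte 3DES key */
CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithm3DES, kCCOptionPKCS7Padding,
                             kSharedKey, kCCKeySize3DES, NULL,
                             plain, plainLen, out, outCap, &outLen);
"""

# CommonCrypto algorithm selectors for single DES and triple DES.
LEGACY_CIPHER = re.compile(r"\bkCCAlgorithm(3DES|DES)\b")

# An identifier containing key/secret/password assigned a string literal of
# at least 8 characters (a DES key is 8 bytes, a 3DES key 24). The optional
# "@" covers Objective-C NSString literals such as @"...".
HARDCODED_KEY = re.compile(r'(?i)\b\w*(?:key|secret|password)\w*\s*=\s*@?"([^"]{8,})"')


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for each suspicious line."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cipher = LEGACY_CIPHER.search(line)
        if cipher:
            findings.append((lineno, f"legacy cipher {cipher.group(0)} selected"))
        key = HARDCODED_KEY.search(line)
        if key:
            findings.append((lineno, f"hard-coded key literal ({len(key.group(1))} chars)"))
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

The fix on the app side is not a better place to hide the literal: a key that ships in the binary is public by definition. The key has to be generated on the device (or negotiated with the server) and kept in the iOS Keychain, and the cipher replaced with a modern authenticated one such as AES-GCM, which CommonCrypto's successor frameworks provide.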
The study also reveals that the application transmits data to servers located in China and controlled by... Bytedance, the creator of TikTok. The data is therefore stored under a jurisdiction that has little regard for confidentiality and gives enormous surveillance power to Beijing, the same concern that has earned TikTok a possible ban in the United States.
Benoit Grunemwald, cybersecurity expert at ESET France, had confirmed this to 01net: "DeepSeek's confidentiality policy reveals that user data is stored on servers in China". This data can "include conversation history, downloaded files and other sensitive information".
It is therefore better to avoid DeepSeek like the plague to avoid problems! The bot is also the subject of several investigations, such as in Italy. Australia has banned the use of DeepSeek in its administration. And in the United States, a bill provides for up to 20 years in prison (!) for users of the Chinese service.
Source: NowSecure