Follow @DigEventHorizon |
A new mobile app called DeepSeek has been found to be sending sensitive data over unencrypted channels, raising concerns about its commitment to data security. Despite Apple's recommendations for implementing App Transport Security (ATS) protocols, the app appears to be disabling this feature globally, leaving users' personal data vulnerable to potential threats.
Recently, a mobile security company named NowSecure conducted an audit on the DeepSeek AI chatbot app, which has been causing quite a stir in the AI world due to its surprisingly robust simulated reasoning capabilities. The app climbed to the top of the iPhone App Store's "Free Apps" category within days of its release and has even surpassed ChatGPT in terms of performance. However, this impressive feat comes with several glaring security concerns that have left experts scratching their heads.
According to NowSecure, the DeepSeek AI chatbot app sends sensitive data over unencrypted channels, making it readable to anyone who can monitor the traffic. This is a clear violation of Apple's recommendations for implementing App Transport Security (ATS) protocols to ensure secure data transmission. For reasons that are yet unknown, ATS appears to be globally disabled in the app, leaving users' personal data exposed to potential threats.
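ATS is controlled by the `NSAppTransportSecurity` dictionary in an app's Info.plist, and "globally disabled" in practice means `NSAllowsArbitraryLoads` set to true. The following is an added example, not code from NowSecure or from the DeepSeek app: a small audit routine that parses an Info.plist and reports the settings that weaken ATS (a global disable, per-host plaintext exceptions, or a sub-1.2 minimum TLS version). The three plist documents it checks are constructed here for illustration and are not taken from any real app bundle.

```python
"""Audit an iOS Info.plist for settings that weaken App Transport Security.

Added example; the plist contents below are constructed samples, not the
configuration of the DeepSeek app or any other real bundle.
"""
import plistlib

# Constructed sample 1: ATS disabled for every host (the "globally disabled" case).
GLOBAL_DISABLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample 2: ATS left on, with one scoped exception for a single legacy host.
SCOPED_EXCEPTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample 3: no ATS dictionary at all, so the platform default (enforced) applies.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
</dict>
</plist>
"""

# Keys that switch ATS off for a whole class of connections rather than one host.
GLOBAL_RELAXATION_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)


def audit_ats(plist_bytes: bytes) -> list:
    """Return a list of human-readable findings; an empty list means ATS is left enforced."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    for key in GLOBAL_RELAXATION_KEYS:
        if ats.get(key):
            findings.append(f"{key}=true: ATS relaxed for all hosts in that category")

    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: plaintext HTTP allowed for this host")
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS version lowered to {min_tls}")

    return findings


if __name__ == "__main__":
    for name, blob in (("global-disable", GLOBAL_DISABLE_PLIST),
                       ("scoped-exception", SCOPED_EXCEPTION_PLIST),
                       ("default", DEFAULT_PLIST)):
        print(name, audit_ats(blob) or ["no ATS weakening found"])
```

The distinction the audit draws is the one that matters for triage: a scoped `NSExceptionDomains` entry names a single host and can be reviewed on its own, whereas `NSAllowsArbitraryLoads` on the top-level dictionary turns off transport security for every request the app makes, which is what a finding of ATS being "globally disabled" refers to. On a real device the same check can be run against the Info.plist extracted from an installed bundle.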
The data sent in the clear is not limited to sensitive information; it also includes basic security-related metadata such as the organization ID, the version of the software development kit used to build the app, the user's OS version, and the language selected in the configuration. Transmitting this data without encryption raises serious concerns about data privacy and security.
Furthermore, the app sends this data unencrypted to servers controlled by ByteDance, a Chinese company that owns TikTok. While some of the data is properly encrypted using Transport Layer Security (TLS), the lack of encryption on other channels leaves users vulnerable to potential attacks. This raises significant questions about the security practices employed by DeepSeek and its intentions for collecting user data.
NowSecure's audit has found several concerning behaviors in the app, including the use of a symmetric encryption scheme known as 3DES or triple DES, which was deprecated by NIST following research that showed it could be broken in practical attacks. This raises concerns about the effectiveness of DeepSeek's encryption methods and its commitment to data security.
Another alarming finding is that the app's symmetric keys are hardcoded into the app and stored on the device. This means that if the app or the device is compromised, an attacker has access to these keys and can decrypt any sensitive information the app transmits under them.
NowSecure co-founder Andrew Hoog stated that "There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company's data and identity at risk." He also noted that organizations should remove DeepSeek from their environment due to privacy and security risks.
Representatives for both DeepSeek and Apple did not respond to an email seeking comment on these findings. However, NowSecure's report has brought attention to the need for greater transparency and accountability in AI development and deployment, particularly when it comes to data security and user protection.