Lately, there has been a lot of buzz about DeepSeek, and its popularity has even put a dent in the presumed leaders of the industry. But a recent look into the security of DeepSeek by NowSecure revealed some interesting shortcomings in the product. The firm assessed the DeepSeek app on iOS and discovered a shocking flaw: DeepSeek transmits sensitive data over the internet without any encryption, leaving it vulnerable to interception and manipulation attacks.
The security assessment highlighted gaps in how the app keeps user data secure. The app does not enforce encryption on user data, and where encryption is applied, it relies on an insecure symmetric encryption algorithm (3DES), a hard-coded encryption key, and reused initialization vectors. The assessment shows that the product fails to adhere to security best practices and that it collects extensive user and device data.
The audit of DeepSeek observed that the data is transmitted to servers managed by Volcano Engine, a cloud computing and storage platform owned by ByteDance, the same Chinese company that operates TikTok. NowSecure highlighted another issue: the DeepSeek iOS app globally disables App Transport Security (ATS), an iOS security protection that prevents transmission of unencrypted sensitive data.
Though there is a lot of buzz about the future of DeepSeek, as of now several countries, including Australia, Italy, the Netherlands, Taiwan, and South Korea, and government agencies in India and the United States, including NASA, the Congress, Pentagon, Navy, and Texas, have initiated bans on DeepSeek on government devices. At the same time, users are advised to exercise caution when trying DeepSeek, as malicious actors are also looking to cash in on this frenzy to trap users, deliver malware, and execute scams.