
Target Industry

Indiscriminate, opportunistic targeting. This vulnerability affects all users of the DeepSeek iOS app, particularly those concerned with mobile security, privacy, and artificial intelligence applications. 

Overview

A security audit of the DeepSeek iOS app has uncovered significant vulnerabilities, most notably its failure to encrypt sensitive user and device data when transmitting over the internet. This leaves the information susceptible to interception and manipulation by malicious actors.

The security assessment, conducted by NowSecure, identified multiple encryption flaws, including: 

  • Transmission of registration and device data over the internet without encryption. 
  • Use of an outdated and insecure symmetric encryption algorithm (3DES). 
  • Hard-coded encryption keys and the reuse of initialisation vectors. 
  • Global disabling of iOS App Transport Security (ATS), which permits unencrypted data transmission. 

Additionally, the app transmits data to servers operated by Volcano Engine, a cloud service owned by ByteDance, the parent company of TikTok. This has raised privacy concerns due to potential exposure to Chinese data regulations. 

Impact

The lack of encryption significantly increases the risk of: 

  • Data interception: Threat actors can passively capture unencrypted data sent from the app. 
  • Man-in-the-middle (MITM) attacks: Attackers can actively modify intercepted data to inject malicious payloads or manipulate responses. 
  • Data privacy concerns: Users’ personally identifiable information (PII) and device-related metadata could be accessed and potentially misused. 
  • Regulatory scrutiny: The app’s security flaws and its Chinese affiliations have led to discussions about banning its use on government devices in multiple countries. 

Exploitation

There is no confirmed public proof-of-concept (PoC) exploit at this time. However, the unencrypted data transmission presents an opportunistic attack surface for threat actors conducting traffic interception and data theft. 

Threat Landscape

The widespread use of AI chatbot services like DeepSeek has made them attractive targets for threat actors. DeepSeek has been observed being exploited in various ways, including: 

  • Use by cybercriminals to develop information stealers, generate uncensored content, and optimise spam campaigns. 
  • Malicious exploitation via AI-jailbreaking techniques to facilitate the spread of illicit content. 
  • Distributed denial-of-service (DDoS) attacks, with reports indicating sustained attacks from Mirai botnets, including hailBot and RapperBot. 

Additionally, fraudulent websites have emerged, impersonating DeepSeek to distribute malware, investment scams, and cryptocurrency frauds. 

Threat Group Attribution

There is no direct attribution to a specific threat group at this time. However, reports indicate that AI tools, including DeepSeek, have been leveraged by various cybercriminal actors and state-sponsored groups to enhance malicious campaigns. 

Tactics, Techniques, and Procedures (TTPs) 

| Tactic | Technique | Link |
| --- | --- | --- |
| TA0001 – Initial Access | T1071 – Application Layer Protocol (Unencrypted Traffic) | Application Layer Protocol, Technique T1071 – Enterprise \| MITRE ATT&CK® |
| TA0006 – Credential Access | T1557 – Man-in-the-Middle | Adversary-in-the-Middle, Technique T1557 – Enterprise \| MITRE ATT&CK® |
| TA0010 – Exfiltration | T1041 – Exfiltration Over C2 Channel | Exfiltration Over C2 Channel, Technique T1041 – Enterprise \| MITRE ATT&CK® |

Containment, Mitigations & Remediations

  • Users should avoid using DeepSeek until security patches are implemented. 
  • Use a VPN or secure network to reduce the risk of traffic interception. 
  • Monitor network traffic for anomalies associated with unencrypted data transmissions. 
  • Organisations should consider blocking DeepSeek traffic on enterprise networks until security concerns are addressed. 
  • Check for alternative AI chatbot services with more secure data handling policies. 

Further Information

  1. The Hacker News article  
  2. NowSecure blog  
  3. Bleeping Computer news article 
  4. Forbes article 

Further Threat Intelligence from Quorum Cyber
