Those looking for an AI tool to facilitate illegal activities might want to turn to DeepSeek. Experts have shown that the chatbot poses various risks, even when it’s not connected to Chinese servers.
Since DeepSeek made waves in the tech world last week, many have been raising the alarm. The warnings vary: some people are concerned about data being handed over to China, while others worry about psychological warfare from Beijing through the AI chatbot. Cisco researchers take a different approach: rather than speculating, they have demonstrated that DeepSeek is highly insecure as it stands.
A 100 percent failure rate
Cisco’s Robust Intelligence unit conducted the research in collaboration with the University of Pennsylvania. When 50 random prompts from the HarmBench dataset were tested against the chatbot, DeepSeek scored a 100 percent attack success rate, meaning not a single malicious prompt was blocked. Everything from phishing emails to misinformation and other harmful content was readily generated.
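To make the methodology concrete, the sketch below shows what a simplified HarmBench-style harness could look like. It is illustrative only: the API key is a placeholder, the deepseek-reasoner model name assumes DeepSeek’s OpenAI-compatible API, and the keyword check is a crude stand-in for the judge model the actual benchmark uses to classify responses.

```python
# Simplified sketch of a HarmBench-style safety evaluation.
# Assumptions: DeepSeek's OpenAI-compatible endpoint, a placeholder API
# key, and a naive refusal heuristic instead of a real judge model.
from openai import OpenAI

client = OpenAI(base_url="https://api.deepseek.com", api_key="YOUR_KEY")

REFUSAL_MARKERS = ("i can't", "i cannot", "i won't", "i'm sorry")

def is_refusal(text: str) -> bool:
    # Crude stand-in for HarmBench's classifier of harmful compliance.
    return text.lower().startswith(REFUSAL_MARKERS)

def attack_success_rate(prompts: list[str]) -> float:
    successes = 0
    for prompt in prompts:
        reply = client.chat.completions.create(
            model="deepseek-reasoner",  # R1 via DeepSeek's API
            messages=[{"role": "user", "content": prompt}],
        )
        if not is_refusal(reply.choices[0].message.content):
            successes += 1  # the model complied with a harmful request
    return successes / len(prompts)

# A rate of 1.0 over the test prompts corresponds to the 100 percent
# the researchers reported.
```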
This starkly contrasts with chatbots from OpenAI, Google, Anthropic, and others, which have robust “guardrails” in place to keep AI output in check. Only Meta’s open-source Llama 3.1 model, with its 405 billion parameters, comes close to DeepSeek-R1’s “perfect” score, at 96 percent. Since DeepSeek-R1 is a refined version of DeepSeek-V3, the researchers suggest that the reinforcement learning, chain-of-thought evaluation, and distillation used in that refinement undermined V3’s safeguards. For those seeking a secure, out-of-the-box AI model with strong reasoning capabilities, the options are limited to OpenAI’s o1 or the new o3-mini.
Still, the researchers acknowledge that DeepSeek-R1 cannot be dismissed outright. The model’s performance is impressive given its low operating cost. Moreover, organizations can run R1 on their own IT infrastructure or purchase it from a Western provider. However, to use it securely, users must implement their own guardrails or choose a vendor that has already done so, as sketched below. IBM, for example, offers only distilled DeepSeek variants, which are essentially Meta’s Llama and Alibaba’s Qwen enhanced with additional reasoning skills.
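What such a do-it-yourself guardrail might look like in its simplest form is sketched here. Everything in it is an assumption for illustration: the endpoint and model name mirror DeepSeek’s OpenAI-compatible API, and the denylist check is a trivial placeholder for a real safety classifier such as Meta’s Llama Guard or a hosted moderation service.

```python
# Minimal sketch of an external guardrail wrapped around DeepSeek-R1.
# The denylist is a placeholder; a production setup would call a
# dedicated safety classifier on both input and output instead.
from openai import OpenAI

client = OpenAI(base_url="https://api.deepseek.com", api_key="YOUR_KEY")

BLOCKLIST = ("phishing", "malware", "bomb")  # illustrative only

def looks_safe(text: str) -> bool:
    # Placeholder for a judge model or moderation API call.
    lowered = text.lower()
    return not any(term in lowered for term in BLOCKLIST)

def guarded_chat(prompt: str) -> str:
    if not looks_safe(prompt):
        return "Request blocked by input guardrail."
    reply = client.chat.completions.create(
        model="deepseek-reasoner",
        messages=[{"role": "user", "content": prompt}],
    ).choices[0].message.content
    if not looks_safe(reply):
        return "Response withheld by output guardrail."
    return reply
```

The point is architectural rather than this particular filter: because R1 ships without effective refusals of its own, the screening has to happen outside the model.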
More security issues
DeepSeek’s problems don’t stop there. Last week, Wiz revealed that it had been able to access an open database, exposing users’ chat history, among other things. Later, researchers at Wallarm discovered that DeepSeek’s system prompt could be extracted. This counts as a jailbreak of DeepSeek’s chatbot, as the prompt is supposed to remain secret. It contains instructions that, for example, prevent DeepSeek from discussing sensitive topics such as China’s view on Taiwan or its treatment of the Uighurs.
DarkReading then fed this system prompt to ChatGPT (running GPT-4o) and asked how it compared with the instructions given to OpenAI’s own chatbot. According to that comparison, OpenAI’s system prompt is less restrictive than DeepSeek’s and allows more creativity when handling potentially malicious content.
This is, without a doubt, an impressive achievement for OpenAI: the company keeps its chatbot in line more effectively than other AI providers while relying on fewer explicit restrictions in its system prompt. At the same time, exactly how OpenAI accomplished this remains unclear, as the company is unwilling to share those details with the public.
Also read: Italy blocks Chinese DeepSeek over privacy concerns