CrowdStrike says DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China. The Chinese AI company previously attracted national security concerns, leading to a ban in many countries. In a statement released earlier this month, Taiwan's National Security Bureau warned citizens to be vigilant when using Chinese-made generative AI (GenAI) models.
"The five GenAI language models are capable of generating network attacking scripts and vulnerability-exploitation code that enable remote code execution under certain circumstances," the NSB said in a statement. The research found that mentions of Falun Gong, Uyghurs, or Tibet lead to significantly less secure code, indicating "significant deviations," CrowdStrike said. Additionally, the company claimed to have found what seems to be a "intrinsic kill switch" built into the DeepSeeks platform.
DeepSeek declined to write code for the Falun Gong, a Chinese-banned religious movement. This comes after OX Security discovered that AI code builder programs like Lovable, Base44, and Bolt automatically produce insecure code. The results also align with a SquareX report that discovered a security flaw in Perplexity's Comet AI browser that permits built-in extensions to run arbitrary local commands on a user's device without authorization.
"This inconsistency highlights a fundamental limitation of AI-powered security scanning," stated Eran Cohen of OX Security. "Because AI models are non-deterministic by nature, they may produce different results for identical inputs," he continued. "When applied to security, this means the same critical vulnerability might be caught one day and missed the next
- making the scanner unreliable," he explained.