DeepSeek’s large language model, R1, has faced increasing scrutiny over its security weaknesses. While the firm maintains that R1 performs well on reasoning tasks, recent security studies have exposed a number of vulnerabilities that seriously call into question how robust models are against such an attack.
Performance versus Security: A Double-Edged Sword
DeepSeek-R1 is designed as a reasoning model, similar to OpenAI’s o1, leveraging reinforcement learning to perform complex tasks. As of January 31, 2025, R1 holds the sixth position on the Chatbot Arena benchmark, outperforming notable models like Meta’s Llama 3.1-405B, OpenAI’s o1, and Anthropic’s Claude 3.5 Sonnet.
While strong performance metrics are important, R1 happens to rank very low in security evaluations. It scored abysmally on the Spikee benchmark-a new AI security benchmark developed by WithSecure-to check the resiliency of AI models against prompt injection attacks.
Spikee Benchmark by WithSecure: An Alarming Review
Launched on January 28, 2025, Spikee bench tests LLMs against data exfiltration, cross-site scripting (XSS), and resource exhaustion threats. Unlike jailbreak tests done so far, Spikee focuses on how good models are in sifting legitimate data from malicious instructions.
According to AI security researcher at WithSecure Consulting, Donato Capitella, the results that came out with DeepSeek-R1 were disturbing. In a test isolated between R1 it ranked 17th among 19 models in ASR by 77%. Even when augmented with pre-defined security rules and data markers, its ASR remained high at 55%, placing it 16th overall.
In contrast, OpenAI’s o1-preview demonstrated significantly stronger security, ranking fourth in isolation (ASR of 27%) and first when supported by security measures, with no successful attacks recorded.
He said that R1’s poor performance in security tasks is because of DeepSeek prioritizing benchmark scores over solid safety training. He warned organizations interested in R1 to carefully evaluate their intended use cases, what data it would have access to, and exposure to security threats.
Security Reports Reveal More Weaknesses
Aside from the Spikee benchmark, more independent security tests have exposed further weaknesses in DeepSeek-R1:
Kela Cyber Report (January 27, 2025): DeepSeek-R1 was highly vulnerable to cyber threats; hence, it was easy to attack. It can easily be jailbroken using methods such as the “Evil Jailbreak,” which manipulates the model to adopt a malicious persona. OpenAI had mitigated this vulnerability in its GPT-4 series, but DeepSeek seems to lack similar safeguards.
Palo Alto Networks Unit 42 Research, January 30, 2025: R1 and its V3 variant were vulnerable to three different jailbreaking methods:
1. Crescendo: A technique that iteratively pushes an LLM to approach sensitive topics using knowledge of its own.
2. Deceptive Delight: It embeds unsafe topics within positive narratives as a means of evading the detection capabilities of the security filters.
3. Bad Likert Judge: It exploits the LLM capability to judge responses on a Likert scale in order to produce harmful outputs.
EnkryptAI Red Teaming (January 2025): Testing across multiple security frameworks (OWASP Top 10 for LLMs, MITRE ATLAS, and NIST AI RMF) found that DeepSeek-R1 was four times more prone to generating insecure code and 11 times more likely to produce harmful outputs compared to OpenAI’s o1 model.
AI Analysis: Protect: While the original version of DeepSeek-R1 from Hugging Face did not exhibit any known vulnerabilities, the fine-tuned versions they discovered either could execute arbitrary code upon loading or had suspicious architectural patterns.
Implications for Organizations Using DeepSeek-R1
The growing evidence points to the fact that DeepSeek-R1 is a security liability. Although very good at reasoning-based tasks, its vulnerabilities make it very questionable for applications needing robust security protections.
Any organization considering R1 needs to consider additional safeguards, closely monitor its behavior, and consider other models offering more robust security. As AI security becomes of growing importance, DeepSeek may soon have to revisit its training methodology to make the model resilient against newer forms of threats.
Leave a Reply