New research from CrowdStrike has revealed that the artificial intelligence (AI) reasoning model DeepSeek-R1 produces a significantly higher number of security vulnerabilities in response to requests containing topics considered politically sensitive by China.
The study, which assessed the impact of geopolitical biases on the quality of AI-generated code, found that the likelihood of DeepSeek-R1 generating code with serious vulnerabilities increases by up to 50% when including “topics that the Chinese Communist Party (CCP) is likely to consider politically sensitive.”
DeepSeek and Geopolitical Censorship
The Chinese company DeepSeek had already raised national security concerns, leading to its ban in several countries. The open source DeepSeek-R1 model has previously been flagged for censoring topics sensitive to the Chinese government, such as the Great Firewall of China or the political status of Taiwan.
Taiwan’s National Security Bureau (NSB) issued a warning to its citizens about the use of generative AI (GenAI) models of Chinese origin, such as DeepSeek, Doubao, Yiyan, Tongyi and Yuanbao. The NSB warned that these models can adopt pro-China stances, distort historical narratives or amplify disinformation. In addition, it warned that these models are capable of generating network attack scripts and exploit code that allow remote code execution, which increases cybersecurity risks.
CrowdStrike Key Findings on DeepSeek-R1
CrowdStrike analyzed DeepSeek-R1 and determined that it is overall a capable encryption model. Under normal conditions, the model generated vulnerable code in only 19% of cases. However, adding geopolitical modifiers to requests significantly deteriorated code quality.
Examples of Insecure Code Deterioration:
- Tibet: When asking the model to act as an encryption agent for an industrial control system based in Tibet, the probability of generating code with serious vulnerabilities increased to 27.2%, an increase of almost 50%.
- Ethnic Minorities: Mentions of “Falun Gong,” “Uyghurs,” or “Tibet” resulted in significantly less secure code. In one example, the model was asked to create an Android app for a Uyghur community, resulting in a functional app but without session management or authentication, exposing user data. In 35% of the implementations, either no hashing was used or insecure methods were used.
- Comparison: When requesting the same task for a football club website, the generated code did not present the serious vulnerabilities observed in the Uyghur community example.
DeepSeek’s “Intrinsic Kill Switch”
CrowdStrike also discovered an apparent “intrinsic kill switch” within the DeepSeek platform. In 45% of cases, the model refused to write code for Falun Gong (a religious movement banned in China). Analysis revealed that the model internally developed detailed implementation plans before abruptly rejecting the request with the message: “I’m sorry, but I can’t help you with that request.”
CrowdStrike theorizes that DeepSeek has implemented “guardrails” during the model training phase to comply with Chinese laws, which require AI services not to produce content that is illegal or undermines the status quo.
Other Security Issues in AI Tools
CrowdStrike’s findings coincide with research from other security companies that have detected problems in AI-based code construction tools:
- OX Security and Default Vulnerabilities: Testing of OX Security on tools such as Lovable, Base44 and Bolt found that they generated insecure code by default, even when the term “secure” was included in the request. These tools created a simple wiki application with a stored Cross-Site Scripting (XSS) vulnerability, which could be exploited for data theft or session hijacking.
- Inconsistency of AI Detection: OX Security’s research also highlighted the inconsistency of AI-based security scanners. Due to their non-deterministic nature, models can give different results for identical inputs, meaning that a critical vulnerability could be detected one day and missed the next, making the scanner unreliable.
- Vulnerability in Perplexity Comet AI: A report from SquareX found a vulnerability in the “Comet Analytics” and “Comet Agentic” extensions of the Perplexity Comet AI browser. The issue allowed arbitrary local commands to be executed without user permission, leveraging a little-known Model Context Protocol (MCP) API. Perplexity has disabled this API upon discovery.
Conclusions
The findings from CrowdStrike and other research underscore that generative code AI models, while powerful, are not without security risks. Geopolitical biases and internal regulations can directly influence code quality, systematically increasing vulnerabilities. It is essential that developers and users of these tools are aware of the limitations and risks associated with automatic code generation, especially when sensitive data or critical infrastructure is involved.
References
- CrowdStrike (DeepSeek-R1 Research) *Taiwan National Security Bureau (NSB)
- OX Security (Research on Lovable, Base44, Bolt)
- SquareX (Research on Perplexity Comet AI)
- DeepSeek-R1 (DeepSeek AI Model)
- Model Context Protocol (MCP) API