Fresh concerns are bubbling up about the safety of DeepSeek, a new Chinese generative AI platform. Researchers at Palo Alto Networks uncovered significant vulnerabilities, showing that malicious actors can easily manipulate the system using jailbreaking techniques. These methods allow users to bypass the safeguards meant to stop large language models (LLMs) from being misused for harmful tasks, like crafting malware.
Interest in DeepSeek skyrocketed in late January, echoing the shock the U.S. felt in October 1957 when the Soviet Union launched Sputnik, igniting the space race. This new AI wave has sent ripples through the tech sector, causing major companies like Nvidia to lose billions in valuation.
Palo Alto’s research team demonstrated that three specific jailbreaking techniques could successfully exploit DeepSeek with little skill required. Their tests revealed the platform provided detailed guidance on sensitive topics, ranging from data theft to creating keyloggers, even instructions for making improvised explosive devices (IEDs). The team pointed out that while some of this information exists online, unrestricted LLMs could make it far too easy for bad actors to launch their operations.
So, what exactly are jailbreaking techniques? They involve crafting precise prompts or exploiting system weaknesses to circumvent safety measures and provoke harmful outputs. This manipulation allows malicious users to weaponize LLMs, making it easier to spread misinformation or engage in criminal activity. As LLMs become more advanced in responding to complex prompts, they also become more vulnerable to these kinds of attacks, leading us into something of an arms race in AI security.
Palo Alto examined three jailbreaking methods: Bad Likert Judge, Deceptive Delight, and Crescendo. Bad Likert Judge manipulates the model’s assessment process, leveraging the Likert Scale to get it to categorize harmful responses. Crescendo involves leading the model through a series of related prompts, slowly steering the conversation toward restricted topics until the safety measures are flanked. This method can yield troubling results in just five interactions.
Deceptive Delight takes a similar multi-turn approach. It mixes dangerous topics into a seemingly harmless narrative. For instance, an attacker could prompt the AI to create a story involving bunnies and ransomware, subtly driving the conversation towards the unsafe subject.
Response strategies for Chief Information Security Officers (CISOs) are crucial. Palo Alto admitted that no LLM, including DeepSeek, is likely immune to jailbreaking. However, organizations can take protective measures. Monitoring employee interactions with LLMs and restricting access to unauthorized platforms are steps that can help manage risks.
Anand Oswal, Palo Alto’s senior VP of network security, highlighted the wide-ranging policies organizations may adopt regarding new AI tools. Some might fully ban them, others might only allow controlled testing while many may rush to deploy these models for their potential benefits. The rapid transformation in AI poses unique challenges—when an obscure model suddenly becomes the priority, planning ahead is nearly impossible.
Oswal pointed out that AI security is a moving target, and DeepSeek won’t be the last surprise to emerge. Security leaders must prepare for unexpected developments. Another layer of complexity comes from the ease with which developers can switch LLMs. The allure to test new models for performance or cost benefits is strong, and no one wants to stifle innovation.
Palo Alto advocates for establishing clear governance around LLM usage and encourages businesses to adopt secure-by-design principles. They introduced a suite of tools called Secure AI by Design to enhance oversight, allowing security teams to track LLM use in real-time and enforce policies that protect sensitive information.