DeepSeek's Flagship AI Model Under Fire for Security Vulnerabilities

Jan. 31, 2025

R1, the latest large language model (LLM) from Chinese startup DeepSeek, is under fire for multiple security weaknesses.

The attention the company has drawn to the performance of its reasoning LLM has also brought scrutiny. A handful of security research reports released in late January highlighted flaws in the model.

Additionally, the LLM critically underperforms in a newly launched AI security benchmark designed to help security practitioners and developers test LLM applications for prompt injection attacks that can lead to exploitation.

DeepSeek-R1: Top Performer with Security Issues

Like OpenAI’s o1, DeepSeek-R1 is a reasoning model, an AI trained with reinforcement learning to perform complex reasoning.

As of January 31, 2025, R1 is ranked sixth on the Chatbot Arena benchmark, one of the most recognized methods to evaluate the performance of LLMs.

This means R1 performs better than leading models such as Meta’s Llama 3.1-405B, OpenAI’s o1 and Anthropic’s Claude 3.5 Sonnet.

However, DeepSeek’s latest model performs poorly in WithSecure’s Simple Prompt Injection Kit for Evaluation and Exploitation (Spikee), a new AI security benchmark.


WithSecure Spikee Benchmark

This benchmark, launched on January 28, is designed to test AI models for their resistance to prompt injection attacks in realistic AI workflow use cases.

In practice, researchers at WithSecure Consulting assessed the susceptibility of LLMs and their applications to targeted prompt injection attacks, analyzing their ability to distinguish between data and instructions.

Speaking with Infosecurity, Donato Capitella, AI Security Researcher at WithSecure Consulting, explained: “Unlike existing tools that focus on broad jailbreak scenarios (e.g. asking an LLM to build a bomb), Spikee prioritizes cybersecurity threats such as data exfiltration, cross-site scripting (XSS), and resource exhaustion, based on real-world outcomes and pentesting practices.”

“Instead of focusing on broad prompt injection scenarios, we try to evaluate how a hacker can target an organization or a tool that an organization has built or relies on, with an LLM,” he added.

At the time of writing, the WithSecure Consulting team has tested 19 LLMs against an English-only dataset of 1912 entries built in December 2024, including common prompt injection patterns observed in its pentesting and security assurance practice.
