Beijing has asked Nvidia to explain whether its H20 artificial intelligence chips have backdoors that could allow the United States to locate them and remotely shut them down. Chinese pundits said similar probes could be extended to other American-made chips.
The Cyberspace Administration of China (CAC) stated on July 31 that it summoned US tech giant Nvidia over security risks related to its H20 AI chip, which had been sold to China.
“Nvidia’s AI chips have been alleged to pose serious security risks, and some US lawmakers have called for advanced chips exported abroad to be equipped with ‘tracking and positioning’ functions,” said the CAC.
The CAC said in a press release that American AI experts have confirmed that the “tracking and positioning” and “remote shutdown” technologies of Nvidia chips have matured. It requested that Nvidia explain and submit relevant proof materials regarding this issue.
On the same day, Nvidia said its chips do not contain backdoors that would allow anyone to access or remotely control them. It said cybersecurity is critically important to the company.
Beijing’s summoning of Nvidia came after Reuters reported on July 29 that Nvidia had placed orders for 300,000 H20 chipsets (worth about US$3.6 billion) with the Taiwan Semiconductor Manufacturing Company (TSMC) a week earlier. It also followed the trade talks between US Treasury Secretary Scott Bessent and Chinese Vice Premier He Lifeng in Sweden on July 28-29.
In April, the US government stopped Nvidia from shipping its H20 products to China. When Republican US Senator Tom Cotton introduced the “Chip Security Act” on May 9, the bill received little to no significant media attention at the time.
The bill requires AI chips to be subject to export regulations and mandates that products containing these chips be equipped with location-tracking systems to aid in detecting diversion, smuggling or other unauthorized use. It received bipartisan support from lawmakers in the House of Representatives.
“As Congress’s chip designer, AI programmer and PhD physicist, I know we have the technical tools to prevent powerful AI technology from getting into the wrong hands,” said Congressman Bill Foster. “With advanced AI chips being smuggled into China and posing a national security risk, Congress must act.”
Following meetings between US and Chinese officials in London on June 9, China agreed to resume shipments of rare earth minerals to the US. In return, the US agreed to allow Chinese firms to use its electronic design automation (EDA) software and resume the shipment of H20 chips and C919 flight engine parts to China.
Slowing Huawei’s growth
Some commentators said the strong demand for H20 from Chinese firms may hurt the market share of Huawei Technologies’ Ascend AI chips.
Wang Xinxi, a columnist specializing in the technology, media and telecommunications (TMT) sector, says in an article that the Ascend 910B has already surpassed H20 in terms of computing power. He says Chinese technology firms still use the H20 only because of its higher bandwidth and software support on the CUDA platform.
“Although the US Congress has not yet passed the Chip Security Act, Nvidia may have already added location-tracking functions in its chips,” he writes. “All Nvidia computing chips have private data areas where the data is encrypted, so it is technically possible to add a backdoor.”
Citing Qihoo 360 Chairperson Zhou Hongyi’s recent comments, Chen claims that malicious code can be implanted in a chip during the wafer manufacturing, packaging and testing processes. He says it’s difficult for Chinese end-users to identify these unsafe products within the global supply chain, which involves numerous suppliers and distributors.
“If there is any security loophole, Chinese firms must stop using H20,” he adds. “In the end, companies that use Chinese AI chips will win.”
“Imagine if such ‘backdoor’ probes were expanded to other major American chip manufacturers in China like Micron, Wall Street investors would quickly sell their semiconductor stocks,” Chen Kai, a Fujian-based writer, says in an article.
“The H20 under probes is a ‘freak’ from the beginning as it is the downgraded version of the H100,” he writes. “The Trump administration thought China would thank the US for relaxing its chip export control, and it would easily obtain the Chinese rare earth. It did not expect Nvidia to face security probes.”
In 2019, the US banned Huawei routers due to concerns about backdoors. The US Department of Commerce added Huawei to its Entity List in May 2019.
Technical challenges
In May, Nvidia’s Chief Executive Jensen Huang said that tracking massive AI servers or accelerators weighing several tons should not be difficult. However, he said, finding the AI chips after they are sold is impossible.
Joseph Hoefer, a Washington, D.C.-based government relations strategist focused on AI, said the intent behind the Chip Security Act is understandable, but its approach creates more problems than it solves.
“First, real-time location tracking of chips is simply not feasible at scale,” Hoefer said. “Attempting to derive meaningful national security insights from hardware geolocation data would require vast infrastructure, reliable international cooperation, and intensive verification protocols. That level of control does not exist in today’s global tech ecosystem.”
Secondly, he said, any system tracking chip locations would become an immediate cybersecurity vulnerability.
Lastly, he said the compliance burden would fall on responsible US chip makers, which would have to spend time and money implementing unproven tracking systems, navigating regulatory ambiguity, and reporting false positives.
Some IT experts have said that, technically, Nvidia can utilize its ecosystem of software and tools, such as the Nvidia Management Library (NVML) and Data Center GPU Manager (DCGM), to identify the locations of its AI chips, each of which has a unique serial number.
It would be similar to what Google does to track and manage its AI chips. Google has centralized inventory and asset management systems that track every component, including custom chips such as Tensor Processing Units (TPUs), from manufacturing to deployment.
Google’s datacenter orchestration and resource management system (Borg) can track the real-time performance of every chip.
Others argue that even if chip management software can determine the location of a suspicious AI chip cluster, it will be too late, as it means Chinese firms have already obtained and deployed the chips.
Alphabet’s Google has already started tracking the location of its in-house AI chips and others in its vast network of data centers for security purposes, Reuters reported on May 6, citing two sources familiar with the matter.