The government of China has accused Nvidia of inserting a backdoor into their H20 chips:
China’s cyber regulator on Thursday said it had held a meeting with Nvidia over what it called “serious security issues” with the company’s artificial intelligence chips. It said US AI experts had “revealed that Nvidia’s computing chips have location tracking and can remotely shut down the technology.”
tdar • August 7, 2025 11:59 AM
@clive
I may have misunderstood but I believe Asus claim to have such technology:
“Absolute Persistence
A core component of the Absolute Platform – leveraging its privileged position in the firmware of more than 600 million endpoints
Unique, patented technology
Absolute Persistence® technology is already embedded in over 600 million devices as a result of Absolute’s partnership with close to 30 international system manufacturers. Once activated, this technology is fiercely resilient and is the only security solution that will survive attempts to disable it, even if the device is re-imaged, the hard drive is replaced, or the firmware is updated.
No other technology can do this.”
https://www.absolute.com/platform/persistence
lurker • August 7, 2025 2:20 PM
Pot : Kettle : Black
This story has all the hearsay and inuendo of Fox News stories about Chinese backdoors …
David Leppik • August 7, 2025 5:25 PM
@tdar that’s unrelated technology. That’s fairly standard remote management technology. It wouldn’t work in a server farm in China that blocks remote connections, which means the technology would either do nothing (fail-enabled mode) or disable the chip entirely (fail-disabled mode). Typically this isn’t found on a GPU, since it’s for remotely managing the entire computer, e.g. to upgrade to the latest OS version to disable malware.
There’s a lot about this that doesn’t pass the sniff test. Why US AI experts and not cybersecurity experts? How would remote shutdown work if the GPU is inside a computer (and not handling networking) and can’t receive remote commands?
What could happen is something like “if you receive this training data (e.g. classified US documents) and have a Chinese IPv6 address, shut down.” Which is really easy to circumvent with NAT.
Snarki, child of Loki • August 7, 2025 5:43 PM
‘It said US AI experts had “revealed that Nvidia’s computing chips have location tracking and can remotely shut down the technology”’
IOW, they asked an AI in the US, and it spewed some nonsense.
Sounds plausible.
Clive Robinson • August 7, 2025 8:22 PM
@ tdar,
With regards,
“I may have misunderstood but I believe Asus claim to have such technology:”
The technology already exists on mobile phones and with the likes of Apple air tags, Tile and other security tags including at the lowest level RFIDs used in retail and shipping logistics and peoples pets.
The fact it can be put in chips is not in doubt. The point I was talking about was the “efficacy” of such technology in the roll US politicians are claiming.
The claimed use is to stop the “military use” of the chips…
I say it really will not work for that.
Because it’s claimed use is predicated on two way communications by either radio or wire.
Almost the first design rule of “military computer use” is,
“Segregation, Segregation, Segregation.”
Where you put in place Emissions Security”(EmSec) measures to stop passive “TEMPEST” and active “Fault Injection” attacks.
You basically stop energy of any useful bandwidth getting from or to the computers hence the term “Energy Gapping”.
The supposed ultimate form of EmSec segregation measures are “Sensitive Compartmented Information Facility”(SCIF) buildings / rooms / tents,
https://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility
They basically stop “energy” in the form of radio and sound wave transmission (radiated) and also “filter” energy that has to “cross the walls” such as power in and waste heat out.
Less well known is they are also designed in some cases to stop “conducted energy” such as mechanical vibrations and “convected energy” by “working fluid” such as air and water cooling systems.
The thing is aside from “conducted and convected” energy, standard design of rack equipment and data centers stops transmission of “radiated” energy, and if the network and other communications wires don’t go outside of the building stops that method of transmission as well.
AI systems due to their requirements for “minimum information path length” and high power for processing speed” are very densely packed thus have significant cooling issues. Thus need quite special layout, case, and rack designs. Which almost always due to high thermal transportation of metals end up becoming implicit Faraday cages. Likewise the “Rack Rooms” and the required power and cooling systems and thus the buildings holding it all[1].
Thus the “efficacy” of these alleged legislators proposals is very small for the claimed purpose[2] at best…
So my point was,
‘Unless it’s a political “fig leaf measure” what purpose does such described “backdoor technology” measures actually serve?’
[1] The major difference is surprisingly to many is that “EmSec / TEMPEST” and building codes for “Grounding and bonding” standards / requirements are often at odds with each other.
[2] There is a way to make part of it sort of work in that you “reverse the purpose”. That is rather than send a “Kill Command”. You instead have to send and have respond encrypted “Stay Alive” heart beats. The down side of such “Stay Alive” systems is they are without doubt “as obvious as a punch on the nose”.
RobertT • August 8, 2025 12:06 AM
Hmmm, interesting claim, interesting problem.clearly you have to start with plausible deniability and then design the RF GNSS receiver sections around the known system implementation and the known wiring diagram.
How do you design/implement an efficient Ghz antenna that doesn’t look like an antenna? How much processing gain can you use? what sort of digital filter would you use? it has to be non-obvious. These days I’d go way beyond simple EKF’s and UKF’s and probably go with a whole system Bayesian approach.
I could enjoy implementing this circuit, maybe I need to give Nvidia a call.
Jon (a different Jon) • August 8, 2025 1:47 AM
@Clive, et. al.:
Minor detail – the way to deal with massive shielding is a persistent connection. If that connection consistently fails, you know you are in a shielded environment, and will quietly fail a few years later.
There are, of course, ways to fake up signals, detect faked-up signals, &c. A rabbit hole I do not wish to go down.
J.
tdar • August 8, 2025 5:57 AM
Thanks @David Leppik and @Clive
Clive Robinson • August 8, 2025 10:11 AM
@ Jon (a different Jon),
The idea of “keep alive heart beats” is one way to do,
“…the way to deal with massive shielding is a persistent connection.”
But as I noted there are ways you can test and spot it in action even if it is disguised.
One such way to try and hide it is by Spread Spectrum or other “Low Probability of Intercept”(LPI) to put jitter on data pulse width, timing, edges, etc.
But that can be stripped by “re-clocking” something I’ve talked about before on this blog when discussing how to stop data being exfiltrated across air-gap bridges etc.
The first use of re-clocking to stop side channels that I know of goes back to Canadian Electrical Engineer[1] (later Prof) Benjamin “Pat” Bayly. Who Churchill authorised to redesign the “British Inter Departmental”(BID) Rockex “One Time Tape”(OTT) “Super Encryption” telex / RTTY “High Speed Line Encryptor”,
https://jproc.ca/crypto/rockex.html
Which was designed for MI8 [2] / “Diplomatic Wireless Service”(DWS) originally for those Commonwealth nations that later formed part of the Five-Eyes with the equipment also getting used for NATO nations.
[1] The term “Electrical Engineer” sounds a little mean to modern ears as he was what some might describe as an “electronics wizzard”. The reason the term “electronics engineer” was not used was due to professional licencing. In certain nations / states, you could not “practice” without being licenced and the licencing went back to the old “Power and Electrical Machine” days, hence “electrical”.
[2] British “Military Intelligence 8″(MI8) is one of the most illusive of the over 20 MI depts. It originally came into being during WWI and was formed of four more or less independent sub units one of which did “Radio Security Service”(RSS) type activities. Something that ended up under MI5 via MI6 in the 1950’s and onwards. You can read about it in the first half of Peter Wright’s SpyCatcher book where his assistant Tony Sale –who later rescued Bletchley Park– gets mentioned as part of the technical efforts against Russian and other spys. MI8 got dissolved at the end of WWI but was reformed in WWII with the same RSS “and other activities”. The other activities have remained shrouded in mystery but part of it involved the “Diplomatic Wireless Service”(DWS) and the BBC overseas “world service” and the much more interesting technical activities to do with global secure communications. Some of which was done at Hanslope Park which later became MI6’s technical center and in the late 1980’s also took over other MI8 and DWS technical work from “Poundon”. You can read about the WWII RSS activities at,
https://en.m.wikipedia.org/wiki/MI8
And there is some limited information about the various Poundon facilities at,
https://heritageportal.buckinghamshire.gov.uk/Monument/MBC24739
lurker • August 8, 2025 2:52 PM
I must have missed something. Faraday shields to prevent GPS? These things are going into AI and data centres whose location is well known, or can be founbd quickly through signal tracing because they must be connected to the world for the way they work.
Keep-alive heartbeat signals? If these chips were intended to self destruct after a fixed time, or on external command, then there will be extra circuitry in them. Anyone who seriously believes this story will already be putting valuable time into grinding and etching a random sample layer by layer to find differences from known good chips. Any deviation from specification lays the manufacturer opem to lawsuit for false presentation, something they will surely want to avoid.
I’m sticking to the theory the story is a beat-up to distract attention from something else. Perhaps there is a specially crafted input that can lock ordinary versions of the chip and require a hard reset? burn it out?
RobertT • August 8, 2025 6:08 PM
@Clive
Talking about obscure parts of the five eyes network. Did you ever have anything to do with MO9?
Clive Robinson • August 8, 2025 11:17 PM
@ Lurker, ALL,
With regards,
“I must have missed something. Faraday shields to prevent GPS? These things are going into AI and data centres whose location is well known, or can be founbd quickly through signal tracing because they must be connected to the world for the way they work.”
What you’ve missed is the implication of the word “Military”.
Think of it like “nuclear” in weapons… And what the likes of China, India, Iran, Israel, North Korea, Packistan, Russia, and South Africa did to get from reactor waste to weapons grade material (the most expensive and fragile part of making a “device”).
Military AI LLM’s which is what the fuss is supposedly all about, will be hidden in data centers made to look like something else or in a deep hole in the ground. So won’t be a “location [that] is well known”, and it will be “energy gapped” so won’t be “connected to the world” via the Internet or other open communications network in the way academic or general use LLM and ML systems will be.
The big problem will be the “heat signature” of the 1MW/rack bay and it’s generation.
Thus mad as it might sound putting the LLM center under a nuclear or similar power plant in the middle of a heavy industrial zone where iron or aluminium are recycled / refined would give some cover. Personally I’d keep my eye on city “CHP Systems”.
The interesting aspect though is the ML training of the LLM weights. China appears to be way ahead on small model development by distilling down and augmenting existing large models. Whilst training a large generic model needs access to vast amounts of data it’s kind of a “one shot” or “one and done run”. And when done the weights are just another form of database archive. This generic model build could be done on an academic / research system as part of open research.
The additional “military” augmentation can be done almost as a “Post Process”. This splitting up large generic model generation and augmenting / distilling down to a more military focused model can be “isolated” in various ways. That would negate the need for the systems to be “connected” whilst this final Military Model ML phase is in progress. Once the process is over and the model distilled down the need for these high end chips is significantly reduced.
Thus having a kill switch on the high end chips is not going to be of much use when the model generation is completed…
This “One and Done” of a generic model is something NVIDIA must be worried about. Because “once done” and the model is distilled down the need for the high end chips to run the distiled model is not required…
Now consider how this might make a parallel LLM solution. If you take a generic model and augment and distill separate models that are more specialised they can be used independently and do not need to be tightly connected in a high density block. Now consider adding a pre-processing unit that acts like a MUX that routes your query to an appropriate specialist model.
This makes the Nvidia chips even more redundant…
Now consider the US economy. If you look at the S&P 500 Nvidia is just one of those 500 entities, but is responsible for about 20% of the groups value. Thus Nvidia’s worth has a significant effect on the US Economy due to the way the US Economy works.
If Nvidia becomes near worthless because those high end GPU arrays at their significantly over inflated value become “not needed”. The S&P 500 will take a very cold bath. And that will give the financial markets rather more than “a cold”. Have a think how that will effect the US finance based economy.
Thus Nvidia has joined the “to big to be allowed to fail” list.
But then Consider the other Silicon Valley Mega Corps, that have “thrown all in on AI” what would happen to their financial value thus the US finance industry and US economy?
We know that those “all in on AI” are currently panicking with Microsoft in particular trying desperately to get even “one cent on the dollar” ROI. And faking it by “force feeding AI with everything” and raising rent to pretend “AI is earning” when it’s actually hemorrhaging.
One outcome could be the word “recession” would gain a new meaning in the US about a century after the 1929 Great Depression…
I’d keep an eye on the traditional “primary store of value” commodities like precious metals and stones etc. But also the basic industrial “feed stock” values of iron, copper, nickle, aluminium etc,
They can be like “financial seaweed” when people are not playing “silly buggers” with tariffs and duties.
Clive Robinson • August 9, 2025 1:50 AM
@ RobertT,
With regards,
“Talking about obscure parts of the five eyes network. Did you ever have anything to do with MO9?”
If you mean MI9 and what followed after WWII, the UK “Imperial War Museum”(IWM)[1] has some rare information,
https://www.iwm.org.uk/history/mi9-the-ingenious-secret-service-of-the-second-world-war
After being “poo par’d” by the army and navy in the early part of WWII it basically got rapidly devolved into
“Joint Services Training ‘escape and evasion'”
after WWII and I went through it (and yes I cheated 😉
But if you are talking about the more fun bits of MI9 like those people think of as Ian Fleming’s ‘Q Branch’ and the real ‘Stay Behind’ of civilian ‘GLADIO’,
https://en.wikipedia.org/wiki/Operation_Gladio
And the millitary ‘Special Communications’ of the British F&CO sponsored regiments for DWS and MI6 with the various awkward squads.
My time in the military and in contracting last century were both real and fun, if not awkward for others.
During that time and later I was involved with a couple of friends nolonger with us in a business designing surveillance and similar equipment that made the stuff discussed on this blog,
https://www.schneier.com/tag/exploit-of-the-day/
Taken from the NSA “Tailored Access Operations”(TAO) ANT catalogue, look shall we say a little “old fashioned” at best technically.
In part the reason was the stuff in the ANT catalogue looking old fashioned, was that whilst technically “secret” it was designed to be used by people who could not be trusted to keep it secret… Like the more knuckle dragging guard labour agencies both Federal and State. Which is why you could actually buy the equivalent or better commercially from even “high street Spy Shops”… Thus there was nothing in it that was not widely “public domain” technically.
It always used to make me chuckle when people used to talk about “mono” audio bugs, because almost any professional audio engineer would tell you,
“You need a minimum of two separate audio signals preferably more.”
Back in the late 1970’s as what today would be called an “intern” (though I used to joke it should be “in-turn” as you were “screwed down”). I was involved with work on a microphone that was actually four individual cardioid mics in a tetrahedron –three sided pyramid– arrangement giving in effect spherical coverage. The four audio streams could be recorded onto a standard four-track, then later used like a “phased array” in “production”. Thus was not just steerable but could be focused into the equivalent of a “pencil tight” beam you could move around the room after the event, and even null out any noise sources etc.
But the one thing that surprised me about the TAO catalogue and it’s contents was people did not ask the question,
“Why did the NSA give it away?”
The answer was of course to keep control and stymie opposition both political and technical. Because if you were a guard labour organisation “getting it effectively for free” you had no need to buy from the open market, or worse for the NSA develop your own probably much more advanced capabilities.
[1] I’m still upset with the Imperial War Museum over my MK123 spy radio set,
https://www.cryptomuseum.com/spy/mk123/index.htm
I loaned it to the “London Science Museum”(LSM) through a contact (Robin Hughes who operated the “Armature Radio Station” there). As the LSM were doing an exhibit on clandestine communications. Rather than give it back it “apparently” got sent along with other loaned stuff “back to” the IWM who in turn claimed various things before settling on it must have been lost but not insured etc “so sorry” (just bog off).
Thankfully I did not loan out other much rarer parts of my collection like the XTAL and TX valves from a base transmitter used to communicate with SOE field operatives and Y-Station RF RX amp I acquired in my travels.
RobertT • August 9, 2025 3:35 AM
@Clive Interesting stuff but I was talking about MO9. not MI9.
Same spooks, different suits.
Clive Robinson • August 9, 2025 7:45 AM
@ RobertT,
On the UK side the MO distinguisher became MI quite some time ago.
Have a look in the 2003 report,
https://www.scribd.com/document/389392831/uk-intel
Under history.
That said distinguishers do get reused from time to time or the roles chang under them. For instance historically MI6 did not start off being a distinguisher for SIS.
They also get used by other organisations. For instance the Met Police use the MO for Met-Ops.
Likewise some Military Units working with civilian organisations use MO. But… The Civilians do not get to know of it under the principle of,
“One hand washes the other…”
So “both or the face are clean” implying in effect a Chinese Wall arrangement.
Jon (a different Jon) • August 9, 2025 11:53 PM
@lurker A couple more minor things you may have missed:
These are small things, and there are ways around them, but here’s a couple more.
—
There won’t be any ‘known good’ chips for you to compare to. They’re all going to have the same stuff. If the customer ever asks, “What’s this stuff do?” the answer is going to be just about immediately, “That’s a trade secret”.
If nothing else it could be something as simple as a canary trap – “if your chip includes this stuff, then we know you made a direct copy of our chip instead of making your own.” If those circuits actually do something more nefarious, you’re welcome to have a go at reverse-engineering them (especially given clever design will include a lot of other-layer transistors – that you’ve just ground off…)
—
Another point might be that these chips are receiving, not transmitting. Weird clocking only makes them fail faster – but again, half-decent design would make their failures look random, not related to disconnection.
Also worth noting is that some chips can control their own clocking speeds, whatever the input oscillator is. Typically they use phase-locked loops for that, but there are other ways.
—
And finally, these chips were shipped only to be used under specific conditions. If they are swiped from a shipment and placed into secure facilities, that’s a direct violation of the sales contract, so the buyer isn’t going to admit it, and even if they did want to sue, what makes them think any overseas court is going to give them the time of day, let alone a red yen in repayment?
—
Finally, that is the accusation – China says they do have nefarious circuits. NVIDIA says they don’t. I guess we’ll have to see…
J.
RobertT • August 10, 2025 6:12 AM
@Clive,
Thanks I’m looking at writing a story about some things that happened back in the mid 1970’s in Chile and involved all the usual suspects.
There are lots of references to departments/organizations within the European( plus 5 eyes) secutity appartus that don’t seem to offically exist.
MO9 is one name that keeps popping up esp wrt Pauk Schaefer and that whole Colonia Dignidad fiasco.
Matthias Urlichs • August 11, 2025 2:39 AM
We know China blocks / jams / subverts the US GPS system and other non Chinese GNSS[1] systems like the European Galileo.
Who is this “we”? what purpose would this jamming serve? and how do you expect it to work in the first place?
GNSS systems use a sheaf of >20 frequencies in the 1.2 to 1.6 GHz range. This includes Beidou. Jamming everything except Beidou would require a box with 20 narrowband noise makers every square kilometer or so. That makes no sense whatsoever.
Source: https://www.rfwireless-world.com/terminology/gnss-gps-frequency-bands
Matthias Urlichs • August 11, 2025 2:58 AM
Let’s be realistic here. These chips are powered down until they’re installed in a metal box in some data center. There is no direct access to the outside world, no GPS reception even if there was a GPS receiver in these chips, which I very much doubt.
How the heck would the chip be able to determine whether they’re in China, or anywhere else? The environment is the same. The kernel driver is the same. The Linux version the driver runs on is (mostly) the same.
The driver has a more-or-less-well-defined interface and it’s easy easy enough (at least for a state actor) to determine whether it contains code to access IP addresses or other kernel information that could hint at a location (assuming that the IP address isn’t in the RFC1918 range, which is fairly common in a data center).
Clive Robinson • August 11, 2025 9:14 AM
@ Matthias Urlichs,
With regards, GPS jaming etc in China, you ask,
“Who is this “we”? what purpose would this jamming serve? and how do you expect it to work in the first place?”
We do not know precisely “who” but evidence has been found around Chinese Government offices and oil terminals from a report going back to around 2018.
There are several easy to find reports, two of which include detailed location information,
https://maritime-executive.com/editorials/patterns-of-gps-spoofing-at-chinese-ports
https://www.gpsworld.com/chinese-gps-spoofing-circles-could-hide-iran-oil-shipments/
They allege the purpose could be Iranian “oil sanctions” busting.
The “International Maritime Organisation”(IMO) also have indicated that GPS interference etc has been seen in places where Chinese illegal fishing fleets have been reported. As well as issues in the South China seas. With South Korea, Taiwan and Japan reporting aircraft navigation systems have been interfered with. With South Korea blaiming North Korea. Potentially used against US Spy drones flying from the south.
So potentially Iran or China have done the actual GPS spoofing as well as North Korea and Russia.
As for how you can make it work I’ve detailed ways this can be done before on this blog, As indicated in,
https://www.schneier.com/blog/archives/2011/12/more_on_the_cap.html/#comment-172348
I’d demonstrated how to spoof GPS back in the 1980’s using very little low cost equipment. As it was quite newsworthy in 2011 due to the US “CIA Drone” being brought down by the Iranians,
https://en.m.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident
Due to augmentation of GPS to get high precision positions using differential systems simple spoofing is becoming more difficult but very far from impossible.
But there have been articles popping up for quite some time one of the latest just a few days back is,
https://veepn.com/blog/gps-spoofing-explained/
A simple DuckDuck search for “GPS Spoofing” brings up a great deal of such articles.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Clive Robinson • August 7, 2025 8:59 AM
@ Bruce,
Is what China is claiming or it is claimed that china is claiming actually possible?
Think a moment on
“It said US AI experts had “revealed that Nvidia’s computing chips have location tracking and can remotely shut down the technology”
There are three points to note,
1, US AI experts had revealed…
2, chips have location tracking
3, remotely shut down the technology
So the Chinese claims are based on unsubstantiated “US AI experts” claims…
So firstly :- we’ve no way to know if there is any truth involved.
Secondly have a think on how the chips can do location tracking.
We know China blocks / jams / subverts the US GPS system and other non Chinese GNSS[1] systems like the European Galileo.
We also know China keeps certain details about it’s system restricted. Unlike the other current systems the augmented Be Dou System has not just SMS style messaging in real time, it also communicates two-way with the user terminal thus performs surveillance on all users in range of a ground based base system.
But consider these supposed backdoor chips. They are designed to be used in racks that are effectively Faraday Shields that are in buildings that in turn are Faraday Shields.
What sort of geo-nav system is going to work?
But now likewise consider the “remote shutdown” claim. It would need to work with a command system that would have to use either Radio systems or Wired Systems. Both of which are fairly easy to defend against for non-civilian use.
So I’m not seeing anything that I’d consider anything other than “alleged” in these claims.
Which “technically” makes me rather more than the “skeptical” of,
What appears to be happening with this Nvidia H20 chip is the nonsense of the US Legislators.
It’s been shown that Nvidia are actually key to the US economy and even bigger than “To big to Fail” financial institutions.
Put in political terms,
“If it ails Nvidia, then the entire US gets sick.”
The flip side of which is kind of,
“If it’s good for Nvidia then the US economy hangs in there for another day.”
Which flies in the opposite direction to political mantra on China Policy…
Thus a legal “fig-leaf” is required to hide the embarrassment of the executive member being held up to ridicule for it’s short comings.
Hence the effectively impossible “tracking and switch off” ideas.
Thus I suspect China knowing this full well is “flipping the bird” as they have nothing to lose by it and quite a lot to gain. Whilst the opposite can be said of the US…
I guess we are going to have to pop the popcorn in the air frier, sit back and watch the “roasting process” as various people get grilled.
[1] Currently there are four “Global Navigation Satellite Systems” in full operation three of which are single nation military sponsored systems of,
1 US “Global Positioning System”(GPS).
2, Russian GLONASS.
3, Chinese “Bei Dou Sytstem” (BDS).
And the civilian multination
4, EU Galileo
An overview comparison of the four can be read at,
https://ndupress.ndu.edu/Media/News/News-Article-View/Article/2999161/beidou-chinas-gps-challenger-takes-its-place-on-the-world-stage/
What is not noted is that Galileo is odd in other respects. The design and original development was done in the UK by Surrey Satellite Systems and the atomic clocks quite a few of which have failed were designed and manufactured by a Swiss company. Neither the UK or Switzerland are members of the EU, which security wise has created political issues.