A blog post by Nvidia’s Chief Security Officer David Reber refutes accusations made by the Chinese government of a backdoor in the company’s AI chips that can be used as a remote kill switch. The post categorically denies the existence of such a thing and reiterates that company policy would not allow for implementation of it, citing the infamous “Clipper Chip” concept of the 1990s as a cautionary tale.
The Cyberspace Administration of China has demanded documentation of what it asserts is a backdoor in Nvidia’s H20 AI chips, a line manufactured specifically for Chinese data centers to comply with US export controls. The agency claimed that it had information from unspecified security experts in the US that the chip line can be remotely disabled and can also be used to track the physical location of the devices it is installed in.
Nvidia says its AI chips “do not” and “should not” have kill switches
US export controls limit the type of AI chips that can be shipped to China in the interest of maintaining a competitive advantage in the military technology development race. Nvidia’s most advanced lines, such as the Blackwell, A100 and H100 GPUs, cannot legally be sold there under restrictions introduced by the Biden administration, prompting the development of the less-capable H20 chip in 2022 as an alternative specific to that market. Nvidia has lobbied the US government extensively to maintain a presence in the Chinese market, citing a need to compete with Huawei chips of similar capability that are already available there. The company does not provide specific sales numbers for the H20 line but has said that it generates billions of dollars of quarterly revenue in China.
While there is not yet any evidence available to the public that would support China’s accusations, in early May a bill was introduced in Congress (the “Chip Security Act”) that would require any AI chips under export regulations to be fitted with location tracking systems in a bid to fight smuggling and other unauthorized use. The accusations also follow a brief ban on exports of the H20 chip to China that was initiated in April, during a House Select Committee investigation into national security threats posed by Nvidia’s trade in the country and its contributions to the emergence of DeepSeek as a leading LLM. The Trump administration initially called sales of the H20 a “loophole,” but after intense personal lobbying by Nvidia CEO Jensen Huang it was convinced to provide a waiver for the chip’s export in July.
The Nvidia blog post has since been reinforced by a public statement from company spokesperson Sarah Weinstein, who also denied that any backdoors were present in any of its AI chips. The company has characterized any presence of backdoors as a “gift to hackers and hostile actors” that “violates the fundamental principles of cybersecurity” and assured that it has no intention of implementing such features going forward.
Nvidia cites “Clipper Chip” debacle in rejecting backdoors
The Nvidia blog post ranges far beyond simply denying the existence of backdoors in its products. It seems to be addressed as much, or more, to US lawmakers and the prospect of mandatory tracking and other “spyware” features for its AI chips.
The detour into a comparison to the Clipper Chip is clearly aimed at a US government audience rather than the Chinese cyberspace administration. Introduced by the Clinton Administration in 1993, the chipset was developed by the National Security Agency (NSA) and encrypted communications in transit, but it was also built with a backdoor allowing US intelligence agencies free access to these communications. The administration pushed for voluntary adoption of the chipset (which would cost about $16 to $26 per unit in 1993 money) by manufacturers rather than attempting to mandate it, but there was very little uptake save for some niche products by AT&T and other manufacturers. The project was entirely discontinued in 1996, but was essentially dead in the water by 1994, when a research paper demonstrated that the chip’s authentication process was secured by a weak 16-bit hash that was readily vulnerable to a brute force approach, allowing users of the devices to continue to send encrypted messages while shutting the NSA backdoor out of the process.
The present-day administration appears to be testing these waters again with the Chip Security Act, which not only mandates location tracking for the most advanced AI chips but also includes language authorizing other “unspecified mechanisms” to achieve “any national security or foreign policy objective” approved by the commerce secretary. Mere location tracking would not be particularly helpful in dissuading the unauthorized use of advanced chips; the main potential application would be more specific pinpointing of smuggling routes, but this is already known to take place into China via intermediaries in Malaysia and Singapore.
Tech outfits have consistently shown genuine hesitancy to cooperate with such proposals, out of concern for damage to their products and reputations. Earlier this year Apple refused to comply with a secret demand from the UK government to create a backdoor into its encrypted cloud storage, opting instead to disable the feature in the region. This is not a universal posture, however; the Snowden leaks of 2013 revealed that certain individual companies had struck deals with the NSA to install backdoors in an assortment of products, perhaps most notably security pioneer RSA, which accepted a $10 million contract to incorporate a component the NSA called “Dual Elliptic Curve (Dual EC)” into some of its security products that year. In 2015, malicious code found in some of RSA’s firewall products indicated hackers (suspected to be backed by the Chinese government) had identified and figured out how to compromise Dual EC and turn it into their own personal spy tool.

