Yuyuantan Tian: How the United States Installs "Backdoors" in Chips

A few days ago, the National Internet Information Office held talks with NVIDIA regarding the security risks of backdoor vulnerabilities in the H20 computing power chip.

In a subsequent self-defense statement, NVIDIA mentioned that the chip does not have a "backdoor," and they specifically referred to the "Clipper chip" incident.

On August 5, 2025, NVIDIA issued a statement claiming that the chip does not have a "backdoor," termination switch, or monitoring software.

In 1992, AT&T launched a hardware device for American business people that could encrypt voice transmissions over the phone to ensure information security.

This sparked dissatisfaction from the U.S. government. Soon, they demanded that AT&T replace the device's microchip with a new one—the "Clipper chip." It used encryption algorithms from the National Security Agency (NSA) and was produced by contractors designated by the U.S. government, containing an "encryption backdoor."

This "encryption backdoor" allowed the U.S. government to "decode" communications on the device.

After the launch of the "Clipper chip," it faced widespread resistance, and the project was terminated in less than three years. The U.S. government also learned a lesson, regarding "encryption backdoors," they began to do it without speaking about it.

However, this year, the U.S. government has once again brazenly brought the issue of "encryption backdoors" to the table. Since the Americans have said so, we need to delve into how the U.S. gives chips "backdoors" from a technical perspective.

In May of this year, U.S. Congressman Bill Foster led a proposal for a bill requiring the U.S. Department of Commerce to mandate American chip companies to include "backdoors" in chips subject to export controls.

Bill Foster, a Ph.D. in physics with experience in chip design, confidently stated that the relevant technology is quite mature and entirely feasible.

What Bill Foster aims to achieve can be summarized in two points: one is "tracking and positioning," and the other is "remote shutdown."

According to professionals, Bill Foster's judgment is accurate; these two functions can be fully realized from a technical standpoint.

"Backdoors" mainly fall into two categories: hardware "backdoors" and software "backdoors."

Hardware "backdoors" are physical devices left during the design or manufacturing of the chip, primarily consisting of logical circuits with "backdoor" functionality.

Software "backdoors" can be understood as instructions implanted in software that have "backdoor" functions, which can damage the user's system or steal confidential information through software execution Taking NVIDIA's H20 chip as an example.

From the perspective of hardware "backdoors," it is entirely possible to achieve functions such as "remote shutdown."

The H20 chip has multiple components, including: GPU cores, power management modules, etc. As long as a "remote shutdown" circuit is embedded in the power management module of the H20 chip and a corresponding trigger mechanism is set, this function can be realized without relying on external conditions. When the chip meets the following conditions:

The activation time reaches the pre-set target;

Physical conditions such as temperature and voltage meet the pre-set targets.

The power management module of the H20 chip can perform corresponding operations, including: directly cutting off the core power of the chip; adjusting the voltage to an unstable range, causing the chip to malfunction, etc. For example, the simplest and most direct operation is that chips sold to China can be set to automatically shut down after 500 hours of use.

In this way, the chip becomes completely unusable, and it is not an exaggeration to say that all investments are essentially wasted.

Another way to implement a "remote shutdown" hardware "backdoor" is to modify the firmware bootloader of the H20 chip. When the chip starts, the bootloader checks specific conditions (such as geographical location information, authorization status, etc.). If the conditions are not met, it can refuse to start the chip, disable certain advanced functions during startup, or limit the chip's performance. Currently, the H20 is almost exclusively supplied to China, and if a "backdoor" is set in the chip, then the functionality of the "backdoor" is highly targeted, and once activated, it is unlikely to cause "collateral damage."

Security experts from Qihoo 360's Threat Intelligence Center told Tan that from a technical perspective, it is relatively easy to implement specific denial-of-service hardware "backdoors" during the production phase, but in fact, this method has relatively high costs and expenses. Setting a "backdoor" through software or a combination of software and hardware is the most flexible approach.

Using software to activate a "backdoor" has a very important leverage point, which is CUDA. CUDA (Compute Unified Device Architecture) is not a product but an ecosystem.

There are over 4 million developers worldwide using CUDA, covering 90% of artificial intelligence research institutions globally. Over the past nearly 20 years, it has formed a positive feedback loop:

The more developers use CUDA, the more applications based on CUDA will emerge, which in turn attracts more developers and users to join CUDA.

In other words, when you want to use the latest features of CUDA, you need to import updated software into the system. In this driver update process, the system where the chip resides may have instructions to activate the "backdoor" added, and this method of embedding a "backdoor" can achieve many functions.

If there is an internet connection, by dynamically receiving data for decryption and execution, it can achieve "tracking and positioning" functions, and even more conventional "backdoor" functions such as file collection, keystroke logging, and screen capturing can also be realized In other words, with the cooperation of software and hardware "backdoors," information leakage is effortless.

The "tracking and positioning" function is similar to the remote identification feature in Intel Management Engine. In 2018, this function sparked discussions about the security of computer "backdoors."

A security expert from Qihoo 360's Threat Intelligence Center told Tan Zhu that the United States shapes its artificial intelligence hegemony through two main tools: hardware and the software ecosystem. For other countries, it is essential not only to strive for hardware alternatives but also to build a self-controllable software ecosystem.

To accomplish the above arrangements, the U.S. has systematically designed a mechanism—on-chip governance mechanism. This mechanism states that the U.S. government needs to establish relevant departments to coordinate various aspects of chip design, production, and manufacturing, including coordinating with enterprises and allies to achieve control over artificial intelligence chips.

The on-chip governance mechanism can achieve the following functions:

First, licensing lock. If violations are found, manufacturers will immediately stop issuing new licenses, and the chip will become ineffective due to the inability to update.

Second, tracking and positioning. The response speed of the target chip interacting with multiple landmark servers can reflect its approximate location. The chip itself can perform active queries, restricted to operate within specific geographical areas.

Third, usage monitoring. Built-in hardware can record key information such as chip status, training tasks, and computational volume, requiring users to verify the chip's usage to ensure development complies with U.S. regulatory requirements.

Fourth, usage restrictions. The on-chip governance mechanism restricts the use of chips in large cluster computers and supercomputers, protecting sensitive data access and only allowing chips to run approved code or models.

A detailed report on the "on-chip governance mechanism" mentions that NVIDIA's artificial intelligence chips have already widely deployed most of the functions required for on-chip governance, although some have not yet been activated.

The new report from the Center for Security and Emerging Technology, titled "Secure and Governable Chips—Using On-Chip Governance Mechanisms to Manage National Security Risks of Artificial Intelligence and Advanced Computing," states that many functions required for on-chip governance have been widely deployed across various chips, including cutting-edge artificial intelligence chips. Chips sold by leading companies such as AMD, Apple, Intel, and NVIDIA possess many of the functions required by these policies.

If the chips do not yet have these functions, the report also specifically mentions that the U.S. and its allies control the supply chain of the most advanced artificial intelligence chips. Therefore, the U.S. only needs to "coordinate" with these allies to ensure that these chips are equipped with built-in hardware to achieve control In order to gain the cooperation of chip companies, the report also suggests implementing some "incentive" measures, such as "pre-market commitments"—if companies cooperate and meet the U.S. government's requirements for "backdoors," the U.S. government could exempt them from export controls. It specifically mentions easing exports to "low-risk Chinese customers."

Combining this information with the fact that the U.S. government allows NVIDIA to export H20 to China, it inevitably raises some chilling thoughts.

From any perspective, H20 cannot be considered a safe chip for China.

In addition to being unsafe, H20 is also not advanced.

According to data from relevant institutions, compared to the standard version of H20—the H100, the overall computing power of H20 is only about 20%, and the number of GPU cores is reduced by 41% compared to H100, with performance decreasing by 28%, which also leads to H20 being unable to meet the trillion-level large model training requirements.

Besides being not advanced, H20 is also not environmentally friendly.

In July last year, the National Development and Reform Commission, in conjunction with relevant departments, issued a document called the "Special Action Plan for the Green and Low-Carbon Development of Data Centers." The "Action Plan" mentions that by the end of 2030, the average energy utilization efficiency, unit computing power energy efficiency, and carbon emissions of data centers nationwide should reach internationally advanced levels.

Generally speaking, for server GPUs using processes below 14nm, the energy efficiency ratio for energy-saving levels should reach 0.5TFLOPS/W, and advanced levels should reach 1.0TFLOPS/W.

According to relevant institutions' calculations, the energy efficiency ratio of H20 is approximately 0.37TFLOPS/W, which does not meet the energy-saving level of 0.5TFLOPS/W.

We all know that computing power is, to some extent, electricity, and the development of artificial intelligence will create a significant increase in energy demand. Moreover, this additional demand needs to align with China's green transformation pace.

From this perspective, H20 is certainly not a good choice.

When a chip is neither environmentally friendly, nor advanced, and even unsafe, as consumers, we can certainly choose not to buy it.

Risk Warning and Disclaimer

The market has risks, and investment requires caution. This article does not constitute personal investment advice and does not take into account the specific investment goals, financial conditions, or needs of individual users. Users should consider whether any opinions, views, or conclusions in this article align with their specific circumstances. Investing based on this is at one's own risk