Week 29 - Hacking the Chip Security Act
Year of Hacking - 0x1d
The Chip Security Act is a bipartisan bill introduced last month that aims to restrict chips from flowing into China through technical controls . After Deepseek’s meteoric rise to fame, it seems that Congress has realized the danger of allowing one of our most valuable assets to fall into Chinese hands.
Notably, this bill instructs the Secretary of Commerce to require "security mechanisms that implement location verification" in export-controlled chips.
I explored this topic in a previous post, where I published the final essay of my undergraduate. Can't call me a hack if I'm already a hacker.
In that post, I proposed two hard technical controls that could ensure that chips stay out of China.
Let's read my proposals from a hacker's point of view:
Solution 1 - Digital Rights Management (DRM)
Nvidia could implement DRM for their firmware, or prevent the chip from accepting unsigned drivers, and only providing drivers to organizations known to be in the US or friendly nation. This action would effectively kill the open-source firmware ecosystem, unless Nvidia wants to take a more active hand in this sector by continuously signing open-source drivers. Neither solution is ideal, though both are feasible. To prevent piracy and preserve profits, software developers have used DRM to ensure that installations of the software are done legitimately. Most hyperscalers have DRM solutions from old tuck-in acquisitions, like Microsoft's PlayReady, or developed in house like Apple's Fairplay.
Why this could work - The DRM ecosystem for software is already robust, and there's a lot of institutional knowledge for this niche in the Valley. Given a regulatory incentive, the ecosystem could expand into protecting firmware with specialized hardware based on the recently introduced secure enclaves and Trusted Execution Environments.
Why this could fail - There is a rich history DRM hacking for pirated games, which is only beneficial at the consumer level. If DRM were to become a nuisance for Chinese hyperscalers or AI labs, I would bet that it would get cracked in two weeks. Also, if Nvidia prevents the chip from accepting unsigned firmware, then all it takes is to steal a key from Nvidia and sign your own firmware. Also, even if Chinese labs can’t break DRM, then they have the talent to just create their own drivers that are nearly as good as Nvidia’s.
How I would break this - Eventually, the firmware must be loaded into the chip's memory. I would steal or buy an unlocked H200 from a company in Latin America or Southeast Asia, then identify which chip on the system holds the firmware. I would reverse engineer whatever decryption mechanism is in place, and make copies of that firmware.
Solution 2 - Call-Home
Using latency to connect to a call-home server and a few other useful signals, it is feasible to roughly geolocate the position of a computer. A call-home server could issue a simple cryptographic challenge that must be solved before turning on a machine. Because it would be impossible for the machine to solve the challenge before it is issued, the call-home system measures the time it takes to solve the challenge. Do that process with multiple computers on multiple networks on multiple continents, and you can triangulate the position of the computer.
Why this could work - This is simple to implement. In fact, after writing the aforementioned essay, I tried my hand at implementing it myself. Also, the security of the call-home server could be updated, which is a departure from typical hardware security. Once the die is cast fabbed, there is no changing any flaws without massive cost to manufacturers.
Why this could fail - I don't trust this system's ability to discriminate between a system in Taiwan versus in Mainland China, or in Russia versus Finland. It is also not resistant to network failures, which would be a massive nuisance for legitimate customers.
How I would break this:
If there is a chip that implements the lockout mechanism once the call-home server determines a system is in an unfriendly natiojn, I would desolder the chip and replace it with a custom chip that sidesteps this behavior. The initial reverse engineering process would be the hardest part. After that, I could sell the design or the sidestep chips.
If there is no separate chip, I would hack into Nvidia's call-home server and steal or modify the keys used in a theoretical cryptographic challenge. If the call-home server uses one of 1024 keys, and we're able to insert one malicious key or steal a legitimate key, we can spin up our own malicious call-home server using that key.
There's even the option of just keeping these devices plugged in while they are being transported to a disallowed country. Heck, if the chips work in Vietnam, there's no reason someone can't just drive a truck with a full rack of H200's to Hanoi, turn them on over McDonald's wifi, then drive them back to China. Inconvenient? Yes. Relatively simple? Also yes.
I would bet customers that process classified information would demand a GPU that doesn't connect to the internet, especially multiple servers around the world. I would coerce, steal, or buy these chips that can be run anywhere, or just spin up a shell company to purchase them.
Thoughts
Which solution is best?: The authors of the Chip Security Act seem to agree with me in thinking the call-home server is the most practical. In my opinion, allowing the call-home system to live on an Nvidia-controlled server would make sure that at least one link in the chain is receiving frequent updates without needing to wait for the next generation of AI hardware.
Will Nvidia play ball?: I would imagine Nvidia would bristle at cowing to any regulation that makes their product less attractive, especially since the Chinese market is a massive 20% of Nvidia's revenue. However, I bet Jensen Huang is terrified of ticking Trump off, so he will probably smile and wave for now, even if he has curried favor by being part of the Gulf AI deal.
Why none of these will ever work: While all of my solutions are probably out of my reach for a weekend warrior project, I'm confident that if I got the top five people on the BYU CTF team, we could do the hardware workarounds in a summer. Given that the Chinese Communist Party would make cracking any technical barriers to using these chips a national priority, I'm not bullish on these barriers working holding up for more than two weeks.
Why even bother?: The Chip Security Act is a baseline, and there certainly will be screwups that prove new systems are being smuggled into China. Future regulators can point to these screwups in justifying more comprehensive and effective measures. In fact, part of the act requires Department of Commerce to “… record the location and current end-user of each such product”, refering to export-controlled chips. This gives a much clearer picture of the state of American GPU proliferation.
If other ideas for how to circumvent these systems, let’s hear them.
Music I listened to this week
Oh my gosh so much Chappell Roan. Recession pop is back.
Super Graphic Ultra Modern Girl - Chappell Roan
Guilty Pleasure - Chappell Roan
After Midnight - Chappell Roan
Brujeria - El Gran Combo de Puerto Rico
WARANA EH - Nancy Ajram (Again)
