The Short Version

Bad chips: Sanjay Goel on the insidious threat of hardware trojans

Episode Summary

Sanjay Goel, Morris Massry Endowed professor and chair of UAlbany's Department of Information Security and Digital Forensics, unpacks why almost everything you've learned about cybersecurity is no help in the battle against bad chips — impossibly small bits of malicious hardware that can disrupt or destroy the electronic devices we rely on every day.

Episode Notes

The longer version 

In 2018, Bloomberg Businessweek published a stunning scoop [subscription required] alleging that server hardware designed and sold by the California company Supermicro to more than two-dozen major tech and government clients was compromised with malicious chips installed at the behest of Chinese intelligence. Those hardware trojans, the scoop alleged, gave China backdoor access to snoop — or worse — on what those networks were doing.

The story was met with immediate, forceful denials from tech companies, including Supermicro and Amazon Web Services — with Apple CEO Tim Cook going so far as to call it “100 percent a lie.” U.S. and British intelligence said they saw no evidence to contradict the denials. Supermicro said a third-party investigation of its hardware found nothing suspicious.

But Bloomberg stood by the story and followed up, three years later, with another report alleging that China’s targeting of Supermicro was known to U.S. defense and intelligence officials for a decade. 

We asked Sanjay for his take on the controversy and the fallout since — and whether there might be other explanations for what happened.

Jordan: The Supermicro report was explosive, but the tech companies denied it — and western intelligence services said they had no reason to doubt the denials. What do you make of that? 

Sanjay: The allegation was that the trojans were not in the original design by Supermicro, but when the hardware was manufactured in China and came back, the hardware had those trojans on there. The denials could be for a variety of reasons. They could be for economic reasons — that they don’t want everybody to panic, “Oh my god, all of our chips are tainted.” The second is there could be an error in the detection as well — whether or not the trojans were really present or they were a different artifact or natural defect in how the chips were manufactured. A lot of things could happen. 

Bloomberg stands by the report, even to today, and there were other rumors that these were actually present. But I’m not going to go against the tech companies or our own intelligence. If they say they did not exist, for whatever reason, I would want to believe that they did not exist.

Go deeper  

Learn more about Sanjay Goel's cyber defense expertise, including the prestigious NSA certification for the Massry School of Business' Digital Forensics program as a National Center of Academic Excellence. 

Sanjay also serves as research director at the UAlbany-based New York State Center for Information Forensics and Assurance.

UAlbany's College of Emergency Preparedness, Homeland Security and Cybersecurity was also recently designated a National Center of Excellence in Cyber Defense by the NSA. 

The College of Nanotechnology, Science, and Engineering (CNSE), meanwhile, has deep expertise on microelectronics R&D and fabrication, including the capability to design and manufacture chips embedded with malicious trojan hardware for testing.

Sanjay is working with colleagues in CNSE to develop a testbed that will enable researchers to fabricate and study malicious chips to make them easier to find. 

Campus news

Upcoming events

Explore everything happening on campus with the University at Albany Events Calendar

Episode credits 

Audio editing and production by Scott Freedman
Photos by Patrick Dodson
Written and hosted by Jordan Carleo-Evangelist

Episode Transcription

0:01 Jordan Carleo-Evangelist

Welcome to The Short Version, the UAlbany podcast that tackles big ideas, big questions and big news in less time than it takes to cross the Academic Podium. I’m Jordan Carleo-Evangelist in UAlbany’s Office of Communications and Marketing.

At this point, we should all know the basics of cybersecurity. Don’t click on weird links. Don’t open attachments from people you don’t know. And yes — thank you mandatory annual training — don’t plug the thumb drive you found in the parking lot into your work computer. Or any computer for that matter. 

Virtually all this advice, however, is meant to protect you from malware — malicious software that can hijack your devices and steal your secrets. But what happens when the devices themselves — say the smartphone you’re streaming this podcast on, or the computers that control our electric grid — have been corrupted since the moment they left the overseas factory that built them?

That is the unsettling reality of hardware trojans. Hardware meaning electronic devices. Trojans, as in the Trojan Horse, the mythical artifice used by the ancient Greeks to sneak inside and conquer the city of Troy.

In this episode, our guide to this world of surveillance and sabotage by design is Sanjay Goel, Morris Massry Endowed Professor and chair of UAlbany’s Department of Information Security & Digital Forensics. Sanjay helped us understand why hardware trojans are such a serious threat to national security and what the U.S. can do to protect its critical infrastructure.

1:29 Sanjay Goel

What a hardware trojan is is when somebody has inserted a malicious sort of etching onto a layer of the chip, which could be for eavesdropping or it could be for disrupting operations. That’s a hardware trojan.

Hardware trojans can disrupt operations. For instance, if you look at a lot of the power transformers, the large ones, they’re basically coming from outside the country — a lot of them from China. The trojans could be sitting latent in case of a conflict between China and the U.S. They could always invoke the circuitry and basically cause disruption in the power sector. 

If you have critical defense equipment like missiles and whatnot using chips, in real time they could be manipulated to basically misdirect those missiles. So a lot of things can be done. For instance, during the China and India conflict at the border suddenly a lot of power systems started going down in places like Mumbai and whatnot, so how were they created? It has to be some kind of a manipulation. It could be the malware, or it could be the hardware. We don’t know the answer to that. There is suspicion but no proof. We need to be able to get the proof.

Creating hardware trojans is not easy, but they can be done. The question is how to detect them. How do you trust the supply chain? That’s the fundamental issue. 

Designing and manufacturing chips is very, very complex, involving a lot of different parties. There will be one entity which is providing software and hardware designs, somebody else is manufacturing it. So the supply chain is complex. Typically, a lot of the design work is done in the U.S. and then for manufacturing it is sent out maybe to Taiwan or to China or to Singapore. And what these countries have done is they have basically scaled the production so they can do it at a much lower cost. We have a vulnerability there. So as long as we don’t control it, we’re not able to have trusted foundries of our own, we will always have to worry about somebody infiltrating into those fabs.

There’s sophisticated ways of testing. First of all, you can basically look at the parameters coming out of (the chips), you can look at the data flows and whatnot. You can also start delayering the chip layer by layer by layer, but that’s very expensive.

This needs to be done at the infrastructure level — at the government level, at the large corporation level. Companies like Nvidia, Intel — they need to start figuring out how to secure the designs, how to create these trusted designs and how to easily test them.

One of the things that we’re interested in doing at UAlbany is basically developing and testing algorithms, and for that we need to create a testbed of pre-created trojans of all different kinds so we can test our algorithms against them. Right now we’re basically running blind, you know? We suspect there are a lot of trojans but we have not been able to refine or test our algorithms. 

We could sit down and, using our nano foundries, start designing malicious chips of our own so that we could build a test bed and be able to validate our algorithms for detection, so slowly and slowly we can start building trust in our ability to detect these trojans. We need to start refining our algorithms and have a test bed of malicious chips and benign chips so that we can compare the parameters, and we can do it here. UAlbany is certainly in a unique position to be able to do that. We have one of the strongest forensics programs, and we have a nanofactory right in our backyard, so we are able to do chip forensics at a scale and capacity that none of the other universities will be able to do. Plus we have GlobalFoundries nearby, so we can design the chips, manufacture them, test them and then scale them for distribution to the other researchers. 

What advanced AI can do is help us analyze the data coming out of those chips at a large volume of data and be able to do anomaly detection. 

My largest concern is that a lot of the trojans, they’re sitting in our critical infrastructure, including our power infrastructure, including our air traffic control and whatnot. So these are the things that worry me. If somebody were able to manipulate those chips, it could cause real harm to the American public. 

There is reason for optimism because the CHIPS Act and the current administration’s efforts at securing the supply chain within the U.S. – that’s an important one. Second, we now understand the problem well and we know how we can execute and develop our algorithms. So going forward, if there are enough resources available, we will be able to make inroads into the detection part much better. 

When the computer viruses first started, it was very hard to detect them. And we are at this stage where we now understand how these trojans work, how they’re inserted and what we can do to manage and control them. We just need to forge a research direction in which we’re able to develop new algorithms for testing, new ways in which we can secure the designs and be able to test them against manufactured chips. I think we’re moving in the right direction. I think trying to get some control and chip manufacturing in the U.S. is absolutely essential for the Western world to feel secure. Even if there are no trojans out there, just the suspicion that there are trojans in our critical infrastructure is pretty stressful. So until we’re able to secure the supply chain and be able to create trustworthy chips for the critical infrastructure, we need to keep investing in this – both in R&D and in our manufacturing facilities. 

6:56 Jordan Carleo-Evangelist

That was Sanjay Goel, Morris Massry Endowed Professor and chair of the Department of Information Security & Digital Forensics. 

Sanjay explained how researchers right here at UAlbany are working to protect computers critical to our national and economic security from nanoscale spy tech.

To learn more about “The Big Hack” — a deeply contested report of a massive Chinese hardware spy operation, and to read Sanjay’s take on the controversy surrounding it — be sure to check out The Long(er) Version in our show notes. 

Catching up on the big news from across campus…

Gov. Kathy Hochul recently announced a major $50 million expansion of UAlbany’s Life Sciences Research Building. With as much as 20,000 square feet of flexible new lab space and access to advanced AI computing, the expansion will support the work of The RNA Institute to accelerate the discovery of RNA-based treatments for devastating diseases like myotonic dystrophy and ALS.

 

Also last week, President Rodríguez joined Albany County Executive Dan McCoy to announce UAlbany’s latest major investment in midtown Albany. The University plans to buy Centennial Hall, a residence hall on Madison Avenue once owned by The College of Saint Rose. The acquisition will help UAlbany meet increased demand for on-campus housing from juniors, seniors and grad students. The purchase will need to be approved by the Pine Hills Land Authority, which is overseeing redevelopment of the Saint Rose campus.

In major academic news, New York State has approved UAlbany’s new four-year bachelor of science in nursing — the product of a new clinical partnership with Albany Med Health System. The new program represents the College of Integrated Health Sciences’ continued expansion of its allied health programs. Current UAlbany students can enroll this spring, and enrollment will open to new students in the fall of 2026. 

Looking ahead to next week:

Friday night on the Downtown Campus, the New York State Writers Institute will host two panels on politics, principles and “Telling the Truth in a Post-Truth World.” The free events at Page Hall will feature former U.S. Congressman Chris Gibson, novelist Ayad Akhtar, journalist Lydia Polgreen and Fordham University law professor Zephyr Teachout.

Aspiring scientists and techno wizards will once again pack ETEC Saturday morning for UAlbany’s annual STEM & Nanotechnology Family Day. Kids in grades 2–8 will be able to test robots, explore climate science, play with oobleck, build with Legos and try nano-inspired experiments. While registration for this event is currently full, a waitlist is available.

Later Saturday, the Great Danes will play their final home football game of the season against the Towson Tigers at Tom & Mary Casey Stadium. That’s a 1 p.m. kickoff, and tickets are available on UAlbanySports.com.

You’ll find links for all these stories and more in the Today at UAlbany News Center — and a link to the full University Events Calendar in our show notes.

The Short Version would not be possible without contributions from many people, including for this episode Scott Freedman and Brian Busher, who provided audio production and editing support from the UAlbany Digital Media studio deep inside the Podium tunnels.

We’ll be back next Wednesday to explore how scientists at UAlbany are looking to the human brain for inspiration for the next generation of powerful computers.

Thanks for taking a minute with us. I’m Jordan Carleo-Evangelist here at the University at Albany, and this has been The Short Version.