Connect with us

Hi, what are you looking for?


Supply Chain Security

Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain

New Ways to Secure Electronics Supply Chain

Student Hackers Develop New Design Techniques to Protect Against Vulnerabilities in Vital Components in the Electronics Supply Chain

New Ways to Secure Electronics Supply Chain

Student Hackers Develop New Design Techniques to Protect Against Vulnerabilities in Vital Components in the Electronics Supply Chain

Security concerns over chips, routers, and other technical equipment coming from China, and through the technology supply chain in general, have been highlighted in government reports and in the media recently.

These fears over tainted hardware stem from the thought that adversaries could have the ability to monitor or control sensitive networks.

Researchers at Polytechnic Institute of New York University (NYU-Poly) and the University of Connecticut hope to address some of these concerns with new techniques designed to protect against malicious manufacturing flaws and vulnerabilities in the electronics supply chain.

Ramesh Karri, an electrical and computer engineering professor at NYU-Poly, explains that most engineers design systems under the assumption that the underlying hardware is trustworthy, an assumption, he says, is false.

According to The White House’s Cyber Policy Review, samples of imported hardware and software have been discovered that have deliberately been infected with spyware and malware before being imported. “The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover,” the report warns.

In May 2010, for example, the FBI seized more than 700 pieces of counterfeit Cisco network hardware and labels with an estimated retail value of more than $143 million. While that scheme was conducted for financial gain, designers of integrated circuits and microchips also need to protect military, financial, transportation and other critical digital infrastructure from malware inserted by intruders with other criminal or military intentions.

According to the FBI, from November 2007 to May 2010, Customs and Border Protection and Immigration and Customs Enforcement made more than 1,300 seizures involving 5.6 million counterfeit semiconductor devices. These semiconductors are used extensively in modern products, including many used in government, military, and aerospace industries. More than 50 seized counterfeit shipments were falsely marked as military or aerospace grade devices. 

Advertisement. Scroll to continue reading.

Karri, along with researchers from the University of Connecticut, have developed new techniques that designers can use to defend against such weaknesses in the supply chain.

Their new “design for trust” techniques add to the established “design for manufacturability” and “design for testability” mantras and build on existing design and testing methods.

One such technique involves ring oscillators, which are sets of odd numbered, inverting logic gates that designers use to ensure an integrated circuit’s reliability. Circuits with ring oscillators produce specific frequencies based on the arrangement of ring oscillators. Trojans alter the original design’s frequencies and alert testers to a compromised circuit. However, sophisticated criminals could account for the frequency change in their Trojan design and implementation, the researchers warn. Karri and his team suggest designers thwart their tactics by creating more variants of ring oscillator arrangements than criminals can keep track of, making it harder for them to implant a Trojan without testers detecting it.

Unlike microbiologists that often have easy access to sample viruses, Karri and other hardware security researchers cannot study ample real-world Trojans because companies and governments are often reluctant to share infected hardware for reasons of intellectual property, national security or fear of embarrassment. Karri and his colleagues decided to do some crowd sourcing to collect sample Trojans that informed their design-for-trust techniques.

Graduate and undergraduate students from across the country build and detect hardware Trojans for the Embedded Systems Challenge, part of NYU-Poly’s annual Cyber Security Awareness Week white-hat hacking competition. Karri and his team analyzed a diverse collection of 58 submissions from the 2008 competition and developed a taxonomy that is helping to standardize metrics for evaluating Trojans.

Crowdsourcing Trojans benefits the team’s research and will help guide future researchers and practitioners, according to Jeyavijayan Rajendran, an NYU-Poly electrical and computer engineering doctoral candidate and co-author. Rajendran was the 2009 winner of the Embedded Systems Challenge and has been the student leader of the national challenge since then. In the 2010 competition, Rajendran’s 2009-winning defense was successfully attacked. “I went back and studied the vulnerabilities and developed additional techniques to fix them,” he says. “The Embedded Systems Challenge changed my research process. Now I am not only thinking from a defender’s point of view, but I am also thinking from an attacker’s point of view.”

Trojans from the Embedded Systems Challenge and the design-for-trust techniques are available on, a National Science Foundation funded site created to encourage community building and knowledge exchange among hardware security researchers and professionals. 

In addition to the NSF, the Air Force Research Laboratory is supporting Karri and his team’s research at NYU-Poly. The final rounds of the 2011 NYU-Poly CSAW challenges will be held Nov. 9 – 11, 2011, in Brooklyn. More information is available here.

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends

Related Reading: Security Focus on Consumer Electronics w/ Free Software Trial

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.