In this week’s Security Ledger Podcast, sponsored by Trusted Computing Group, we’re talking about securing the hardware supply chain. We’re joined by Michael Mattioli, a Vice President at Goldman Sachs who heads up that organization’s hardware supply chain security program.


When we think about cyber threats to the hardware supply chain, we often think about defense contractors making missiles and fighter jets. But these days, hardware supply chain security affects a wide range of companies – not just technology giants like Intel or cloud computing providers like Amazon and Google, but banks and financial services companies, healthcare companies, consumer electronics firms and more. 

Despite media attention to the problem, the awareness of hardware supply chain risks is still low within companies. Tools and talent to address it are hard to find and expensive. What’s a company to do? In this episode of the Podcast we welcome Michael Mattioli into the Security Ledger studio. Michael leads the Hardware Engineering team within Goldman Sachs, where he is responsible for the design and engineering of the firm’s digital experiences and technologies. He is also responsible for the overall strategy and execution of hardware innovation both within the firm and within the broader technology industry.

“Grandma deserves to know that her iPhone is genuine in the way that a corporation deserves to know if their $30,000 server is genuine.”

Michael Mattioli, Goldman Sachs

Michael is the co-author of a paper “Consumer Exposure to Counterfeit Hardware” where he notes that many of the methods used to ensure hardware supply chain integrity are manual and fallible – including visual inspection of installed parts or open source research on sellers. He’s trying to sound the alarm about the threat that hardware supply chain insecurity poses to our entire economy. Michael’s part of a new working group at Trusted Computing Group and the GSA that is working to develop standards based technology and tools to enforce hardware integrity at scale. 

In this interview, Michael and I talk about the growing risk of hardware supply chain risk and the need for coordination throughout the industry to address hardware security threats. 

To start off, I asked Michael to describe the work he does at Goldman Sachs and why a financial services company employs a hardware security expert. Goldman Sachs joined the TCG in February as it looks for partners in securing FinTech, where activities like mobile transactions are growing by leaps and bounds.  


(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

Between Black Friday and Cyber Monday, consumers across the U.S. spent the weekend snapping up deals on home electronics like smart TVs, game consoles and appliances. Total season-to date holiday spending, including Cyber Monday, is over the $100 billion threshold according to data from Adobe. 

Lots of factors drive consumer decisions to buy one product over another: price and features chief among them. But what about cyber security? Unlike, say, the automobile marketplace, concerns about safety and security are not top of mind when consumers step into a Best Buy or Wal Mart looking for a new flat screen TV. And ratings systems for cyber security, from organizations like UL and Consumer Reports, are in their infancy and not widely used.

Episode 170: Cyber Monday is for Hackers

found to have numerous, serious security flaws that could have left it open to remote access and data theft – all without need of a login or password. And TCL acknowledged to Security Ledger that access to on-board cameras and microphones is available to company support personnel, though only with the permission of the owner, according to a company statement.  

This isn’t a new occurrence. Consumer Reports warned in 2018 about vulnerabilities in smart TVs by Samsung, TCL and Roku that used Roku’s smart TV platform.

Expert: Patch Bluekeep Now or Face WannaCry Scenario

But concerns about the cyber security of smart home electronics go way beyond TVs. As our guest this week, Yossi Appleboum of the firm Sepio Systems tells us, software and hardware supply chains are rife with vulnerable – if not compromised components. And companies, like consumers, often have no idea whether a product they’ve deployed might be secretly spying on them, or channeling sensitive data to an unknown party or country. 

While many organizations think the notion of keyboards, monitors and other hardware “spying” on them as the stuff of “James Bond” movies, Appleboum says that the threat is real – and much more common that either companies or consumers are aware.

Podcast Episode 128: Do Security and Privacy have a Booth at CES?

Appleboum’s firm, Sepio Systems, provides visibility, policy enforcement and “rogue” device mitigation capabilities, to organizations concerned about the risks posed by hardware assets.

In this conversation, Yossi and talk about the supply chain security risk and how concerned consumers should be about the security of electronic devices being pushed on them this holiday season. 


As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.