It isn't implausible because of it being difficult and expensive, its implausible because there already exist much easier, cheaper, and (arguably) harder to detect ways of subverting SuperMicro motherboards.

As a bonus, subverting the BMC firmware is much harder to trace to the source since it could be injected by in so many ways by so many different people.

Why use a thermonuclear device when a hand grenade accomplishes the goal?

I just don't think the relationship between those two things you are describing exists. If the Chinese government approaches a Chinese manufacturer with the goal of compromising US software companies adding some sort of chip that reconfigured the hardware would be the most straight forward thing for them to do.

If anything I think the idea that a Chinese manufacturer with complete access to the hardware having to execute some exploit towards the web interface to get access is far fetched. So is that you could pretend to update the firmware (surely no one is going to notice that the new version doesn't have the features you wanted?) and that dumping the firmware would be inconvenient (it would be the first thing you did if you suspected something).

The "chip that reconfigured the hardware" is already built in; it's the BMC.

All the Chinese government has to do is go to the factory and tell them "flash the BMC firmware with this image" where the image is subverted (but operationally indistinguishable) BMC firmware. It doesn't get much more straight forward than that.

There are attacks where flashing a malicious firmware on to the device prevents real firmware flashing (just updates version numbers, re-infects the flashing payload on write, etc). However, those attacks can be mitigated by physically connecting to the flash module and writing to the device directly through SPI. If you've got a chip between the BMC and the flash memory as the report suggests, it can re-infect the memory even when you're done. You could even read the contents of the flash memory directly and find no evidence of the attacker, as the attack code might never actually write to the memory and may only load when the BMC boots and attempts to read from the flash memory.

It is straight forward to compromise the BMC, it isn't straight forward to hide a backdoor in the BMC in front of some of the best security researchers in the world. Especially with such attack being well known and seemingly trivial to check for.

the very arguments the article gives to shun off this attack is what i think makes it very possible and the best option. Scale.

NSA demand backdoor on CPUs. other States figure out how the backdoor works and how access to it is allowed on the silicon. Instead of attacking ever changing firmware and whatnot, just develop something that will work on that authentication component of the always-present backdoor. The backdoor interface won't change so often as it is dictated by the NSA and likely designed by a committee.

Done. Now the economies of scale allow you to just place that one component, which will work all over the place, for a very low price/complexity (all you really have to do is to place it in the input signal for the CPU and all it have to do is to filter a very specific pattern. the rest is just visual and camouflage).

This also gives you the benefit of not having to work a payload for your attack depending on capabilities. You will always have the same capabilities. It makes perfect sense. And makes it extremely cheap!

Great question. Better yet why not have both and use whichever one suits you the best at the time?

> Often reality clashes with imagination

Often reality follows [somebody's] imagination - i mean you have those think tanks where people sit and imagine things, and the sponsoring agencies like CIA/Pentagon/NSA or their foreign equivalents take many of that and implement. Many people everywhere had the thought of full remote control of the computers - Intel implemented it as Intel ME feature of CPU because Intel controls CPU. China controls motherboards, so they did on the motherboards.

Exactly.

How much has the US spent on the F-35? How much has China spent on making artificial islands? Yet engineering a chip and bribing/threatening a few factory workers is beyond the pale?

Bloomberg's claim is that a miniature device used for RF analog electronics was coopted and inserted into a board that would never have such a part designed in. This requires modifying the board artwork, the pick and place config, any automated inspection and test equipment, and adding a foreign part reel to the supply chain.

It is much easier to compromise firmware directly or modify ICs that are already part of the design. The risk of being caught is much lower and it would be stupid to attempt anything more elaborate.

  This requires [et c.]

Or, they could run their own fabrication facilty, where they can exert total control over the production line, in total secrecy, and you'd never know the difference, or notice a sacrifice in the fidelity of replication.

Think that's impossible? Not at the nation-state level. Not in communist countries where everything is property of the government by default. Not in capitalist countries like the United States, where entire nuclear facilities are replicated in secret. [0]

[0] https://www.businessinsider.com/the-us-built-a-secret-replic...

Not in capitalist countries like the United States where you can just contract a manufacturer to produce the board you want. Even parts acquisition becomes a job to be done. As long as the producer dosn't know (or even does know but can be silenced at the right level) then really, once the actual design is in hand and assuming the parts aren't too hard to get there's little to stop someone from producing a board just like a board produced elsewhere.