BadUSB (and by extension, the hypothetical rooted android device) both create a dodgy USB device which interacts with the OS to do bad things. I know about that (I've built quite a few USB devices myself). They don't "attack the baseline controller", but act as a keyboard, disk - all normal devices that the OS would expect to see, but programmed in a way to attack the target computer by sending malicious keystrokes etc.
But this hack requires the USB device to interact with the Intel lights-out chip, not the OS. That was the point I was making: while the OS is running, the OS is in control of all USB communications and would (I believe) have to explicitly allow the device to communicate with the lights out chip. This is because USB is a single-master design, so you cannot have two USB controllers acting on the bus at the same time.
USB devices report themselves by vendor and product ID, so it's possible that the Intel management chip would intercept any USB devices of a certain type (the described JTAG-to-USB device) and not report them to the OS. Then, this attack would work against a running computer. But that's not what was reported.
Biting the hand that feeds IT
