Re: Let's not go overboard with this.
Let's armchair-design a recreation of this exploit, and see how close we get to the real thing after all the facts come out, shall we:
I read the original Bloomberg article. The way the article was written, it sounded like the "signal conditioner" chip could connect to the network, by itself! Only later on did it go into "detail" about it modifying the code for the BMC.
What all of this points out is something very important in system design: the CPU should not boot code that it can't verify through a chain of trust. There are a number of commercially available solutions for this, and they have been on the market for years. The concepts have been out there for far longer. Manufacturers have no reason not to pursue secure operation.
The real problem with all of this is that the motherboard design has to be modified! If a shared serial bus was modified, then that means there will be a signal conflict on the bus to modify instructions. The problem with this is that the commands are like, "Hey, #24, talk to me!" Then #24 talks, and does it blindly. To actually do what the article claims, the chip has to be in series between the CPU and the memory. That would take a change in the traces, etc. So the motherboard would have to be redesigned to incorporate the chip.
Whatever is going on, we aren't getting the full story yet.
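The "chain of trust" point in the post above, shown as an added example (this is not the poster's code and not any vendor's implementation). It models verified boot with hash pinning: an immutable ROM pins the SHA-256 digest of the first stage, and each stage carries the digest of the stage it is allowed to hand off to, so a modified later image (a tampered BMC firmware, say) fails verification and the boot stops. The stage names, image layout and payload bytes are constructed for illustration; real implementations pin public keys and verify signatures rather than raw digests, but the control flow is the same.

```python
"""Added example: a minimal verified-boot chain using hash pinning.

Layout assumed here (an illustration, not a real firmware format):
    image = payload || SHA-256(next stage image)
The final stage carries an all-zero digest meaning "end of chain".
"""
import hashlib

DIGEST_LEN = 32
END_OF_CHAIN = b"\x00" * DIGEST_LEN


def sha256(data):
    return hashlib.sha256(data).digest()


def build_stage(payload, next_digest=END_OF_CHAIN):
    """Assemble a stage image: payload followed by the pinned digest of its successor."""
    return payload + next_digest


def pinned_digest(image):
    """The digest a stage pins for the stage it will hand off to (trailing 32 bytes)."""
    return image[-DIGEST_LEN:]


def verified_boot(rom_digest, images):
    """Walk the boot chain, verifying each image against the digest pinned by its
    predecessor (the ROM for stage 0). Returns the stages that were allowed to run;
    the walk stops at the first mismatch, so nothing after a tampered image executes."""
    executed = []
    expected = rom_digest
    for i, image in enumerate(images):
        if sha256(image) != expected:
            break  # refuse to run code the previous stage did not vouch for
        executed.append(f"stage{i}")
        expected = pinned_digest(image)
    return executed


def unverified_boot(images):
    """The behaviour the post warns about: every image runs, checked by nobody."""
    return [f"stage{i}" for i in range(len(images))]


# Constructed images for a three-stage chain; the ROM pins only the first one.
BMC_FW = build_stage(b"constructed BMC firmware payload")
BOOTLOADER = build_stage(b"constructed bootloader payload", sha256(BMC_FW))
INIT_LOADER = build_stage(b"constructed initial loader payload", sha256(BOOTLOADER))
ROM_DIGEST = sha256(INIT_LOADER)
GOOD_CHAIN = [INIT_LOADER, BOOTLOADER, BMC_FW]


def tampered_bmc_chain():
    """Only the last image is modified (an implant appended to the BMC firmware)."""
    evil_bmc = build_stage(b"constructed BMC firmware payload + implant")
    return [INIT_LOADER, BOOTLOADER, evil_bmc]


def repinned_chain():
    """The attacker also rewrites the bootloader so it pins the malicious BMC image.
    That breaks the bootloader's own digest, which the (unmodified) initial loader
    pins, so the mismatch just moves one stage closer to the root of trust."""
    evil_bmc = build_stage(b"constructed BMC firmware payload + implant")
    evil_bootloader = build_stage(b"constructed bootloader payload", sha256(evil_bmc))
    return [INIT_LOADER, evil_bootloader, evil_bmc]


if __name__ == "__main__":
    print("good chain, verified:    ", verified_boot(ROM_DIGEST, GOOD_CHAIN))
    print("tampered BMC, verified:  ", verified_boot(ROM_DIGEST, tampered_bmc_chain()))
    print("re-pinned chain, verified:", verified_boot(ROM_DIGEST, repinned_chain()))
    print("tampered BMC, unverified:", unverified_boot(tampered_bmc_chain()))
```

Run it and the three verified cases return three, two and one executed stages respectively, while the unverified boot happily runs the implanted image. The design point is that an attacker who can only change a later image cannot repair the chain without changing everything back to the digest held in ROM, which is exactly the component they cannot rewrite.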