Because the reporters involved are shit, may (according to some sources) be paid based on how much they move the market, and have got this kind of thing wrong three times before now.
It's plausible that something you put there could interpose the SPI flash, and 5 or 6 pins is the minimum you'd need to do that.
But you don't NEED a tiny simple chip to compromise it. Until 6 September 2018, Supermicro BMC board updates were unsigned. blog.eclypsium.com/2018/09/06/insecure-firmware-updates-in-server-management-systems/
Its bootcode still is, and the AST2400/2500 series are open and well known, so you could just flash the fucking SOIC-16 SPI flash with OpenBMC or patch it or something.
You know who's known for doing overcomplicated hardware implants when you don't need them? NSA TAO. You know who's known for doing the simplest possible? The Chinese.
The attribution doesn't make sense: every one of the supposed victims and agencies has issued the most on-the-record flat denials they could - which cannot legally be compelled speech, even with an NSL - and at least one of the sources (Joe Fitzpatrick) has said they got the wrong end of the stick entirely: risky.biz/RB517_feature/
>He also provided Risky.Biz with emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.
It's fucking bullshit, is what it is.
COULD someone do this? Yes. The only agency actually known to have done something like this in the past, however, is NSA TAO with Cisco routers, and that was delivery interdiction with access to the design schematics, not at-source.
DID this particular exact thing happen? All signs point to Nope.
Attached: nope.jpg (1909x1070, 195K)