
It'd be really impressive if the NSA could intercept a shipment of a router manufactured in Russia or China, and then re-insert the shipment into the supply chain. Now I know why Cisco gear always takes forever to ship.



Tons of networking components contain microprocessors, microcontrollers and programmable logic with excess capacity for their role and could hide implants in software, firmware or even bitstreams without changing a single part of the hardware, e.g. leaking encryption keys as jitter observable to a passive attacker, just waiting for a backdoor command to e.g. drop or massively delay 90% of all traffic, or even fry the hardware by overvolting or intentionally violating bus arbitration rules by having multiple push-pull drivers active at the same time on a bus. You're only limited by the available time, physical access, hardware and the creativity of your paranoia. Should such implants exist, they could be installed in a few minutes, either through whatever update process is supposed to patch the involved components, through exposed test pads, or even by clipping suitable packages on the boards, e.g. a serial flash chip. It's a scary paranoid idea.

There is no need to add imaginary Chinese spy chips to Supermicro mainboards: the common AST2x000 BMC chips are already ideal spy chips by design, and given the observed quality of the firmware, e.g. there used to be an undocumented command available via the SSH management shell to drop into a root shell on the BMC, and you could just download the plaintext password file required to log in via HTTP. While disclosing the password file via SSH is bad, you can't even blame Supermicro for storing the plaintext passwords in the first place, since IPMI BMCs have to store the plaintext passwords because they're required for the terrible challenge-response handshake mandated in the protocol, which doesn't allow storing only a precomputed salted hash over the password. How many companies dispose of old servers without wiping the BMC passwords? How many of them reuse a single password over large parts of the server fleet? Some days I find it hard to attribute this to incompetence instead of malice. Now where have I left my tinfoil hat? Sigh.
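As an added illustration (not part of the comment above, and not Supermicro's or any IPMI implementation's code) of the point about plaintext password storage: a toy Python model of a password-keyed challenge-response handshake, showing that the verifier can only complete it when it holds the password itself and not a salted hash, plus a small fleet audit for the password-reuse question the comment raises. The message layout is a constructed simplification and not the IPMI 2.0 RAKP wire format; the hostnames and passwords in `FLEET` are constructed sample data.

```python
"""Added example, not code from the thread or from any BMC/IPMI vendor.

Toy model of why a password-keyed challenge-response handshake leaves
the verifier (the BMC) holding the plaintext password, plus a fleet
audit for shared BMC passwords. The exchange is constructed and
simplified; it is NOT the IPMI 2.0 RAKP format, only the property the
comment describes: the verifier must compute an HMAC whose key is the
password itself.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def keyed_response(password: bytes, challenge: bytes) -> bytes:
    """Client and verifier both compute HMAC(key=password, msg=challenge).
    The password is the HMAC key, so a hash of it is not enough."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class PlaintextStore:
    """Verifier that keeps raw passwords, as the comment says BMCs must."""

    def __init__(self, users: dict):
        self.users = dict(users)  # user -> plaintext password (bytes)

    def verify_challenge_response(self, user, challenge, response) -> bool:
        pw = self.users.get(user)
        if pw is None:
            return False
        return hmac.compare_digest(keyed_response(pw, challenge), response)


class SaltedHashStore:
    """Verifier that keeps only salt + PBKDF2 digest. It can check a
    password presented directly, but cannot complete the keyed handshake:
    recovering the HMAC key would mean inverting the hash."""

    def __init__(self, users: dict):
        self.users = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self.users[user] = (salt, self._derive(pw, salt))

    @staticmethod
    def _derive(pw: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)

    def verify_direct(self, user, password: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._derive(password, salt), digest)

    def verify_challenge_response(self, user, challenge, response) -> bool:
        raise NotImplementedError(
            "cannot compute HMAC(password, challenge) from a salted hash"
        )


def handshake(verifier: PlaintextStore, user: str, password: bytes) -> bool:
    """One round of the toy handshake: verifier picks a nonce, client
    answers with HMAC(password, nonce), verifier recomputes and compares."""
    challenge = os.urandom(16)
    response = keyed_response(password, challenge)  # client side
    return verifier.verify_challenge_response(user, challenge, response)


# Constructed sample fleet: hostname -> that BMC's plaintext user table.
# Three hosts share one ADMIN password; bmc-04 has a per-host one.
FLEET = {
    "bmc-01": PlaintextStore({"ADMIN": b"Winter2014!"}),
    "bmc-02": PlaintextStore({"ADMIN": b"Winter2014!"}),
    "bmc-03": PlaintextStore({"ADMIN": b"Winter2014!", "ops": b"unique-ops-pw"}),
    "bmc-04": PlaintextStore({"ADMIN": b"per-host-secret"}),
}


def reused_passwords(fleet: dict) -> list:
    """Group host:user pairs whose stored password is identical. Compares
    SHA-256 fingerprints instead of moving raw passwords around; returns
    only groups with more than one member, sorted for stable output."""
    by_fp = defaultdict(list)
    for host, store in fleet.items():
        for user, pw in store.users.items():
            by_fp[hashlib.sha256(pw).hexdigest()].append(f"{host}:{user}")
    return sorted(sorted(g) for g in by_fp.values() if len(g) > 1)


if __name__ == "__main__":
    print(handshake(FLEET["bmc-01"], "ADMIN", b"Winter2014!"))  # True
    print(reused_passwords(FLEET))
```

The `SaltedHashStore` is what a web login could use; the same store cannot answer the keyed handshake, which is the structural reason a BMC that must speak this kind of protocol ends up with recoverable passwords on disk. The `reused_passwords` audit is the check a fleet owner can run over exported BMC user tables before decommissioning hardware.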


> manufactured in Russia or China

> Servers, routers get “beacons” implanted at secret locations by NSA’s TAO team. (subtitle from the article in GP; emphasis mine)

Didn't make sense at first but now it does. Yeah, that would be impressive.



