[chithanh]

As the source of the report and the communication between them and Bloomberg remains undisclosed, we can only speculate.

Perhaps there was a Chinese whispers (no pun intended) style miscommunication and while the original source meant "software component", it became "hardware component" somewhere along. Or the attack was actually developed as proof-of-concept but never applied in the wild. The attack is feasible as other security researchers have shown:

https://media.ccc.de/v/35c3-9597-modchips_of_the_state

[detaro]

Yeah, but after Bloombergs repeated insistence that they got it right and stand behind their reporting I'm really only willing to give them credit it something that actually matches what they claimed gets revealed. Because "BMCs are vulnerable" is not a big story, they don't get to claim that as evidence for their wild claims.