Just how much American spy stuff is built into Intel chips?
Loads
Have fun reading about the Intel Management Engine (IME) - that's an actual bit of silicon with god-rights to most of what's going on in your computer. Part of the reason the last thing you'd do to Intel machines is start adding extra chips to motherboards when software attacks on the existing silicon are generally much less visible, and attacks on the IME black box might be functionally undetectable.
AMD has pretty much the same sort of deal BTW, albeit licensed from ARM (and called TrustZone) rather than developed in-house. It's had less in the way of bad press than IME but it's also received less scrutiny.
Aw, this was such a fun story. A shame it turned out to be cobblers.
Well, I've been highly sceptical about the story from the start, but I'd be wary of calling it cobblers wholly - it's exactly the sort of thing an evil nation-state might do given access to the hardware supply chain, but I'm reasonably certain there are much easier ways to go about it by exploiting the software side of things. With a trojan chip you can yank out the board and go "look, there's a trojan chip!" but if someone monkeys with the firmware of the NIC to send out CnC messages interposed between regular traffic only on the nights of a full moon, you will have a nigh-impossible job of spotting it unless you've got some proper IDS running - or just refuse to have your computers talk directly to the internet.
There is speculation that backdoors exist in some FPGAs and ASICs. Then there are the concerns raised recently by ‘C’ and others regarding Huawei/ZTE (valid or politics or a bit of both?). Certainly some apparently have backdoors (but put here by who and for what purpose - the vendor for debugging, but even those could be abused). Possibly TAO and similar exploit these but they most definitely exploit holes in other vendor hardware and software all the time - there’s so many to choose from.
Sadly there seems to be a new backdoor uncovered monthly. Cisco have had several this year (mostly in software), and of course there's been the barrels'o'fun Meltdown and Spectre vulns exploiting hardware fundamentals - and those are just the accidental ones. As the proverbial infosec litany goes, as a good guy you have to win every time in order not to get hacked, but the bad guys only have to win once. And most places relying on tech haven't the faintest idea, or even care about adequately securing stuff even on what a tinfoil-loving IT professional like myself would call a reasonable basis.
For example, there’s a repurposed banking trojan doing the rounds at the moment, causing a lot of damage by exploiting security holes that the puzzle palace discovered, used to keep to themselves to compromise specific targets, but eventually had to tip M$ off about when they realised it had escaped into the wild and was being abused by criminal gangs.
A great deal of malware recently has been based on 0day vulns that have been discovered by various nations and kept hidden (instead of telling the vendor so it could be fixed or mitigated) so as to be weaponised more effectively.