Ha!
You think hard disc firmware is scary. Have a look at that iLO or iDRAC or whatever on all your production servers and wonder to yourself:
"WTF is that doing at the moment?"
Hint: it can pause execution of its host, dump any range of memory, registers etc., all without the host knowing what's going on. It's also a Linux box with a full toolset running in plain sight. vPro covers many desktops in a similar way and hard discs for the rest.
Trojan-tastic