Yeah. I'm just wondering that myself. If you have USB access you can probably also reach the power button, in which case - short of full disk encryption - you're pwned anyway.
Not sure I buy the hacking model of distributing USB disks with rootkits on them - yes, I've seen Mr Robot - I know that it's possible, but it's a bit specialised and doesn't scale well. Plus, I presume the stick has to be in the drive when the machine boots, no? It's not like if you plug in a USB stick claiming to be a JTAG interface it will somehow magically bypass the OS USB stack and go straight to the lights-out chip. That might fly with firewire but USB has only a single master.
In short, nice hack and Intel deserve a kick up the arse, but I don't see this being a major risk - unless it works without booting the machine, and with the software-simulated USB over XHCI as someone posited above. Then we're all fucked.
Biting the hand that feeds IT
