Re: I'm surprised that anyone is surprised that a Chinese owned or controlled company would do this.
"You cannot just solder a chip on a board to have it spy for you."
Well, the allegation is that they had modified the board's design. The manufacturer has the Gerber files [or whatever has the design on it], and it wouldn't take a lot to edit those to include a "something" to which a new chip would be soldered [or embedded within the layers even].
I understand the tech to embed devices between layers has already been used by Apple, or so I've read. In some cases it might be highly useful to do that [example, power supply bypass capacitors or a resistor array]. Series resistors are often used to abate 'unintentional radiator' signal noise, and so a resistor array conveniently placed between IO pins and their destination INSIDE of the board would be convenient (assuming it could be done).
In any case the tech apparently DOES exist to insert components. So the allegation is PLAUSIBLE and that's fear-inducing enough. Whether or not a manufacturer can be bribed/strong-armed into actually DOING that is another story.
And if it's on an SPI bus between a BIOS ROM and an SoC, such that it could re-program the BIOS slightly during a flash update, or read 'special instructions' in place of the ACTUAL flash, it could be pretty bad.
/me considers Intel's ME being invoked, for example. It might not take a lot of 'extra instructions' to make that happen, nor to cover its own tracks afterwards, and to invoke the on-chip LAN to "phone home"... and listen for commands while running.
Which means that a call for a hardware mod to SHUT OFF Intel's Management Engine [with a jumper, let's say] now makes even MORE sense.
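A defender-side check for the SPI-bus scenario described in the comment above, added here as an illustration and not part of the original post: if something on the bus serves the SoC different bytes than are physically in the ROM, a dump taken through the host path and a dump taken directly from the chip with an external programmer will disagree. The script assumes you already have both dumps as byte strings (the sample data below is constructed, not real firmware) and an optional known-good image hash to compare against.

```python
import hashlib
from typing import List, Optional, Tuple

BLOCK = 4096  # compare in 4 KiB pages, the usual SPI flash sector size


def differing_regions(in_system: bytes, direct: bytes, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Compare two dumps of the same part block by block and return merged
    (offset, length) ranges where the host-path read disagrees with the chip."""
    if len(in_system) != len(direct):
        raise ValueError("dumps differ in size: %d vs %d" % (len(in_system), len(direct)))
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(direct), block):
        if in_system[off:off + block] != direct[off:off + block]:
            n = min(block, len(direct) - off)
            if regions and regions[-1][0] + regions[-1][1] == off:
                regions[-1] = (regions[-1][0], regions[-1][1] + n)  # extend the previous run
            else:
                regions.append((off, n))
    return regions


def verify_flash(in_system: bytes, direct: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Report whether the SoC sees the same bytes that are physically in the ROM,
    and whether the physical contents match a known-good image hash (if given)."""
    regions = differing_regions(in_system, direct)
    direct_hash = hashlib.sha256(direct).hexdigest()
    return {
        "interposer_suspected": bool(regions),
        "differing_regions": regions,
        "direct_sha256": direct_hash,
        "matches_known_good": expected_sha256 is None or direct_hash == expected_sha256,
    }


def make_sample() -> Tuple[bytes, bytes]:
    """Constructed sample: a 64 KiB pattern stands in for the real ROM, and the
    host-path copy has three small regions altered (hypothetical, not real data)."""
    direct = bytes((i * 7) & 0xFF for i in range(16 * BLOCK))
    seen = bytearray(direct)
    seen[0x1010:0x1020] = b"\x41" * 16   # lands in sector 1
    seen[0x2000:0x2004] = b"\x00" * 4    # sector 2, adjacent to sector 1, so merged
    seen[0xA000:0xA008] = b"\xFF" * 8    # sector 10, reported separately
    return bytes(seen), direct


if __name__ == "__main__":
    in_system, direct = make_sample()
    report = verify_flash(in_system, direct, hashlib.sha256(direct).hexdigest())
    for off, n in report["differing_regions"]:
        print("mismatch at 0x%06X (%d bytes)" % (off, n))
    print("interposer suspected:", report["interposer_suspected"])
```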