The invisible hardware advantage
One reason for doubts is that it should be easier, more deniable or more flexible, or all of those, to introduce spy- or malware into soft- or firmware than to use a physical addition which can be discovered, potentially attributed and analysed.
That said, it is counterintuitively true that a hardware spy may be more effectively hidden than a software one. A software intruder cannot be permanently dormant and, without a hardware element, has to run somewhere on its host's substrate. Look hard enough and long enough and you'll find it, even while it isn't doing mischief. Its code has to execute somewhere.
A hardware intrusion, on the other hand, can run on its own substrate, completely invisible until and unless it gets a wakeup call, or a timer activates, or some other conditions are met. (It may, for example, passively observe traffic for days or weeks before deciding that its host is likely in production and working hard.) You might very well program the thing to sleep for the first n hours or days after power up, for example, sacrificing some data gathering time for undetectability.
It's also been argued that it would be more logical to build the nanobugs into existing chips ... but that is not necessarily so. Arguably, chips are where you'd look first, and their small size makes investigation relatively easy. Whereas, introducing a nanobug into the layers of a board—perhaps right underneath a ground zone or a heatsink, where x-rays will be fuddled—might make perfect sense. A mobo offers a lot more real estate than a chip for your visitor to hide in.
If it were not for the fact that the chubbier electroytic caps tend not to be attached to data lines (for obvious reasons), I would have thought them an excellent hiding place, given their in-plain-view innocent appearance. Maybe investigators should look for electrolytics that are not doing their job, and, on a close inspection, squat in proximity to subterranean data lines? Not so difficult, if you're a board manufacturer, to slip a few extra whisper-thin leads from the bottom of a component into the third or fourth layer of a complex board, surely? Make them fine enough and you might not even notice them when you yanked the component. (Also, as standard non-tantalum electrolytics, you could self-destruct them without suspicion. The only component you'd expect to occasionally blow its own head off.)
I'd also point out that once the technology has been cracked—once you, Black Hat, have successfully built and tested a virtually nanoscale bug—you may well look for all sorts of hosts: why be confined to motherboards, when a tailored version could go inside an RJ45 plug? Why go to the trouble and expense of finagling them into a run of 10,000 servers when you could sneak them into routers, switches, sockets—heck, even into cable runs?
I cannot speak to the veracity and completeness of the story itself: but if it is not true, I'd have to ask— whyever not? Given their appalling track record, the Chinese absolutely would do this if they could. I for one am guessing they can.
PS: Putting nanonbugs in phones has also been suggested. But why not put them into even smaller things, especially those which can become indirectly connected? Why not headphones and watches? Say, anything that can talk Bluetooth. Let Fred Contractor dutifully leave his phone in the Faraday cage at reception, and the earbuds in his pocket can do some light data harvesting while he wanders the building, only to phone home when they are connected for some Buns&Noses relaxation on the commute home through Maryland?
Biting the hand that feeds IT
