This highlights how the sterilization process many cloud providers (IBM in this instance) have is not cleaning out every nook and cranny.

They should audit every bit of firmware (indeed it's odd how the researchers changed one bit in the BMC firmware and no checksum flagged it up on boot) and whilst this is daunting, it isn't that hard as they just have to compare and verify it is the same as the known safe image. Sure they could blindly reflash, but then they would miss any attempted exploitations and equally shorten the life of the hardware by increasing the odds of the flash memory failing.

Whilst people see BMCs as one avenue, a server/PC has many components, all with their own firmware and in many cases their own CPU. Be that a network card, graphics card and even keyboards and mice (though the latter, not so much a factor in server environments, are still a consideration).

Security is and always will be a mindset. You need to think like somebody who wants to break into your environment, and then counter those ways. But so many avenues. Imagine you're sat at your desk as an administrator and one morning you get a nice shiny, cool, top of the range keyboard sent, dressed up as a gift. How many would think, cool, plug it in and feel all fuzzy? How many would audit the firmware on that keyboard? How many would question the random gift at every level?

I'm sure IBM are not the only ones who would fall foul of this avenue of BMC exploitation, but I'm disappointed that, for me, basic sanity checks in their sanitisation process to decommission and recommission a server are being overlooked.

Still, when you hire a car, do they audit the car's management engine firmware? Do they erase previous BT and WiFi connections stored on the radio? Well, from my experience, they don't.

Remember: you can pay an expert all the money in the world, but do check their work.
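The "compare and verify it is the same as the known safe image" step from the comment above, as an added example that is not part of the original post or of any vendor's tooling. It hashes a dumped firmware image against a known-good reference and, on mismatch, reports the exact byte offsets and bit positions that differ, so a single flipped bit of the kind the comment mentions is located rather than just flagged. The images, the `flip_bit` helper and the manifest are constructed sample data; in practice the reference hash would come from the vendor's signed release and the candidate from a dump of the component's flash.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FirmwareCheck:
    """Result of comparing a dumped image against its known-good reference."""
    sha256_known: str
    sha256_candidate: str
    matches: bool
    length_known: int
    length_candidate: int
    # (offset, expected_byte, found_byte, [flipped bit positions]) for each differing byte
    diff_offsets: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_firmware(known_good: bytes, candidate: bytes, max_report: int = 32) -> FirmwareCheck:
    """Hash both images; on mismatch walk the bytes and record where they differ.

    max_report caps the number of differing offsets kept, so a wholesale
    reflash with a different image does not produce a megabyte of output.
    """
    h_known = sha256_hex(known_good)
    h_cand = sha256_hex(candidate)
    check = FirmwareCheck(h_known, h_cand, h_known == h_cand, len(known_good), len(candidate))
    if check.matches:
        return check
    for offset, (expected, found) in enumerate(zip(known_good, candidate)):
        if expected != found:
            flipped = [bit for bit in range(8) if ((expected ^ found) >> bit) & 1]
            check.diff_offsets.append((offset, expected, found, flipped))
            if len(check.diff_offsets) >= max_report:
                break
    return check


def verify_manifest(dumps: dict, manifest: dict) -> dict:
    """Check every dumped component against a {component: expected_sha256} manifest.

    A component present in the manifest but missing from the dumps counts as
    failed: an unverified component is the same as a tampered one.
    """
    return {
        name: (name in dumps and sha256_hex(dumps[name]) == expected)
        for name, expected in manifest.items()
    }


def flip_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Return a copy of data with one bit flipped (used only to build the sample)."""
    tampered = bytearray(data)
    tampered[offset] ^= 1 << bit
    return bytes(tampered)


# Constructed sample images (hypothetical, not real firmware): a 4 KiB
# "known good" image and a copy with a single bit flipped at offset 0x200.
KNOWN_GOOD = bytes(range(256)) * 16
TAMPERED = flip_bit(KNOWN_GOOD, 0x200, 3)

# Constructed manifest: both components are expected to carry the reference image.
MANIFEST = {"bmc": sha256_hex(KNOWN_GOOD), "nic": sha256_hex(KNOWN_GOOD)}


if __name__ == "__main__":
    result = compare_firmware(KNOWN_GOOD, TAMPERED)
    print("hash match:", result.matches)
    for offset, expected, found, bits in result.diff_offsets:
        print(f"offset 0x{offset:04x}: expected 0x{expected:02x}, found 0x{found:02x}, bits flipped {bits}")
    print(verify_manifest({"bmc": KNOWN_GOOD, "nic": TAMPERED}, MANIFEST))
```

The hash comparison alone is enough to decide pass or fail; the offset walk is the part that makes the result useful for the "did they attempt to exploit us" question the comment raises, because a one-bit change in a known location tells a very different story from an image that differs everywhere.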