>2) the USB storage provided by network card can still contain malware,

That seems unlikely given that "malware" is signed by Microsoft Windows Hardware Compatibility Publisher.

https://news.ycombinator.com/item?id=42680282

> 1) downloading Windows exe files from Chinese forums

VMs exist. I highly doubt the author daily drives windows XP.

> 2) the USB storage provided by network card can still contain malware

Well yes, but so can any other drivers. Downloading from the manufactures website isn't any more secure. Even signed drivers have been caught doing nasty stuff.

> 3) or can be accidentally booted from

True, but again this is quite a convoluted, noticeable, and unreliable way to compromize a system. Just injecting a handful of keystrokes will do it, and once the dead is done, the device can hide all evidence of malicious intent.

> 4) it has universal USB controller, so can become any HID device: keyboard, mouse...

This isn't wtf: a lot of devices nowadays are just microcontrollers hooked up to a USB connector. Quite a few normal USB drives can be reprogrammed to act as keyboards, and be used to get up to all sorts of shenanigans, including ones made outside of China.

It proves it might be possible to backdoor it. Maybe.

I don't know of any modern systems that will execute anything on a newly inserted drive, nor boot from an external drive in the default configuration.

So we are missing a couple of things. First, a vulnerability in the OS/system. Second, an implementation of that vulnerability in a device like this.

Should this design be phased out? Perhaps. There is relatively little difference between not populating the flash memory part of the board and a proper network-only implementation.