But at the same time, this is Dragos Ruiu, a well-respected researcher for 15 years. If he says he's got an infected BIOS, I'm going to believe him.
My first impression was that badBIOS was an elaborate troll on the part of Ruiu, to make the point that just taking what even a "well-respected researcher" says at face value is NOT good security practice.
There are so many people out there who are delusional...the truthers, the "Moon landing hoax" folks; even Nobel prize winners can be susceptible, just recall Pauling and Shockley. Also, Bobby Fischer. This guy could easily have fallen prey to the same kind of brain eater.
It seems telling that unlike most such paranoid fantasists, he hasn't blamed anyone for this yet. Usually such delusions come with accused culprits and the like. I really don't like how people are jumping to labeling him as suffering from a mental malady. Maybe he's in error, but why does he have to be ill?
That's because he isn't making the former. It took a hack like Dan Goodin to make him look as though he were.
His actual claims, as far as I can determine and as corroborated by the Errata Security article, are: (1) that BIOS firmware, and potentially also built-in peripheral device firmware, might serve as a durable reservoir for malware; (2) that buffer overflows and similar sloppy coding practices in USB HID device drivers can serve as infection vectors; (3) that pre-existing malware can use ultrasound as a (buggy, flaky, slow) C&C protocol transport; and, finally and most controversially, (4) that he has live examples, as yet unpublished, of malware which demonstrates all three of these behaviors.
Claim 1 seems not particularly controversial, given that prototypes have been demonstrated at conferences.
Claim 2 has at least one example in the wild, in that a PlayStation 3 jailbreak has successfully used the exact method described as a code injection vector. The PS3, of course, is a static target; how well the method scales to the PC platform is therefore an open question, but given the apparent relative paucity of implementations available, it seems at least plausible as a useful attack vector for malware.
Claim 3 is theoretically valid and, as another HN user pointed out in response to my own skepticism on the subject, has at least one strong proof of concept in the wild.
Claim 4, of course, is unverifiable at this time; given Ruiu's provenance in the field, though, I'm with the Errata Security writer in considering that Ruiu deserves the benefit of the doubt, on the presumption that he'll soon substantiate the claim.
At most, then, his claims are 25% extraordinary, and I argue it took a useless hack like Goodin to make them seem even that much so -- to say nothing of all the recent speculation with regard to Ruiu's mental state, which I can only ascribe to a spectacular failure among HN commenters to consider the source -- specifically, the source of that Ars Technica article, whose lack of credentials should be plain to anyone with the time and interest to examine his journalistic history. What in God's name possessed Ruiu to give a hack like Goodin an interview is entirely beyond me, but that's as close to a sign of poor or impaired judgment as I can see.
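For readers weighing claim 3 above: the following is an added example, not code from this thread, from Ruiu or from the Errata Security article. It shows the minimum an "ultrasonic C&C transport" needs, a two-tone FSK modulator and a Goertzel-based demodulator, in pure Python with no audio hardware; the 18 kHz and 19 kHz tones, the 10 ms symbol length and the noise level are assumed values chosen for the demonstration, and the payload and noise are constructed. It also illustrates why such a channel would be slow and flaky: 100 bit/s, no synchronisation, no error correction.

```python
"""Near-ultrasonic binary FSK modem (toy covert-channel transport).

Added example, not code from the thread or from any badBIOS analysis.
Two tones above the range most adults hear (18 kHz and 19 kHz, assumed
values) carry one bit per 10 ms symbol; the receiver runs a Goertzel
detector on each symbol to tell them apart. Pure Python, runs offline;
real microphone/speaker I/O, sync and error correction are left out.
"""
import math
import random

RATE = 44100          # samples per second (common sound card rate)
SYMBOL = 441          # samples per bit -> 10 ms symbols, 100 bit/s
MARK = 19000          # Hz, encodes a 1 bit (assumed value)
SPACE = 18000         # Hz, encodes a 0 bit (assumed value)
AMPLITUDE = 0.5       # full scale is 1.0


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def modulate(data: bytes) -> list:
    """Return float PCM samples in [-1, 1] encoding `data` as 2-FSK."""
    out = []
    for bit in _bits(data):
        f = MARK if bit else SPACE
        for n in range(SYMBOL):
            out.append(AMPLITUDE * math.sin(2 * math.pi * f * n / RATE))
    return out


def goertzel_power(samples, freq: float) -> float:
    """Power of `samples` at `freq` via the Goertzel algorithm.

    With SYMBOL=441 the bin spacing is RATE/SYMBOL = 100 Hz, so both
    tones sit exactly on a bin and a pure tone leaks nothing into the
    other tone's bin.
    """
    n = len(samples)
    k = round(n * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> bytes:
    """Decode symbol-aligned 2-FSK samples back into bytes."""
    bits = []
    for start in range(0, len(samples) - SYMBOL + 1, SYMBOL):
        chunk = samples[start:start + SYMBOL]
        mark = goertzel_power(chunk, MARK)
        space = goertzel_power(chunk, SPACE)
        bits.append(1 if mark > space else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def add_noise(samples, sigma: float, seed: int = 1) -> list:
    """Simulate an acoustic path with additive Gaussian noise (constructed)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def round_trip(data: bytes, sigma: float = 0.0) -> bytes:
    """Modulate, optionally add channel noise, demodulate."""
    pcm = modulate(data)
    if sigma:
        pcm = add_noise(pcm, sigma)
    return demodulate(pcm)


if __name__ == "__main__":
    msg = b"beacon:7f"   # constructed sample payload
    print(round_trip(msg))
    print(round_trip(msg, sigma=0.3))
    print("bit rate: %d bit/s" % (RATE // SYMBOL))
```

Each symbol holds an integer number of cycles of either tone (190 or 180), which is why the receiver separates them cleanly even with noise whose amplitude is comparable to the signal; a real deployment would need a preamble to find symbol boundaries and some error correction, which is exactly the "buggy, flaky, slow" character the comment above describes.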
Really? My first impression, upon reading the Ars article, was that it was sensationalistic, ham-handed slop, emitted by someone who not only didn't understand what the hell he was talking about, but didn't appear to have bothered even trying. Then I checked the byline, and all became clear: Dan Goodin is a hack of long disrepute, barely competent to regurgitate content generated by others, and certainly not up to anything remotely resembling original analysis or reporting.
The surprise is not that, when given a relatively subtle and complex topic such as this, he made such an utter hash of it that the subject of his interview came off like a paranoid schizophrenic. The surprise is instead that Ruiu didn't know better than to give a third-string jackass like Goodin an interview in the first place.