We know that they intercept-and-tamper orders made by high-priority customers. No word at present on hardware more generally. I, for one, don’t exactly trust a gigantic blob like the UEFI firmware; but I’d also suspect that the NSA doesn’t want any really good tricks getting baked into every $80 motherboard shipped worldwide. The little people are already 0wned to hell and back through the online service providers, so wasting good hardware/firmware exploits on them seems a touch… prodigal.
It’s possible that I’m too optimistic, and they really have that many subtle exploits available that they can afford to splurge; but their deployments are presumably counterbalanced by a desire not to have 3rd party security researchers or hostile governments discover their exploits, which is something that becomes much more likely the more widely they are deployed.
