I've heard tales of persistent hacks from nation state type attackers by putting the malicious code onto certain chips like the various ROMs have, but this is the first time I've read this level of detail about someone's attempt that was not funded by a nation state. However, can these be delivered remotely without physical access to the hardware? My threat model is not one where I'm concerned about a physical attack, but because of INTERNET, I am curious about software only hack possibilities.
From page 6 of that (awesome!) article: After some messing around and guessing VSC parameters, fwtool could all of a sudden also read and write the flash of a HD attached to the PC it's run on.
So a remote attacker who already had root access to run fwtool could do it.
I know that Thunderbolt with its direct access to PCIe has been the thought of scary scenarios. Again, all of the attack vectors you've mentioned require physical access, and we all know that it's game over once the attacker has physical access. I'm talking about drive by installs of malicious websites or that downloaded copy of bejeweled that someone's mom downloaded.
Could you clarify "physical access"? Of course the victim device has to be alive on the target machine that runs said hypothetical bejeweled.
Adversaries won't have to physically plug the device in, though, because there are plenty such potentially exploitable devices that are readily available on average computers(desktop or laptop). BIOS ROM chips, gaming RGB LED controllers, motion sensors, power management microcontrollers, internal Wi-Fi or Bluetooth chips, potentially some HDMI monitors, SSDs, HDDs, potentially Blu-ray drives, certain USB drives, gaming mice, GPUs, high end network controllers, BMCs for remote server management... Today even a microSD card runs some sort of software.
I think you'd have to go back to at least Pentium 2 or III days, further back if you want a laptop, to be confident that there is _no_ standalone microcontrollers that can be hacked from OS by adversaries, and that any reprogramming features in components are/can be fully disabled in hardware or at least by OS. Microcontrollers were usually overkill for simple management tasks back in those days, and ROMs either had hardware write enable pins or external reprogramming voltage supply required to do it.
> However, can these be delivered remotely without physical access to the hardware?
Yes, most devices (including hard drives) can have their firmware updated from the host computer. Some newer devices support some form of firmware signing, making it more difficult for a malicious firmware to be installed, but they're in the minority -- most firmware update mechanisms are insecure.
