Old 02-09-2014, 02:48 PM   #16
shadowbox12
Member
 
Registered: Mar 2010
Posts: 52

Rep: Reputation: 3

I tend to think the OP asks a reasonable question. Sure, 3 letter agencies may be the only ones using this kind of malware now, but it won't take long for criminals to get this kind of technology. It isn't rocket science. All you need is some physical devices hooked up to a fuzzer and/or copies of the firmware binaries to reverse engineer. Everything I know about firmware coding is that it is at least as buggy as regular software code, only it's never security tested and rarely if ever patched. I don't see any realistic way to audit the code in firmware, unfortunately. Unless you physically pull the chip, any resident malware can always misreport loaded code to hide itself. The only reasonable solution I can think of is to dump EEPROM altogether and go back to ROM.
 
Old 02-10-2014, 06:18 PM   #17
Corpus-Khu
LQ Newbie
 
Registered: Oct 2011
Posts: 19

Rep: Reputation: Disabled
There are utilities for flashing such things as an EEPROM and BIOS, and we use a lot of that technology in our phones. Some hardware, such as network cards, requires that you have the correct patch cables and that it is connected to the correct hardware to actually flash it. I do know that with some of the older network cards or older routers you need to have special hardware that can cost upwards of $1100 to $10,000. Regarding the bugs on such devices, you would probably encounter threading issues and heat. The firmware does not always work well with the hardware, especially new hardware that has had few trials. As many of these devices are proprietary, you have to wait excess time for an update, and sometimes updates make new problems; I have experienced such with a Sprint 4G box. Manually changing the software required simple techniques to alter the SKU number and ensure file sizes were at a certain size. That is only step one to changing other storage on the device, such as radios. Any agency with the correct SKU and serial numbers and other info needed should be able to access a standard consumer device; if they have a reason to watch you, or for any reason based on antiterrorism laws, the companies that maintain and issue these devices are obligated to comply. Yes, by design your devices are supposed to gracefully fail, and be serviceable. We may not always trust our servicers, but service has a need nevertheless.
 
Old 02-11-2014, 08:04 AM   #18
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3938
Agreed. "Never mind the NSA ... they are the least of our concerns." We now live in "an Internet of things," and all of these "things" are programmable. We have allowed the Internet to intrude completely into our lives, either "for convenience" or simply because someone else already did it "for" us e.g. when they sold us a phone. Even as people become more conditioned to "the ubiquitous Internet," they know less and less about it. There is nothing more risky than "assuming" that you are safe, when you don't really know and when you certainly are not given the means to know.

Ed Snowden didn't really tell us anything that we didn't already know: the signs were by then pathetically obvious and they had been recognized by a great many. Ed merely confirmed their suspicions ... and he used a rather ridiculous lack of security within a so-called "security" agency to do it. Nevertheless, the vulnerabilities that he talked about (so far ...) really are nothing new, and likewise it is no "secret" that they were being exploited, albeit in the holy name of "homeland protection."

We therefore should rightly be far more concerned about the others who, we can be quite certain, are also exploiting the same vulnerabilities ... the same public ignorance ... the same public naïveté. Because this thing that we have created ... in the name of security, in the name of convenience, in the name of marketing, call it what you will ... is a world-wide tinderbox loaded with matches and fireworks and more. When the capacity exists for malfeasance to occur, it will occur, because people are b*stards when they believe that they can get away with it.

We read a lot about "security theater," and this might be the most serious threat of all. Right now, you can mutter the magic word "nine-wun-wun" in the USA, and billion-dollar doors will open wide, all behind the closed-doors of Secret. But real security, as we also know, does not come from this "obscurity." Yet, why on earth would any wannabe government contractor care about all this, when "all this money" is right there for the taking, and no one will even know that it is being spent, let alone for what. Well, we do need to be the contrarians here. We do need to think about that, because real security is not glamorous, whereas this sort of thing certainly is. We rejoice at the incredibly strong doorways we are building, and someone reprogrammed the nearby wall and waltzed right through it, right underneath our nose, because we had a preconceived (and glam-driven) notion of what "secures" us.

Last edited by sundialsvcs; 02-11-2014 at 08:09 AM.
 
1 members found this post helpful.
Old 02-11-2014, 11:58 AM   #19
gotfw
Member
 
Registered: Jan 2007
Posts: 416

Rep: Reputation: 70
Quote:
Originally Posted by sundialsvcs
<snip>

Ed Snowden didn't really tell us anything that we didn't already know: the signs were by then pathetically obvious and they had been recognized by a great many. Ed merely confirmed their suspicions ... and he used a rather ridiculous lack of security within a so-called "security" agency to do it. Nevertheless, the vulnerabilities that he talked about (so far ...) really are nothing new, and likewise it is no "secret" that they were being exploited, albeit in the holy name of "homeland protection."

<snip>
And therein perhaps lies some hope: Snowden's confirmations at least made mainstream media. For a while. Hence broadening awareness amongst previously naive masses. Now, whether anybody will give enough of a damn to demand more accountability from our governments is another matter entirely.

But I am encouraged, at least somewhat, when I read posts like yours. Good analysis and summary.
 
Old 02-12-2014, 08:09 AM   #20
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3938
Well, I think that this level of (inter)national awareness certainly is growing. The upcoming generation of world citizens also grew up with this stuff, whereas most of the "national security apparatus" that we see today is (still) a product of World War II and its for-profit successor, the Cold War. Their point of view is in some ways much more mature about the long-term import of such things as this. They don't see, say, "Russia" as a Red Menace hiding behind an Iron Curtain. The Berlin Wall didn't stand a chance anymore. Those forms of totalitarianism have become obsolete. (No, I'm not saying that it's gone, nor that it ever will be. Also, there are plenty of people in positions of power who would love to replace it with a digital version, so as to further profit thereby.)

Actually, I think that the biggest upcoming development, that is (I think) just on the horizon now, will be something that knocks down a key source of much of this military-industrial madness: the elimination of the United States Dollar as "the World Reserve Currency," and, by extension, of the very notion that we must have a "World Reserve Currency" ... which we actually don't anymore. Currently, the USA "'borrows' from itself" more than $250M USD per hour. When the rest of the world community finally comes to its senses (as China already is) and says, "screw that!!", we will be on our way to a very different set of world-community relations. At very long last. The USA won't be able to continue to sail its fourteen aircraft-carrier battle groups anywhere in the world that it wants, there to do anything that it wants, because it won't be able to afford to do so. The US, like everyone else, will have to get its money the old-fashioned way ... they must earn it.

(It will have to do very mundane things in "the only land left in the world where the US Dollar is still worth a Dollar." Like, uhh, "make things." Or, actually provide health care for its citizens, instead of propping-up rapacious private companies who make 'generous contributions' out of all that 'borrowed' money. Boring things. Like that.)

A major reason why you've got this "surveillance state," and local police turning into SWAT teams, and all that present nonsense, is because: there are vast amounts of money to be made in it, and because every bit of that spending is Top Secret or better. The cats are away. You're getting insanely rich. The nation's and the world's accounting is going to hell, but why should you care? You've got your tulip-bulb!! Sell 'em another million disk-drives, another billion miles of CAT-5 cable. Vacuum up all the data in the world, so that "top men" in the US Government can study it someday.

Last edited by sundialsvcs; 02-12-2014 at 08:20 AM.
 
Old 02-12-2014, 10:21 AM   #21
gotfw
Member
 
Registered: Jan 2007
Posts: 416

Rep: Reputation: 70
Except the upcoming generation you reference is 1) the culmination of a decade or two of "the dumbification of America" (yes, a few are sharp cookies, but I'm referencing the average), 2) have been raised to accept "The Patriot Act" as the way things must be, and 3) doesn't give a damn about being tracked, etc. as long as they can still get their facefart opium.

Yeah, color me skeptical. But, although related (because everything is connected to everything else), we're getting a bit afar of the OP's topic.

Last edited by gotfw; 02-12-2014 at 10:52 AM.
 
Old 02-12-2014, 10:33 AM   #22
hilyard
Member
 
Registered: Jan 2010
Location: Inland PNW
Distribution: Lite | siduction
Posts: 291

Rep: Reputation: 66
What does the "F" in UEFI stand for? I don't think it stands for "silly!"
 
  

