[jamoes]

On the minus side, they can install malware on your machine without your knowledge (even if your disk is encrypted).

[walrus01]

Or a hardware based keystroke logger.

[ploggingdev]

Source? How is it possible to install malware when the disk is encrypted?

[kbart]

VGA, Wifi module, Ethernet controller, BIOS (UEFI), power controller, heck, even battery all have chips inside them capable of running malware as well. It's naive to believe than NSA&co doesn't have its fingers on such techniques (remember Cisco devices interception). Modern laptop/PC is ridden with micro "PCs" all over.

[photon-torpedo]

There have been some reports about UEFI-based malware, which can hook into the OS boot process. I guess this could also work even if the disk is encrypted. First Google hit for "UEFI malware":

http://www.pcworld.com/article/2948092/security/hacking-team...

[throwaway7767]

You modify the bootloader to grab the password on next decryption. The bootloader is in cleartext on the disk, otherwise the machine couldn't boot.

More advanced versions would involve modifying the BIOS to add a SMM-mode hook. That way the malware runs completely outside the view of the OS. Alternatively, any device with DMA access could have its firmware altered to read sensitive information from memory.

Physical security is an unsolved problem.

[ryukafalz]

>You modify the bootloader to grab the password on next decryption. The bootloader is in cleartext on the disk, otherwise the machine couldn't boot.

Mine isn't - I have GRUB installed to my BIOS chip, and I decrypt the single encrypted partition from there.

>More advanced versions would involve modifying the BIOS to add a SMM-mode hook.

That one could still get me though, yeah.

[bdg]

Drive firmware exploits have been around for long enough you can do it at home.

[jhlgkhkhil]

In one of the flash chips? Or a hardware module?