It's not theoretical at all. You can flash firmware updates from userspace on pretty much any modern x86 machine but in practice, UEFI bootkits are almost good.
If you want a case study, BlackLotus is a good starting point.
good answer, I will read more about uefi bootkits and blacklotus. It also reminds me that recently bootkitty uefi bootkit was in news. i saw a video about it a couple days ago.
Is it just from userspace you flash these firmware (other than boot rom)? Or can you flash externally as well if you have physical access?
This also means that just like you avoid a lot of malware by going to linux instead of windows which is what all hackers build their malware for, you can probably also avoid a lot of these firmware bootkits by flashing coreboot instead of having UEFI.
Both userspace or externally, including the boot ROM, from Windows or Linux.
You could flash coreboot and run your own secure boot chain etc on one machine, but this is absolutely not something you can do at organisational scale.
That said, only individuals worried about foreign intelligence services need to incorporate this into their threat model.
How would it be done externally? Is it done same way as flashing the boot rom? You just need to know where the chip is for the other components? No 0-days needed? Or do you need a 0-day to do this? Is that why you think only foreign intelligence agencies are the ones who can do this?
Also assume that the bios is password protected and it's configured in bios to not boot from a USB drive.
These are the type of vague answers i said i didn't want because they are not helpful. How do i know if you really know what you are talking about? No explanations or links to sources. "depends on the device" is almost not an answer at all.
BIOS password does help if they need to be able to boot from usb drive to flash firmware. Or do you know another way? Again, not talking about boot rom.
> "depends on the device" is almost not an answer at all.
If you ask extremely general questions, you're going to get extremely general answers. This is a discussion board, not a personal research service. You need to go and figure this out for the specific hardware you are concerned about.
> BIOS password does help if they need to be able to boot from usb drive to flash firmware.
That's the only circumstance in which it helps, but that's rarely necessary on modern machines.
Is it just from userspace you flash these firmware (other than boot rom)? Or can you flash externally as well if you have physical access?
This also means that just like you avoid a lot of malware by going to linux instead of windows which is what all hackers build their malware for, you can probably also avoid a lot of these firmware bootkits by flashing coreboot instead of having UEFI.