The main question to answer here is how likely some criminal (or other ne'er-do-well) is to spend the time to target you. These days, unless you are a government, financial institution, or major business, you are more at risk from something that you do. The point of serious attacks is to steal money, either directly or indirectly (steal data or other information that is worth money to someone that will pay to keep it quiet or returned).
The private individual is unlikely to have access to anything that would make it worth the effort and time it would take to set up such an attack.
They may try to gain a dollar or two from several million users by a scam, but the whole technique used for this is open to the target who is fooled into willingly giving money or information that is worth money.
While I (for the most part) agree with this, I do disagree with the one statement in the middle there, as there is one thing to consider here.
The average person is usually an employee for a company or corporation. And the average person is usually less cognizant of security concepts, and does not take as much time protecting their own computer and device security.
If a person works for a corporation that a malicious actor / a group of malicious actors is interested in breaching, then they can quickly and easily become a target for said actor / group to gain access to their system(s), in an attempt to ferret out information that can be used to accomplish their true goal - breaching the company. As there are many different techniques and tactics used, including things like social engineering, it becomes more clear that, while this "you probably won't be targeted" argument may be true, in the sense that the malicious actors may not be (directly) interested in your own money, and financial accounts directly, it's absolutely the wrong approach to take when considering personal digital security. The more information the malicious actors have collated to attempt a breach of corporate systems, the better position they are in to start penetrating through layers of security.
IMO, regardless of if you work for a multi-national corporation, a large company, or even an SMB, and *especially* in today's high instances of WFH situations, now, more than ever, the need for personal digital security is higher than ever. Thinking that "Well, I don't really have anything that they'd want" is fallacious thinking - if nothing else, you may have a friend in your contact list that works for the company they want to target, or regularly converse with someone on an internet forum, like this one, with someone who has ties to the targeted corp. Fishing out that information discreetly is their best plan of action.
Plus, if nothing else, once a personal device is hacked, it can also be thrown into the collective we call a botnet. These botnets are almost crucial in the modern age for a variety of purposes that the malicious actors / groups want to carry out.
Just because you think you have nothing of interest for them doesn't mean that it is actually true.
In the computing world, nothing is absolutely impenetrable, and it is a case of weighing the cost and risk of infiltration against the cost of preventing the infiltration. If the cost or risk is high enough to overcome the cost of prevention, then clearly you would mitigate the potential by implementing the preventative measures.
Unfortunately, many companies (and individuals) consider that this is a one-time exercise, which it is not; it is an ongoing exercise that needs to be undertaken constantly, because every time you close a door to the infiltrator they will look for an alternative door that you haven't locked, which means you then need to repeat the exercise - at best you will be one step behind the infiltrators, and highly unlikely to ever be ahead of them - but you can make it difficult.
As to the original question, absolutely, it has been done many times in the past and will be done again in the future - connecting anything to anything always introduces a risk, you need to evaluate that risk and make a decision based upon the value and costs - or disconnect completely from the internet, and never reconnect.
This, 100%. Back when Calendar of Updates was still in its early stages, we had a lot of discussions about computer security, and that was a point that I and others made, repeatedly.
If it is digital, it can be hacked.
New methods are discovered, developed every single day. Old methods are revamped to work in new ways. Things that were thought to be secure were found to be not so secure. As technology continues its accelerated development track, so, too, do the exploits that are found, discovered, or adapted. There is no "Set it and forget it!" when it comes to digital security - and there never will be, as long as you keep in mind the above quotation.
I would presume that a Government agency would procure 'clean' computers without backdoors. I wonder if a private citizen like me could get such a 'clean' computer.
That is a very dangerous presumption. Here is why.
We live in the digital age. Everything has gone digital, or the vast majority of things, anyway, and thus those troves and troves of data have to be protected. Kept safe. At the same time, governments have to play their little spy games and see what everyone else is doing, especially countries that they are not overtly friendly with. We spy, They spy. Everyone spies. There is no clean computer - unless you build a computer that 1) is completely, utterly 100% standalone - never plug in a jump drive to it, never bring in data from an outside source, never connect it to an outside resource of any type (that includes Internet and network access) - and even then it is susceptible to a physical-access based attack. Because it is digital. And if it is digital, it can be hacked. It's a lot harder to do on such a system, because you need physical access to actually hack it - but it is still theoretically possible.
Our (I'm US based) government has rules upon rules upon rules on what is and isn't allowed on a device, depending upon the access level you are afforded within the government. We also have dedicated cybersecurity professionals employed to prevent government systems from being penetrated / breached.
But we also have dedicated government officials and employees whose job is to breach other nations' systems. As do most nations on the planet. Our intelligence services have a broad range of tactics used to gather information on a variety of nations, groups, and individuals both domestically and abroad. Every piece of information, every data packet, is analyzed by cybersecurity agencies. Because information is the new must have resource. It's not gold, money, digital currency, etc. - it's about information. Corps want it, governments want it, and even if you are a stay at home parent to young children - someone, somewhere, wants to know that information, for whatever reason.
This was sent to me by one of my teachers a while back, thought you guys might like to read it or maybe not!
For all intents and purposes, hardware such as the video card, RAM, CPU and motherboard can not get infected. It is the software that runs/communicates with the hardware that can be infected. For the most part, hardware can NOT be infected.
It was mentioned that there is a RootKit that can compromise the system BIOS (Basic Input Output System). The BIOS is a set of low-level routines that works as middle-ware that allows any Operating System to communicate and work with the hardware of the motherboard. In the past the best that a malware could do is erase the BIOS or corrupt it. Recently, in China, a RootKit (which is a trojan and not a virus) was found to replace the factory BIOS with a malicious BIOS. However, this is not easily accomplished, as if a mistake is made it would leave the computer incapable of booting into the OS. Until last year, this was mostly a science experiment and nothing capable was seen "in the wild". As of this year we now know it is a possibility but an extremely remote possibility so one can generally discount that as a possibility.
There are basically two major classes of malware that one does have to be concerned with: viruses and trojans. The term virus is widely misused. Most think all malware are viruses. Not true. The overarching concept of malicious software is "malware" for Malicious Software. All viruses are malware but not all malware are viruses. Viruses are a class of malware that is able to "self replicate" or spread on its own means and without intervention. Trojans are malware that needs assistance to be spread. The vast majority of malware seen today are trojans.
The original concept of a Trojan actually comes from the Trojan Horse story from Greek mythology, in which the Greeks, in order to enter the fortified city of Troy, presented the Trojans with a very large wooden horse - that was hollow inside, and full of Greek soldiers. At night those soldiers exited the horse and took over the city, claiming eventual victory in the war.
The concept in terms of digital malware is similar in scope. The idea is to try to trick someone into obtaining / opening the file so the contents can then be used for nefarious purposes, including but not limited to, more Trojans, viruses, and other forms of malware, similar to how the Greeks tricked the Trojan people to accept the false gift that came bearing soldiers to infiltrate from the inside.
As to what your teacher wrote, well, it's quasi-correct. It's true that hardware in and of itself cannot actively do anything - all processors and such need to be fed instructions in order to perform a duty. But, the majority of processors have attached code, in the form of firmware, that can sometimes be accessed, and even modified (not all firmware is user upgradeable), and those that can be modified can also be modified maliciously, for nefarious purposes. So, in fact, if the firmware is upgradeable, and can be modified to perform nefarious tasks, then, yes, it's splitting hairs, but technically that can be considered as being hacked, and in some circles would full well be considered as the hardware was hacked - after all, if the hardware was developed in such a way that the firmware could never be upgraded in the first place, or at least cannot be upgraded without destroying the actual hardware, then the firmware would have gotten hacked, and thus the hardware would still be able to function normally.
Again, yes, it is splitting hairs - but the vast majority of digital processors that we use have associated firmware. Because they have to - that is how they function.
In order to answer the OP, I will add this bit of humor (though it's also serious): If it is undetectable, then how would we know that it exists?