2

Please let me know if this question is more appropriate for Security.

What kinds of damage can an attacker with physical access to a Pi cause?

In a desktop PC or laptop, an attacker with physical access might be able to hide malware in, say, the devices' firmware or even the BIOS. Considering that the Pi is built differently from other computers, is there any way to hide malware in the Pi, say in the device's firmware like in those computers?

Say, someone who was targeted by an attacker ordered a Pi online and had his delivery intercepted and compromised. Can an attacker install and hide malware somewhere on board the Pi itself?

user942937

1 Answer

2

If someone has physical access to a computer, including a Raspberry Pi, you do not have any chance to avoid attacks. The attacker can just do what he wants with the hardware and software, even simply replace the whole Raspberry Pi with a prepared one. He has lots of time to prepare a RasPi beforehand, and then replace it very quickly.

Even putting the RasPi into a safe doesn't help, because "physical access" means that the safe's door is open.

You may consider installing a checksum program like samhain to monitor new or changed software. But after installing the malware, an attacker will checksum his malware as accepted software with that samhain installation, so the samhain monitor will not alert on it.

Besides using the SD card, on a Raspberry Pi 4B you can reprogram its boot EEPROM. On other RasPis you can program the OTP (One-Time Programmable memory).

jsotola
Ingo
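The re-baselining problem described in the answer, as an added example that is not part of the original post and is not samhain's code: a checksum baseline that can be regenerated on the device hides a change, while an HMAC tag over the baseline, held with its key on a separate machine, shows that the baseline itself was replaced. The function names, the key and the `tool.sh` file are constructed for illustration, and the check is assumed to run on that separate machine (for example with the SD card mounted there); it says nothing about the boot EEPROM or OTP.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for directory, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def seal(baseline, key):
    """HMAC-SHA256 tag over the canonical JSON form of a baseline."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(root, baseline, tag, key):
    """Return (baseline_is_authentic, paths_that_differ_from_baseline)."""
    authentic = hmac.compare_digest(seal(baseline, key), tag)
    current = snapshot(root)
    changed = sorted(p for p in set(current) | set(baseline)
                     if current.get(p) != baseline.get(p))
    return authentic, changed

def demo():
    key = b"constructed-key-held-off-device"   # assumption: never stored on the Pi
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "tool.sh")  # constructed sample file
        with open(target, "w") as fh:
            fh.write("echo ok\n")
        trusted = snapshot(root)
        tag = seal(trusted, key)                # kept off-device with the key
        clean = check(root, trusted, tag, key)
        # Constructed tampering: the file changes and the on-device
        # baseline is regenerated so that a local comparison still passes.
        with open(target, "w") as fh:
            fh.write("echo changed\n")
        regenerated = snapshot(root)
        return {
            "clean": clean,
            "rebaselined": check(root, regenerated, tag, key),
            "trusted": check(root, trusted, tag, key),
        }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The `rebaselined` result reports no changed files but a failed tag, which is the case the answer warns about; only the comparison against the off-device baseline names the modified file.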