The problem of malware being remotely added to devices like routers and hard drive firmware can be stopped utterly by having a hard switch (or jumper) that disables the "write to flash" signal.
And the ME (Management Engine [1]) rears its ugly head. Even Google Chromebooks with a "write protect screw" do not actually wire the write protect screw to the hardware "disable writes" signal on the flash.
And it's because the ME is continuously writing stuff to its region of the flash and the ME cannot be disabled. Such a security fail!
Assuming these guys succeed the ME ceases to become a problem and the SPI chip can finally be write protected.
There are rumors of "back doors" that would let an attacker bypass the "disable writes" signal, but that can be countered by using a large number of manufacturers when sourcing your flash chips. Hint: SPI flash chips can be had from many places.
While it is still possible that some of the chips will have a back door, either the back door will be too hard to create a viable attack for, or users can verify the contents of their flash. (SPI flash chips are too simple to run their own cloaking algorithm.)
Users can take defensive measures if a widespread attack is detected. Defensive measures might include finding out which manufacturer produces vulnerable chips. By avoiding a flash chip "monoculture" it would apply the collective power of the internet to preventing a flash back door, thus making the write protect line an effective security measure.
As long as you mean "write protect" in quotes, because the write protection is handled by circuitry outside the flash chip itself which then means that to be sure your flash is _actually_ protected you have to verify that additional stuff.
Yes, I miss jumpers and write-protect. Used to use them everywhere. Seems like nobody does these days and I bet most advertising it are software implementations.
