Really sad state of affairs...
... when assembly (machine code) is considered nation-state level hacking. Security by obscurity not.
Yet another set of shivers is running up spines at Cisco, with a researcher from Grid32 claiming that “rooting” the company's IOS firmware isn't as hard as people think. The issue of compromised firmware arose in August when the company first warned that its ROMMON firmware images could be replaced with a compromised version …
This inflation of the required resources to 'Nation State' level has been going on for years. It is readily apparent to anyone who has actually developed software that all it needs is the will and a dedicated small team to come up with quite sophisticated solutions. It could just as well be a criminal enterprise, a dodgy Security firm or just a bunch of disgruntled old farts doing it for fun.
By now there must be hundreds of thousands of ex-developers out there with the required skills, just needing the motivation (and lack of moral/ethical sense) to do something with them.
They need to start looking at people who have a track record of not caring too much about other people and who know the skills and availability of this untapped resource. I'd start with HR departments.
Indeed. All those claims about something being vulnerable but "requiring nation-state resources" to attack - only to see some twenty-something coming forward at a security conference with having thoroughly pwned the thing using only $123 worth of mostly off-the-shelf kit - are getting rather annoying. All you need is sufficient incentive, available technical data (or the hardware itself) and reasonable skill in the art...