Please let me know if this question is more appropriate for Security.
What kinds of damage can an attacker with physical access to a Pi cause?
In a desktop PC or laptop, an attacker with physical access might be able to hide malware in, say the devices' firmwares or even the BIOS. Considering that the Pi is built differently from other computers, is there any way to hide malware in the Pi, say in the device's firmware like in those computers?
Say, someone who was targeted by an attacker ordered a Pi online and had his delivery intercepted and compromised. Can an attacker install and hide malware somewhere on board the Pi itself?