They don't need to, if they can put malicious code into the hardware, and bypass the software stack entirely.
They don't need to, if they can put malicious code into the hardware, and bypass the software stack entirely.