Firmware updates can be good, but only the user with physical access should be able to install a firmware update. An example of how this might be done: There is a ROM firmware (always read-only) and EEPROM firmware (read-only except during firmware upgrade operations); the ROM firmware only checks a switch (which is a physical hardware switch that can be set only by the user) and, if it is set, will load the data on the DVD (or CD or CompactFlash or whatever other media it uses, but specifically not the internet) as a firmware upgrade into the EEPROM; if the switch is not set, then the EEPROM is read-only and nothing can upgrade it, not even a custom firmware. (The user could also physically open it up and replace the EEPROM chip themself, if wanted, but this would normally be unnecessary.)
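
The scheme described above, modelled as an added C example (not part of the original text). The struct, the function names and the 16-byte EEPROM size are assumptions for illustration, and the switch is modelled as gating EEPROM writes in hardware, so the same gate applies to the ROM loader and to any running firmware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EEPROM_SIZE 16 /* assumed size, for illustration */

/* Hypothetical board model; all names here are illustrative. */
struct board {
    bool update_switch;          /* physical switch, set only by the user */
    uint8_t eeprom[EEPROM_SIZE]; /* upgradable firmware */
    const uint8_t *media;        /* image on local removable media, or NULL */
    size_t media_len;
};

/* Models the write-enable line: with the switch off, no code path can
 * change the EEPROM, whoever the caller is. */
static bool eeprom_write(struct board *b, const uint8_t *src, size_t len)
{
    if (!b->update_switch || src == NULL || len > EEPROM_SIZE)
        return false;
    memset(b->eeprom, 0xFF, EEPROM_SIZE); /* erase, then program */
    memcpy(b->eeprom, src, len);
    return true;
}

enum boot_result { BOOT_EEPROM, BOOT_UPDATED, BOOT_NO_MEDIA };

/* ROM firmware: checks the switch and nothing else. */
enum boot_result rom_boot(struct board *b)
{
    if (!b->update_switch)
        return BOOT_EEPROM; /* EEPROM stays read-only, boot it as is */
    if (!eeprom_write(b, b->media, b->media_len))
        return BOOT_NO_MEDIA; /* switch set, but no usable local image */
    return BOOT_UPDATED;
}

/* A reflash attempt by running firmware (stock or custom) hits the same gate. */
bool firmware_self_update(struct board *b, const uint8_t *img, size_t len)
{
    return eeprom_write(b, img, len);
}

int main(void)
{
    static const uint8_t img[] = { 1, 2, 3, 4 }; /* constructed sample image */
    struct board b = { .update_switch = false, .media = img, .media_len = sizeof img };
    bool ok = rom_boot(&b) == BOOT_EEPROM && !firmware_self_update(&b, img, sizeof img);
    return ok ? 0 : 1;
}
```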