Peripheral devices have their own storage, dark_dragon. Sorry, but you are wrong.
Not just the BIOS, but other peripherals as well. They have software, they can be written to. Read Hoglund and Butler's "Rootkits" book, okay?
Ok, I think I see what you mean.
Something like this
Firmware rootkits et al. Theoretically, you could even have a virus in your laptop's battery that would make your machine overheat dangerously. (Mind you, Sony's batteries don't need a virus to explode.)
However, I remain extremely sceptical. They're at the proof of concept stage in security labs. To have such a beast running around in a home computer would be... extremely surprising.
I would give good money if you could show me a virulent firmware virus/rootkit. In fact, I expect that the first exploits of this kind will be sold for very significant sums. The development costs would be insane compared to the usual "click here for more pron" approach. It would take a concentrated effort from some very skilled hackers. The crazy firmware diversity is one thing too. There would be no One OS to bind them here. Your exploit would have to run on a particular chip of a particular manufacturer which is installed in a subset of a particular device. You'd have to circumvent firmware authentication (which requires intimate knowledge of the particular chip you're working with, knowledge not exactly easy to come by). Then you'd have to know the system features inside out to do anything at all besides corrupting the firmware. Hell, lots of genuine firmware updates fail (I am a case in point). Those are updates using the manufacturer's own tools, rather than reverse engineered ones too. And you would have to get system-level access in the first place (compared to the rest this seems easy).
It would be masochistically hard to do. Especially if to do all this you've already gained complete access.
I expect that the kind of people capable of writing virulent firmware rootkits are not going to want to get family pics from a home PC. They'd be running targeted attacks against hardened targets with specific goals in mind. Getting credit card details would be trivial if you can do all this.