It is possible for a user with read-only access to a device to issue arbitrary commands (i.e. 'write' or 'erase firmware'). There is a discussion on the LKML: http://lkml.org/lkml/2004/7/30/147
CAN-2004-0813
See bug 133098