With additional hardware many things are possible. Physical access allows anything to be done ... an encrypted pen drive only you have physical access to is a better bet for data, boot a system from a live CD or pen drive you keep with you also. But BIOS rules - code is executed before reading any media you add. If hardware can be added it only needs to monitor and report - without using existing channels on the hardware anyway. My advice is fix the physical access or work out your own method of identifying physical access being gained rather than trying to detect changes reported on a system you can't trust ...
... at the moment you are doing the equivalent of trying to detect a root kit while you have booted the system by normal means rather than from trusted media ...
That sounds like the best possible advice.
Without a method of restricting physical access, you're going to be fighting an uphill battle.
Two months ago, I researched picking padlocks. I was shocked on the abundant tutorials and videos on picking and the ease of purchase and low cost of picks. The small Master combination luggage lock I used on my briefcase and a medium size master combination lock on my storage unit can be picked by using soda can tab. I am switching back to locks with keys. I ceased keeping one set of keys in my purse and the other inside my car. They use a slim jim to break into my car and steal my keys, appointment book, files. Instead, I am keeping the keys inside my money belt and wearing the money belt.
Yet, very hard to keep every thing locked all the time and to remain safe. I relocated, rented an apartment and returned to find my front door open and my brand new Acer Aspire One netbook hacked. I returned it within the fourteen day return policy. Yes, netbooks are cheap but are not easily replaceable as tablets have caused the demise of netbooks.
Therefore, I am trying to ascertain how they have complete remote control of my netbooks even when I am not connected to the internet. I removed the combo wifi/bluetooth card. Diagnostic tools no longer detected a wifi module. Yet, bluetooth is still being detected. Why? If bluetooth was completely removed, Linux would not detect a bluetooth module. Do netbooks have two bluetooths? Where would it be?