OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.
This exploit can be leveraged across Thunderbolt connections (fortunately, not USB connections), provided an attacker can get physical access to a Mac and plug a malicious Thunderbolt device into it. With sudo access, you can take any measures, up to and including a malicious firmware update.
