This has been a topic of concern. Quick answer is 'Yes'. However, the rash of malware currently out there is coming over the Internet. You need to worry more about the sites you visit.
This observation is both my own personal observation and the consensus of many others. Don't worry too much about the embedded firmware threat. Right now it is the myriad** or more malicious web sites out there. And yes, I have many external devices from unknown places with embedded firmware. But the infections I get come from web sites.
** myriad = 10,000.