I would say that any consumer router is a security risk. Yes, EOL are the worst, but the way I have seen CVEs come up for every router and just the lack of concern for this in the embedded router OS field, it is better to have no router at all.
I opted for an ISP-rented and ISP-firmware router, and that's the best I can do. Whatever nefarious hackers get on it, let my ISP worry about fighting. There was simply no way, in good conscience, I could manage my own network device anymore, because there are simply no tools to do it.
See, I had purchased a Nighthawk. I subscribed to their "Advanced Cybersecurity" service which was a joke. It didn't secure the router at all. Made things worse. A lot of theater and blinkenlights for no reason.
There are no tools for securing consumer routers. There's no good sniffer, there's no AV/antimalware suite to run on a router, the router's ports can be naked and open, there's no good protection if you make a boneheaded configuration choice.
Your router is on the edge of your network and it's not protected by NAT. Therefore it's the juiciest and easiest target to attack. The logging is shitty. Nobody reads those logs. The logs are meaningless if you read them. "Oh, blocked DDOS attack from x.x.x.x?" Like the logs are still crowing about blocking SMURF or something.
OpenWRT, DD-WRT, and Tomato - don't get me started I had a DD-WRT firmware that was pwned anyway. Where do you trustingly download these images from? Why wouldn't they have the same problems as consumer router OS? Pointless. Way too complicated! If I want security I need simplicity. Make it less possible to configure wrong. Make it less possible to run a bad service. Make the attack surface smaller. All the "open" router OS just widened my attack surface like crazy.
wmf•6h ago
I trust a Google/Nest router (only one serious CVE in history AFAIK) over every ISP router.
AStonesThrow•5h ago
It has been experimentally determined, and clinically proven, that immersion in a strong solution of fluoridated water will stop most router-based malware in its tracks, and prevent future intrusion by network-based threat actors. Science
AStonesThrow•6h ago
I opted for an ISP-rented and ISP-firmware router, and that's the best I can do. Whatever nefarious hackers get on it, let my ISP worry about fighting. There was simply no way, in good conscience, I could manage my own network device anymore, because there are simply no tools to do it.
See, I had purchased a Nighthawk. I subscribed to their "Advanced Cybersecurity" service which was a joke. It didn't secure the router at all. Made things worse. A lot of theater and blinkenlights for no reason.
There are no tools for securing consumer routers. There's no good sniffer, there's no AV/antimalware suite to run on a router, the router's ports can be naked and open, there's no good protection if you make a boneheaded configuration choice.
Your router is on the edge of your network and it's not protected by NAT. Therefore it's the juiciest and easiest target to attack. The logging is shitty. Nobody reads those logs. The logs are meaningless if you read them. "Oh, blocked DDOS attack from x.x.x.x?" Like the logs are still crowing about blocking SMURF or something.
OpenWRT, DD-WRT, and Tomato - don't get me started I had a DD-WRT firmware that was pwned anyway. Where do you trustingly download these images from? Why wouldn't they have the same problems as consumer router OS? Pointless. Way too complicated! If I want security I need simplicity. Make it less possible to configure wrong. Make it less possible to run a bad service. Make the attack surface smaller. All the "open" router OS just widened my attack surface like crazy.
wmf•6h ago
AStonesThrow•5h ago