
Is Your Android TV Streaming Box Part of a Botnet?

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/
32•todsacerdoti•50m ago

Comments

0xWTF•28m ago
Trusting a random vendor, even on your home network, seems crazy. But how do you secure a home network? Are we all supposed to be running Nagios, Grafana, Splunk, and have a personal CISO?

jsheard•21m ago
> Trusting a random vendor, even on your home network, seems crazy.

Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.

bryanlarsen•7m ago
Most consumers would assume that the $400 they paid for the box is how they monetized it. Naive perhaps, but not necessarily unreasonable.

charcircuit•10m ago
You should not assume that no one on your network is compromised. This is part of the thinking behind 0 trust.

sekh60•8m ago
Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.

Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.

Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.

Unfortunately users are very averse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.

Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and waive them when it's a "legit brand" that gets compromised outside of the user's control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.

tracker1•3m ago
My AP has a default "guest" ssid/vlan that has a separate address block on it... I use that for untrusted devices.

It's a dedicated prosumer/commercial ap though.

ssl-3•7m ago
Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.

It does make it harder to use these things. Some things may even become impossible to use effectively.

The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.

But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.

So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.

j45•7m ago
That's a little overreaction.

Most wifi routers have a guest network mode, that does the first few good steps.

Devices on the guest network can't see or ping devices on your main home network.

But... if appropriately configured the home network should be able to see the devices on the guest network.

There's a few great guides out there that help plan out your home network for such undertakings.

tracker1•4m ago
You can use a diy mini pc with OPNsense for a router along with a dedicated AP box... most commercial AP boxes can configure for separate SSIDs and VLAN configurations... this can allow you to monitor, configure and block certain access to the devices on your network into different trust groups.

Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).

That said, if you don't have the technical skills or desire to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.

ndiddy•17m ago
I'd expect pirate TV stuff to be mainly available through mail order, it's surprising you can buy it off the shelf at big box stores like Best Buy. I wonder how they weighed the income they'd get from stocking pirate TV boxes vs. how it would negatively impact their relationships with TV and streaming providers.

ronsor•7m ago
I think the fact that regular stores are now stocking high-seas set top boxes is more proof that streaming is too overpriced now and media companies are too greedy.

bsimpson•16m ago
Don't love the scare title, but particularly don't love the inclusion of "Android TV," which has gone back-and-forth with "Google TV" as the brand name for Google's smart TV experience. (Even Wikipedia has a hard time following the chronology: https://en.wikipedia.org/wiki/Google_TV_(operating_system), https://en.wikipedia.org/wiki/Android_TV#Google_TV_interface)

The title makes it sound like the TV you bought at Best Buy might be part of a botnet. The article is about some drop-shipped piracy-box.

aerzen•11m ago
Is there some software I can run on my OpenWrt to detect suspicious traffic?

I guess the big problem here is analysis, because a modern home network moves a massive amount of traffic, to many endpoints.

sekh60•6m ago
I use VyOS instead of OpenWrt, but I'd presume OpenWrt can mirror a port? It'd be better to do it on your switch of course. But you could mirror your traffic going across the LAN-WAN barrier and direct it to a Security Onion install; it's an open-source IDS. It has pretty heavy demands, but traffic analysis is not an easy, computationally cheap task.
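
The analysis problem raised in the two comments above, as an added example that is not from any commenter or from OpenWrt: it reduces connection-tracking lines in the format printed by `conntrack -L` (or `/proc/net/nf_conntrack`) to a per-device count of distinct external destinations and ports, and flags devices on the untrusted segment with unusually wide fan-out. The subnet `192.168.30.0/24`, both thresholds, the sample flows, and the premise that a streaming box should only talk to a handful of endpoints are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: subnet and thresholds are illustrative, tune per network.
IOT_NET = ipaddress.ip_network("192.168.30.0/24")    # hypothetical IoT/guest VLAN
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_DESTS, MAX_PORTS = 20, 5                         # distinct external IPs / ports per device

# The first src=/dst=/dport= triple in a conntrack line is the original (outbound) direction.
FLOW = re.compile(r"^(?:ipv4\s+2\s+)?(?:tcp|udp)\s+\d+\s+\d+\s+.*?"
                  r"src=(\S+)\s+dst=(\S+)\s+sport=\d+\s+dport=(\d+)")

def summarize(lines, iot_net=IOT_NET):
    """Map each IoT-segment source IP to (distinct external dest IPs, distinct dest ports)."""
    dests, ports = defaultdict(set), defaultdict(set)
    for line in lines:
        m = FLOW.match(line.strip())
        if not m:
            continue                                  # ICMP or malformed: no ports to count
        try:
            src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        except ValueError:
            continue
        if src not in iot_net or any(dst in n for n in LOCAL_NETS):
            continue                                  # other segments and local traffic
        dests[m[1]].add(dst)
        ports[m[1]].add(int(m[3]))
    return {s: (len(dests[s]), len(ports[s])) for s in dests}

def flag(summary, max_dests=MAX_DESTS, max_ports=MAX_PORTS):
    """Devices whose outbound fan-out exceeds either threshold."""
    return sorted(s for s, (d, p) in summary.items() if d > max_dests or p > max_ports)

def _flow(src, dst, dport, proto="tcp"):
    head = "tcp      6 431990 ESTABLISHED" if proto == "tcp" else "udp      17 29"
    return (f"{head} src={src} dst={dst} sport=40000 dport={dport} "
            f"src={dst} dst=198.51.100.7 sport={dport} dport=40000 use=1")

def constructed_sample():
    """Constructed data: .10 acts like a streamer, .66 fans out, 192.168.1.5 is off-segment."""
    lines = [_flow("192.168.30.10", f"203.0.113.{i}", 443) for i in (5, 6, 7)]
    lines.append(_flow("192.168.30.10", "192.168.30.1", 53, "udp"))      # DNS to the router
    lines += [_flow("192.168.30.66", f"203.0.113.{i}", 8000 + i) for i in range(1, 41)]
    lines += [_flow("192.168.1.5", f"192.0.2.{i}", 443) for i in range(1, 31)]
    lines.append("icmp     1 29 src=192.168.30.66 dst=203.0.113.200 type=8 code=0 id=1")
    return lines

if __name__ == "__main__":
    summary = summarize(constructed_sample())
    print(summary, flag(summary))
```

A summary like this only narrows down which device to look at; it does not replace the IDS mentioned above.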

j45•9m ago
At the very least it seems critical to treat such android devices as a hostile device on a segmented network (Guest network, or dedicated IoT Network).