selinkocalar 17 hours ago
IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
lo0dot0 2 hours ago
The Fritzbox brand, and possibly others, updates itself automatically by default. ISPs often also control the devices they ship to clients and install updates as part of "fleet management".
Gigachad 15 hours ago
There are countless routers in between you and your destination which you can't audit anyway. End devices have long since considered the routers to be compromised and have everything verified and encrypted in transit. So unless your router is participating in a DDoS or mining bitcoins, it doesn't really matter how secure it is.
ByteDrifter 11 hours ago
Most people only care about how strong the signal is when buying a router, but almost no one checks if the firmware is outdated, or bothers to change the default password or disable remote access. And manufacturers rarely remind you either, so over time it just becomes a hidden risk.
cortesoft 16 hours ago
Most people are using routers given to them by (and configured by) their ISP... so really they are black boxes connected to an upstream black box for most people. I am always surprised by how many people give me their ISP-chosen router name and ISP-chosen password when I connect to their WiFi. I don't want to give my ISP that much control.
protocolture 13 hours ago
> IoT security is generally terrible

I think IoT demands a rethink of security. Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online-only requirements I will do it. But some people do genuinely have use cases for cloud-speaking IoT stuff. Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, that's an option; if you want to piss Python at your lightbulb to make it blink, then that's where it lives permanently.
pabs3 10 hours ago
A lot of them violate the GPL and BSD licenses too.
briHass 16 hours ago
The stuff on the shelf, sure, but you can always go 'prosumer-grade' like Ubiquiti or Mikrotik for hardware that actually receives timely updates and has competently written firmware.
lazide 3 hours ago
Personally I treat any ISP-provided (or big box store) router as compromised anyway. I install my own router as a replacement, or if not possible, just as the sole device downstream of it, and connect all my stuff to my own router. And I use Tailscale + other routing, DNS servers, etc.
fulafel 10 hours ago
Nitpick, but "known CVEs" doesn't mean a vulnerable device. The majority of CVEs in your NAT box software (aside: NAT is not routing) are going to be things like "insecure temp file handling". Your point of course stands; the situation is terrible.
java-man 16 hours ago
IoT - the "S" stands for "Security"!