Home routers targeted again/still

[ripcord]

The simplest way to get better quality would be to introduce some level of liability on manufacturers. If they could be sued for damages for a period of years, then they would have an incentive to maintain their code.

 

[Quattro Pete]

Yeah, those things had pretty good specs when they were first released in 2014 (1GHz dual core CPU, 256MB RAM, gigabit ports) which made them very popular choice for installing third party firmware. I first bought a refurb one for cheap in 2018, ran it 24x7x365 for 5+ years, and when it finally took a dump I replaced it with another refurb one. With Fresh Tomato, it was one of my favorite home routers of all time.

And Fresh Tomato is still actively being developed/updated. Latest release is 2/15/2026.

Inspired by this thread, I dug up two of my old routers (Netgear R7000 and Asus RT-N66U) and upgraded them both to the latest version of FreshTomato, to be used for temporary backup purposes, in case my UDM SE takes an unexpected dump. I'll use one as a router and the other as an AP.

Sadly, if UDM SE is down, I wouldn't be able to use any of my Unifi APs, unless I unadopt them and readopt them on a standalone Unifi Network Server, which I could do, but even that would only be a partial fix since my cameras wouldn't work right either. Anyway, the old routers should hold me over until I get another Unifi gateway.

R7000 seems to be the most popular router running Tomato:
https://anon.freshtomato.org/

 

[alarmguy]

Inspired by this thread, I dug up two of my old routers (Netgear R7000 and Asus RT-N66U) and upgraded them both to the latest version of FreshTomato, to be used for temporary backup purposes, in case my UDM SE takes an unexpected dump. I'll use one as a router and the other as an AP.

Sadly, if UDM SE is down, I wouldn't be able to use any of my Unifi APs, unless I unadopt them and readopt them on a standalone Unifi Network Server, which I could do, but even that would only be a partial fix since my cameras wouldn't work right either. Anyway, the old routers should hold me over until I get another Unifi gateway.

R7000 seems to be the most popular router running Tomato:
https://anon.freshtomato.org/

Does fresh tomato automatically update? As we know all routers have flaws that get exposed.
The last update to a security flaw was 4/15/2025
https://app.opencve.io/cve/?vendor=freshtomato

 

[Quattro Pete]

Does fresh tomato automatically update?

As far as I know, it does not, and that's by design. It's firmware for the nerds, with a ton of functionality that gets changed/updated often, so the developers don't want to force it onto you until you've had a chance to comprehend the changes. Some updates are very major, advising to wipe NVRAM and reconfigure from scratch, so it isn't exactly for a typical user who wants to set it and forget it.

As we know all routers have flaws that get exposed.
The last update to a security flaw was 4/15/2025
https://app.opencve.io/cve/?vendor=freshtomato

That seems to be outdated info.

Latest release was 2/15/2026 and addressed many CVEs:
https://github.com/FreshTomato-Project/freshtomato-arm/blob/arm-master/CHANGELOG

They typically release a new version every quarter.

 

[Quattro Pete]

And for S&G, I just installed the latest FreshTomato on Asus WL-500gP v2 with a whopping 8 MB of flash. This is a router from 2008.

 

[Brons2]

ISPs should disable customer internet access for anyone with a pwned router. $0.02.

 

[Quattro Pete]

ISPs should disable customer internet access for anyone with a pwned router. $0.02.

How? ISPs do not know what CPE sits behind the modem.

 

[OVERKILL]

How? ISPs do not know what CPE sits behind the modem.

Cogeco here in Canada watches for "known signs of pwn3d stuff" and does exactly that, you get an e-mail, you get like 2 weeks to remedy it, and if you don't, your net gets shut-off.

 

[Brons2]

How? ISPs do not know what CPE sits behind the modem.

Their security toolset would tell them where malicious traffic was coming from on their network. IOCs (Indicators of compromise) would be present.

That said, as you imply, it would not be immediately evident which device behind the router, or the router itself, was compromised.

 

[PandaBear]

ISPs should disable customer internet access for anyone with a pwned router. $0.02.

It cost a lot of money to detect something.

 

[uc50ic4more]

It cost a lot of money to detect something.

Never mind a security and privacy nightmare! And never mind a little presumptuous that one's ISP should also be in charge your internal network's setup and operational structure.

 

[rijndael]

And never mind a little presumptuous that one's ISP should also be in charge your internal network's setup and operational structure.

Just because they supply A router doesn't mean it needs to be your internal router.

 

[PandaBear]

Just because they supply A router doesn't mean it needs to be your internal router.

"their" router cost $7-10 a month to "rent".

 

[uc50ic4more]

Just because they supply A router doesn't mean it needs to be your internal router.

If an ISP supplies your router I'd strongly expect them to be responsible for its maintenance; especially if it's rented. I would have massive issues with my ISP having even read-only access to my router's configuration, much less write-capable access!

 

[rijndael]

Cogeco here in Canada watches for "known signs of pwn3d stuff"

For a minute, I read it as Cogent, at which point I LOL'd.

 

[rijndael]

If an ISP supplies your router I'd strongly expect them to be responsible for its maintenance; especially if it's rented. I would have massive issues with my ISP having even read-only access to my router's configuration, much less write-capable access!

I'm always going to route my own packets between my internal networks. If I'm forced to use an on-prem ISP router, I'll just plug my router in to it. They can manage their router as they see fit. I'll manage my own.

The ISP is going to route your packets one way or the other.