
A pure DSL/cable/fiber-optics modem is relatively okay, assuming it's a sane unit; it only does modulation-demodulation on Layer-1/2 with little attack surface. The bad thing is that nowadays they usually come from the ISP as a combined modem/router unit, and neither the performance nor the security is ideal.

I always see an ISP-provided router as a hazardous & untrusted device. If it offers bridged PPPoE, I would configure it so it works as a pure modem, even if it means breaking into the telnet console. Otherwise, I would rather put my own router behind it, double-NAT and firewall it out of my own network.

In Germany, the Choice and Connection of Telecommunication Terminal Devices Act has been passed with the support of the free and open source community, which ensures a user can use their own router to connect to a broadband network.

https://fsfe.org/activities/routers/timeline.en.html



If you live in/know about Germany, could you suggest a good alternative to the Kabel Deutschland basic CBN router? I have no clue how the registration to the network would work if I buy a third party router connected directly to my cable input.


You can register the modem via a web portal during the first connection. After a few days you get the activation code via snail mail. But third party cable modems are expensive in Germany. You can also use the provided modem in bridge mode and use a better router behind it.


That works with KD? Fking unitymedia removed bridge mode from their firmware. :(


I recommend the bridge mode + a better router solution.


We got a DSL login per email a few weeks before the connection became active. Went to the router's admin panel and filled them in under "Internet connection". Once the link came up, Internet worked.


> it only does modulation-demodulation on Layer-1/2 with little attack surface

The simplest of them have a web interface. If that's leaky, there goes the whole thing because any website can try to connect to it.


Well, sure, but it depends; in practice the security risk is smaller.

I've seen many modems with a web interface, but it's often not routable to the public Internet in actual use, as the connection was bridged and the job of getting a public IP has been delegated to the PPPoE connection on the router behind it (you need to add another network interface and assign an IP address on your router inside the LAN segment under the control of the modem to reach it).

Some modems have a management link; it can be described as a universal ISP backdoor, only reachable in the ISP's LAN.

But in both cases, it's still better than a modem/router combined unit.



