If you are behind a NAT then you may consider your any OS safe. But I have no idea about state-of-the-art of NAT hacking, maybe some of them are flawed.
There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT. I would not be comfortable staying so simply that NAT will protect in all situations. It’s one layer of defense, yes, but is inadequate without others like malware avoidance.
> There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT.
Any examples? Suppose we have a Windows computer connected to a NAT with an access to an Internets, but the computer doesn't download anything. I am not a sysadmin but from my understanding this is almost safe.
1) You’re browsing the web from the old machine. Your HTTPS connection gets MITM’d due to a TLS vulnerability, and the attacker is able to gain control of your email account.
2) Unbeknownst to you, another machine on the network is infected with some virus. That machine uses a CIFS vulnerability to remotely infect and root your old computer.
1. I do not believe this is possible. Old device (example - any Blackberry and may be Windows XP) can not connect to any site on the Internets except of HN, maybe because websites like mail provider use to not give any content via HTTP. Any working HTTPS connection just can not be MitMed except of if you are a person of interest of somebody extremely powerful.
That is obviously not true. NAT has been pretty much the default way of accessing the Internet for the vast majority of computers for the last 15 years. The proliferation of ransomware and zero-click exploits clearly shows that NAT did not turn any boxes behind it into something secure.
There are tons and tons of attack vectors that are not deterred by NAT. And with so many routers around that are vulnerable and not updatable, or that still have their default admin passphrases, you shouldn't consider your NAT network a safe place.
My router has a default admin password but this password invite is not available from the Internets. There is a way of doing it available - press and hold some button and connect to router via wire using telnet. Here is what I know about default password vector, am I missing something?