It cannot deny you service if it is routed through a router that allows only communication with a VPN server, for which the malicious firmware has no access credentials.