Black Hat

Black Hat USA 2025 | Weaponization of Cellular Based IoT Technology

At Black Hat USA 2025, Daryl Highland (Rapid7) and Carla Bidner (Thermo Fisher) presented research on weaponizing cellular‑based IoT devices, focusing on the often‑overlooked inter‑chip communication between the main processor and the cellular modem. They discovered that most devices transmit UART or USB traffic without encryption, exposing AT command interfaces originally designed for 1980s modems. By intercepting these links—using techniques ranging from overlay imaging to acupuncture‑needle probes and full module re‑flow—they can inject custom AT commands to configure networking, open sockets, or trigger firmware updates. The team built a suite of scripts that repurpose AT commands into traditional pentesting tools such as port scanners, HTTP proxies, and even an S3 bucket enumerator. In a live demo, the researchers showed an AT‑driven S3 bucket scanner that harvested a flag.txt file, then switched to PPP over UART to obtain a cellular IP address and run a cloud‑enumeration script, noting that the operation took 40‑45 minutes versus three minutes on a regular network. They also highlighted the practical challenges of USB‑only devices and the variability of carrier support for PPP. The work underscores a critical gap in IoT security: manufacturers assume cellular links are inherently protected, yet the internal CPU‑modem channel remains a low‑cost attack surface. Enterprises deploying cellular IoT must reassess firmware hardening, enforce encrypted inter‑chip protocols, and incorporate hardware‑level testing into their threat models.