Black Hat USA 2025 | Weaponization of Cellular Based IoT Technology

Black Hat
Mar 16, 2026

Why It Matters

Because unencrypted inter‑chip channels let attackers commandeer cellular IoT devices, they can bypass network defenses and access cloud resources, forcing a rethink of IoT security architectures.

Key Takeaways

  • Cellular IoT modules often expose unencrypted CPU‑module links.
  • AT command interfaces enable remote control and data exfiltration.
  • Physical access methods include needle probes and module re‑flow techniques.
  • Custom scripts turn UART AT commands into port scanners and proxies.
  • PPP over UART provides cellular internet, but with high latency.

Summary

At Black Hat USA 2025, Deral Heiland (Rapid7) and Carlota Bindner (Thermo Fisher Scientific) presented research on weaponizing cellular‑based IoT devices, focusing on the often‑overlooked inter‑chip communication between the main processor and the cellular modem.

They found that most devices carry the UART or USB traffic between processor and modem without encryption, exposing an AT command interface originally designed for 1980s modems. By intercepting these links (using techniques ranging from overlay imaging to acupuncture‑needle probes and full module re‑flow), an attacker can inject custom AT commands to configure networking, open sockets, or trigger firmware updates. The team built a suite of scripts that repurpose AT commands into traditional pentesting tools such as port scanners, HTTP proxies, and even an S3 bucket enumerator.

In a live demo, the researchers showed an AT‑driven S3 bucket scanner that harvested a flag.txt file, then switched to PPP over UART to obtain a cellular IP address and run a cloud‑enumeration script, noting that the operation took 40‑45 minutes versus three minutes on a regular network. They also highlighted the practical challenges of USB‑only devices and the variability of carrier support for PPP.

The work underscores a critical gap in IoT security: manufacturers assume cellular links are inherently protected, yet the internal CPU‑modem channel remains a low‑cost attack surface. Enterprises deploying cellular IoT must reassess firmware hardening, enforce encrypted inter‑chip protocols, and incorporate hardware‑level testing into their threat models.
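The summary above describes three command classes an intercepted UART link exposes: reconfiguring the network path (the PDP context and its APN), opening sockets through vendor TCP/IP commands, and dialling into PPP mode. As an added example (not the speakers' tooling and not code from the talk), the following monitor audits a captured MCU‑to‑modem AT transcript against an allowlist of the commands the firmware is expected to issue and flags those three classes; it uses the standard 3GPP commands AT+CGDCONT and ATD*99, while the baseline set, the APN, and the AT+QIOPEN line in the constructed sample capture are assumptions.

```python
import re

# One AT command: "AT", optional basic (letter) or extended ("+NAME") command, optional operator, args.
AT_LINE = re.compile(r"^AT(?P<cmd>\+[A-Z0-9]+|[A-Z])?(?P<op>=\?|\?|=)?(?P<args>.*)$", re.I)

# Commands the MCU firmware is expected to issue, and the APN it should use. Both are
# constructed for this example; a real baseline comes from a known-good capture of the device.
BASELINE = {"AT", "AT+CSQ", "AT+CREG", "AT+CGATT", "AT+CGDCONT", "AT+CMGS"}
EXPECTED_APNS = {"sensor.corp.apn"}

def apn_of(args):
    """For AT+CGDCONT=<cid>,<pdp_type>,<apn>,... return the unquoted <apn> field."""
    fields = [f.strip().strip('"') for f in args.split(",")]
    return fields[2] if len(fields) > 2 else ""

def check_line(line):
    """Return a reason string if the line is an anomalous command, else None."""
    m = AT_LINE.match(line.strip())
    if not m:  # modem responses (OK, +CSQ: ...) are not commands; skip them
        return None
    name, args = "AT" + (m["cmd"] or "").upper(), m["args"]
    # ATD*99... is the GPRS data call: the link switches to PPP and whoever drives
    # the UART gets a raw cellular IP path that bypasses the firmware's own logic.
    if name == "ATD" and args.startswith("*99"):
        return "PPP data call (ATD*99) requested on the UART"
    if name == "AT+CGDCONT" and m["op"] == "=" and apn_of(args) not in EXPECTED_APNS:
        return f"PDP context moved to unexpected APN {apn_of(args)!r}"
    if name not in BASELINE:
        return f"{name} is outside the firmware's command baseline"
    return None

def audit(capture):
    """Return (line number, line, reason) for every anomalous command in a capture."""
    findings = []
    for n, line in enumerate(capture.splitlines(), 1):
        reason = check_line(line)
        if reason:
            findings.append((n, line, reason))
    return findings

# Constructed sample capture of the UART (MCU commands plus modem responses).
# AT+QIOPEN stands in for a vendor-specific socket-open command (assumed syntax).
SAMPLE_CAPTURE = """AT
+CSQ: 21,99
AT+CREG?
AT+CGDCONT=1,"IP","sensor.corp.apn"
AT+CGDCONT=1,"IP","unexpected.apn"
AT+QIOPEN=1,0,"TCP","10.0.0.5",443
ATD*99#
CONNECT"""
```

Running `audit(SAMPLE_CAPTURE)` flags lines 5, 6 and 7 of the sample (the APN change, the socket command, and the PPP dial) and passes the baseline commands and modem responses.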

Original Description

As IoT devices continue to integrate cellular technologies for communication, the potential risk for adversaries to weaponize the hardware's trust relationship and gain access to critical backend infrastructure grows exponentially.
During this talk, we will present our research focused on how built-in cellular technology in IoT devices can be leveraged to gain access to and execute attacks against cloud services and backend private network environments. We will cover methods to modify IoT devices to take control over the installed cellular modules, allowing for injecting communications and establishing Man-in-the-Middle (MitM) traffic between the Microcontroller Units (MCU) and the cellular modules. We will demonstrate how control of onboard cellular communications could be used to launch attacks against the backend cloud infrastructure and network systems outside of the IoT device's intended purpose.
During this presentation, we will demo and release proof-of-concept code to control the onboard cellular modules to accomplish these goals. We will also discuss techniques that manufacturers can leverage to reduce or mitigate the risk and impact of these attacks.
By:
Deral Heiland | Principal Security Researcher (IoT), Rapid7
Carlota Bindner | Lead Product Security Researcher, Thermo Fisher Scientific
Presentation Materials Available at:
