Rapid7 warns of cellular IoT hardware attack risks
Rapid7 researchers have identified a set of hardware-level attack techniques that allow adversaries with physical access to cellular-enabled Internet of Things devices to infiltrate backend systems, extract sensitive data and conceal malicious traffic within legitimate communications.
The findings show how cellular modules embedded in IoT devices can be repurposed as entry points into cloud platforms and private networks. The research also demonstrates how trusted relationships between devices and connected services can be exploited once an attacker gains control of internal communications.
Attack paths
The research focuses on how attackers can manipulate interchip communication between a device's primary processor and its cellular module. These communications typically occur over USB or universal asynchronous receiver-transmitter (UART) interfaces.
By observing and modifying these channels, attackers can intercept commands and data exchanged within the device. In some cases, hardware modifications can replace the device's host processor entirely, allowing an external system to take control of the cellular module.
Both USB and UART interfaces are commonly present in cellular-enabled IoT devices, but only one is typically used. This leaves unused communication paths exposed and potentially accessible to attackers.
The research shows that attackers can either tap into these interfaces to monitor traffic or hijack them after the device has authenticated with backend services. This allows malicious activity to take place under the guise of legitimate device behaviour.
Tooling risks
The researchers developed several proof-of-concept tools to demonstrate how these attacks could be operationalised. These include a TCP port scanner, a cloud storage enumerator, a SOCKS5 proxy and a Metasploit integration module.
These tools rely on standard AT commands supported by cellular modules. Once an attacker gains access to the module, these commands can be used to establish network connections, scan internal infrastructure and route traffic through the device.
One example involved creating a SOCKS5 proxy that allows external systems to route traffic through the compromised IoT device. This effectively turns the device into a covert gateway into corporate or cloud environments.
Another tool demonstrated how attackers could enumerate cloud storage resources, such as object storage buckets, by leveraging the device's existing access permissions.
The research also explored the use of Point-to-Point Protocol over UART, enabling a full network interface through the cellular module. This allows attackers to route standard IP traffic through the device without interrupting its normal operation.
Trust relationships
A central theme of the research is the implicit trust placed in cellular communication paths. IoT devices often authenticate to cloud services, backend systems and private networks using credentials embedded within the device.
Once authenticated, these devices are typically granted broad access to data and services. Attackers who gain control of the cellular module can inherit this trust.
The study found that authentication methods vary widely, including tokens, keys and device identifiers. However, once these are in place, there is often little additional verification of the device's behaviour.
Devices using private access point names were identified as particularly high risk. These configurations can provide direct access to internal network infrastructure, increasing the potential impact of compromise.
Security gaps
The research identified several consistent weaknesses across tested devices. None of the devices examined included tamper protection mechanisms to prevent physical access.
Many devices also failed to encrypt sensitive data before transmission. This allowed researchers to capture credentials, tokens and other information directly from internal communications.
Unused interfaces were often left enabled and accessible, creating additional entry points. In some cases, sensitive communication could be intercepted using relatively simple hardware tools.
The report notes that relying solely on cellular network encryption is insufficient. Data transmitted from the device's processor to the cellular module may remain unencrypted, exposing it to interception.
Mitigation steps
The researchers recommend that organisations treat cellular-enabled IoT devices as privileged assets within their networks. This includes recognising their potential role as gateways into critical systems.
Several mitigation measures are outlined. These include disabling unused communication interfaces and ensuring that sensitive data is encrypted before transmission through cellular modules.
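The encryption measure above addresses the gap described under "Security gaps": the cellular network encrypts the air interface, but the bytes the host processor hands to the module over UART or USB are whatever the application wrote. The following Go program is an added illustration, not Rapid7's tooling or code from the report: the host side seals each telemetry message with AES-256-GCM under a per-device key before it reaches the module, binding the device identifier as associated data, and the backend side refuses anything altered in transit. The Telemetry and Envelope formats, the per-device key (assumed to be provisioned in a hardware-backed store; here a fixed test value) and the function names are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Telemetry is the application message the host processor wants delivered
// to the backend. Token is the session credential the backend expects.
type Telemetry struct {
	DeviceID string  `json:"device_id"`
	Token    string  `json:"token"`
	Reading  float64 `json:"reading"`
}

// Envelope is what actually crosses the interchip link to the cellular
// module: only the device identifier is left readable, for routing.
type Envelope struct {
	DeviceID   string `json:"device_id"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// sealTelemetry encrypts and authenticates t with AES-256-GCM under the
// per-device key. The outer DeviceID is bound as associated data, so an
// envelope cannot be re-labelled as coming from another device.
func sealTelemetry(key []byte, t Telemetry) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(t)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plain, []byte(t.DeviceID))
	return json.Marshal(Envelope{DeviceID: t.DeviceID, Nonce: nonce, Ciphertext: ct})
}

// openTelemetry is the backend side: it rejects a wrong key, a modified
// ciphertext or a swapped device identifier with an error.
func openTelemetry(key []byte, wire []byte) (Telemetry, error) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return Telemetry{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Telemetry{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Telemetry{}, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return Telemetry{}, errors.New("bad nonce length")
	}
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return Telemetry{}, errors.New("authentication failed: envelope altered or wrong key")
	}
	var t Telemetry
	if err := json.Unmarshal(plain, &t); err != nil {
		return Telemetry{}, err
	}
	return t, nil
}

// linkExposesSecret models an observer tapping the UART/USB link: it can
// only search the raw bytes that were handed to the module.
func linkExposesSecret(wire []byte, secret string) bool {
	return bytes.Contains(wire, []byte(secret))
}

func main() {
	key := make([]byte, 32) // constructed test key; a real device uses a provisioned secret
	for i := range key {
		key[i] = byte(i)
	}
	msg := Telemetry{DeviceID: "meter-0042", Token: "sess-EXAMPLE-TOKEN-123456", Reading: 21.5}
	wire, err := sealTelemetry(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("token visible on link: %v\n", linkExposesSecret(wire, msg.Token))
	got, err := openTelemetry(key, wire)
	fmt.Printf("backend decoded: %+v (err=%v)\n", got, err)
}
```

Random 96-bit nonces are adequate for a device sending a modest number of messages per key; firmware that cannot rely on a good entropy source should use a persisted counter nonce instead, and the key should live in the module-independent secure element rather than in flash the host processor reads in the clear.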
The report also calls for improved monitoring of cellular traffic, particularly in environments using private APNs. This includes enforcing outbound controls and analysing communication patterns for anomalies.
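One way to turn the monitoring and outbound-control recommendation into something concrete, as an added example that is not part of the report or Rapid7's tooling: a device on a private APN normally reaches a single broker, so flow records exported by the APN gateway or firewall can be checked against a per-device allowlist and for the shapes a hijacked module produces, such as many ports on one internal host or many internal hosts. The flow export format (device,dst_ip,dst_port), the sample records, the 10.20.0.0/16 addresses and the thresholds are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one outbound connection record in the constructed export format.
type Flow struct {
	Device  string
	DstIP   string
	DstPort int
}

// Policy lists the only "ip:port" destinations a device class should reach.
type Policy struct {
	Allowed map[string]bool
}

// Alert is one deviation from the policy or from expected traffic shape.
type Alert struct {
	Device string
	Kind   string
	Detail string
}

// sampleFlows is constructed data: meter-0042 behaves, meter-0043 sweeps
// ports and hosts behind the APN, meter-0044 makes one stray connection.
const sampleFlows = `
meter-0042,10.20.0.5,8883
meter-0042,10.20.0.5,8883
meter-0043,10.20.0.5,8883
meter-0043,10.20.0.5,22
meter-0043,10.20.0.5,80
meter-0043,10.20.0.5,443
meter-0043,10.20.0.5,445
meter-0043,10.20.0.5,3389
meter-0043,10.20.0.5,8080
meter-0043,10.20.0.6,22
meter-0043,10.20.0.7,22
meter-0043,10.20.0.8,22
meter-0044,10.20.0.9,443
`

func defaultPolicy() Policy {
	return Policy{Allowed: map[string]bool{"10.20.0.5:8883": true}}
}

// parseFlows reads lines of the form "device,dst_ip,dst_port".
func parseFlows(input string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(strings.TrimSpace(input), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields", n+1)
		}
		port, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad port %q", n+1, f[2])
		}
		flows = append(flows, Flow{Device: f[0], DstIP: f[1], DstPort: port})
	}
	return flows, nil
}

// analyse raises "disallowed" for flows outside the allowlist, "port_sweep"
// when one device touches more than portThreshold ports on a single host,
// and "host_sweep" when it touches more than hostThreshold disallowed hosts.
func analyse(flows []Flow, pol Policy, portThreshold, hostThreshold int) []Alert {
	type key struct{ device, ip string }
	portsByHost := map[key]map[int]bool{}
	hostsByDev := map[string]map[string]bool{}
	disallowed := map[string]int{}
	for _, f := range flows {
		if pol.Allowed[f.DstIP+":"+strconv.Itoa(f.DstPort)] {
			continue // expected traffic never contributes to an alert
		}
		disallowed[f.Device]++
		k := key{f.Device, f.DstIP}
		if portsByHost[k] == nil {
			portsByHost[k] = map[int]bool{}
		}
		portsByHost[k][f.DstPort] = true
		if hostsByDev[f.Device] == nil {
			hostsByDev[f.Device] = map[string]bool{}
		}
		hostsByDev[f.Device][f.DstIP] = true
	}
	var alerts []Alert
	for dev, n := range disallowed {
		alerts = append(alerts, Alert{dev, "disallowed", fmt.Sprintf("%d flow(s) outside allowlist", n)})
	}
	for k, ports := range portsByHost {
		if len(ports) > portThreshold {
			alerts = append(alerts, Alert{k.device, "port_sweep", fmt.Sprintf("%d distinct ports on %s", len(ports), k.ip)})
		}
	}
	for dev, hosts := range hostsByDev {
		if len(hosts) > hostThreshold {
			alerts = append(alerts, Alert{dev, "host_sweep", fmt.Sprintf("%d distinct internal hosts", len(hosts))})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { // deterministic output order
		if alerts[i].Device != alerts[j].Device {
			return alerts[i].Device < alerts[j].Device
		}
		return alerts[i].Kind < alerts[j].Kind
	})
	return alerts
}

// runExample applies the policy to the constructed feed with illustrative thresholds.
func runExample() ([]Alert, error) {
	flows, err := parseFlows(sampleFlows)
	if err != nil {
		return nil, err
	}
	return analyse(flows, defaultPolicy(), 5, 3), nil
}

func main() {
	alerts, err := runExample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %-11s %s\n", a.Device, a.Kind, a.Detail)
	}
}
```

The same allowlist that drives the "disallowed" alert is what an outbound rule on the APN gateway would enforce; the sweep heuristics exist because a hijacked module can still reach allowed hosts on unexpected ports, which a pure destination allowlist does not catch.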
Hardware-level security testing is highlighted as a necessary practice. Regular testing can help identify vulnerabilities in device design and implementation before they are exploited.
Network-level controls are also critical. These include segmentation, access restrictions and continuous monitoring of device activity.
The research concludes that as cellular connectivity becomes more common in IoT deployments, the risks associated with these devices will increase. Without stronger safeguards at the hardware and network levels, cellular-enabled devices may become a persistent attack vector within enterprise environments.