Leveraging Private APNs for IoT Security Research
This talk demonstrates how to intercept and analyze mobile network traffic from IoT devices by utilizing private Access Point Names (APNs) and site-to-site VPN tunnels. By configuring a private APN, researchers can redirect device traffic to a controlled cloud server, bypassing standard ISP filtering and enabling deep packet inspection. This technique provides a cost-effective and scalable method for performing security audits and vulnerability research on cellular-connected hardware. The speaker provides a practical proof-of-concept using a cellular modem and a cloud-based VPN gateway.
Why Your IoT Devices Are Leaking Data Over Cellular Networks
TLDR: Most cellular-connected IoT devices transmit data over unencrypted channels that are trivial to intercept if you control the network path. By using private Access Point Names (APNs) and site-to-site VPN tunnels, researchers can force device traffic through a controlled gateway for deep packet inspection. This approach exposes hardcoded credentials, cleartext API calls, and sensitive telemetry that developers often assume is protected by the cellular carrier.
Security researchers often treat cellular connectivity as a black box. We assume that because the traffic is traversing a carrier network, it is inherently more secure than public Wi-Fi. That assumption is a massive blind spot. When you are auditing an IoT device, you are likely looking at the firmware, the cloud API, or the local web interface. You are rarely looking at the raw traffic flowing from the modem to the internet.
The reality is that many IoT devices communicate over cellular networks with zero encryption, or rely on weak, outdated protocols that are easily intercepted. If you are not inspecting the traffic at the network layer, you are missing the most critical data leakage points.
The Mechanics of Network Interception
To effectively audit these devices, you need to move from passive observation to active interception. The most reliable way to do this is by manipulating the network path using a private APN. An APN acts as the gateway between the cellular network and the public internet. By default, your device uses the carrier’s public APN, which routes traffic directly to the web.
When you provision a private APN, you gain the ability to define where that traffic goes. Instead of hitting the public internet, you can route it through a site-to-host or site-to-site VPN tunnel that terminates at a server you control. Once the traffic reaches your server, you can use standard tools like tcpdump to capture and analyze every packet in real time.
This setup is surprisingly accessible. You do not need a massive budget or specialized telecom hardware. A standard cellular modem, a SIM card from a provider that supports private APNs, and a cloud-hosted WireGuard instance are sufficient to build a robust interception lab.
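Once packets are arriving at the gateway, the first pass is usually a triage of what each flow carries: is it inside TLS at all, and if not, which of the leakage classes named in this post (identifiers, location, credentials) does it contain? The script below is an added example, not code from the talk; it works on payloads already pulled out of a capture (for instance with tshark) and uses constructed sample payloads, including a documentation-example IMEI, so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample payloads, as they might be extracted (e.g. with tshark) from a tcpdump
# capture taken on the VPN gateway: (direction, destination port, raw TCP payload). All values
# are made up; the IMEI is a documentation example number, not a real device.
SAMPLES: List[Tuple[str, int, bytes]] = [
    ("dev->cloud", 8080,
     b"POST /ingest HTTP/1.1\r\nHost: telemetry.example\r\nX-Api-Key: sk_live_CONSTRUCTED\r\n\r\n"
     b'{"imei":"490154203237518","lat":51.5007,"lon":-0.1246,"temp_c":21.4}'),
    ("dev->cloud", 443, bytes.fromhex("16030100c5010000c10303")),  # TLS ClientHello record prefix
    ("dev->cloud", 1883, b"\x10\x20\x00\x04MQTT\x04\xc2\x00\x3c\x00\x06sensor\x00\x05admin\x00\x05admin"),
]

TLS_VERSIONS = {b"\x03\x01", b"\x03\x02", b"\x03\x03"}
IMEI_RE = re.compile(rb"\b\d{15}\b")
PATTERNS = {  # cleartext indicators worth a second look in a report
    "api_key_header": re.compile(rb"(?im)^(x-api-key|authorization):"),
    "credential_field": re.compile(rb"(?i)(password|passwd|secret)"),
    "location": re.compile(rb'(?i)"(lat|lon|latitude|longitude)"'),
}

def looks_like_tls(payload: bytes) -> bool:
    """A TLS record starts with a content type 0x14-0x17 followed by a 0x03,0x0x version."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1:3] in TLS_VERSIONS

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; use it to cut false positives on random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def triage(direction: str, port: int, payload: bytes) -> Dict[str, object]:
    """Classify one captured payload and list the cleartext leakage indicators it contains."""
    findings: List[str] = []
    if looks_like_tls(payload):
        return {"direction": direction, "port": port, "encrypted": True, "findings": findings}
    findings += [name for name, rx in PATTERNS.items() if rx.search(payload)]
    if any(luhn_ok(m.group().decode()) for m in IMEI_RE.finditer(payload)):
        findings.append("imei")
    # MQTT CONNECT: protocol name "MQTT", level byte, then connect flags; bits 7/6 = username/password
    i = payload.find(b"\x00\x04MQTT")
    if i != -1 and len(payload) > i + 7 and payload[i + 7] & 0xC0:
        findings.append("mqtt_credentials")
    return {"direction": direction, "port": port, "encrypted": False, "findings": findings}

def audit(samples=SAMPLES) -> List[Dict[str, object]]:
    return [triage(*s) for s in samples]
```

A flow that shows up as `encrypted=False` with any finding is the kind of evidence the post describes; the TLS check is deliberately loose (record header only), so treat it as a filter for what deserves manual inspection, not as proof of proper encryption.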
Practical Exploitation and Analysis
During a recent engagement, I used this technique to audit a fleet of industrial sensors. The devices were configured to send telemetry data to a hardcoded endpoint. By forcing the traffic through my VPN gateway, I could see the exact structure of the packets.
The device was sending its unique identifier, location data, and internal sensor readings in cleartext. Because the traffic was not using TLS, I could not only read the data but also inject my own responses. I could spoof the server’s response to trick the device into entering a diagnostic mode, which exposed further undocumented commands.
If you are performing a penetration test on a cellular-connected device, your first step should be to identify the APN settings. Many devices allow you to manually configure these in the settings menu or via AT commands. If you can change the APN to one you control, you have essentially performed a man-in-the-middle attack on the entire device.
Why This Matters for Your Next Audit
The risk here is not just theoretical. We are seeing an explosion of "smart" devices in critical infrastructure (water meters, power grid controllers, and medical equipment) that rely on cellular backhaul. If these devices fall into OWASP A02:2021 – Cryptographic Failures, that is, they do not encrypt their data in transit, they are essentially broadcasting sensitive data to anyone who can influence the routing path.
For bug bounty hunters, this is a goldmine. Many vendors have public bug bounty programs for their cloud APIs but completely ignore the cellular transport layer. If you can demonstrate that a device is leaking PII or credentials over the cellular network, you have found a high-impact vulnerability that the vendor likely never considered.
Defensive Considerations
If you are on the blue team or working with developers, the fix is straightforward but often ignored: enforce end-to-end encryption. Do not rely on the carrier network to secure your data. Every packet leaving the modem should be wrapped in a secure tunnel, such as TLS or a dedicated VPN, before it ever touches the cellular radio.
Furthermore, implement strict certificate pinning. If your device only trusts a specific server certificate, an attacker who manages to intercept the traffic cannot present a substitute certificate, and so can neither decrypt nor tamper with the payload.
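A device-side sender that applies both recommendations, as an added example using only the Python standard library (not code from the talk): telemetry is only ever written into a TLS session that passed normal chain and hostname validation and whose leaf certificate matches a pinned SHA-256 fingerprint. The pin value, host and port are placeholders to be replaced with your own.

```python
import hashlib
import json
import socket
import ssl
from typing import Iterable

# Hypothetical pin set: SHA-256 over the DER encoding of the telemetry server's leaf certificate.
# Placeholder value; a deployment ships the hash of its own certificate plus a backup pin for rotation.
PINNED_SHA256 = {"<sha256-of-telemetry-server-leaf-cert-DER>"}

def cert_fingerprint(der: bytes) -> str:
    """Fingerprint used for pinning: hex SHA-256 of the DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def pin_from_pem(pem: str) -> str:
    """Compute the pin for a server certificate you hold in PEM form (operator-side helper)."""
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    return cert_fingerprint(der) in {p.lower() for p in pins}

def send_telemetry(host: str, port: int, payload: dict, pins: Iterable[str] = PINNED_SHA256,
                   cafile: str = None) -> int:
    """Send one telemetry record; refuse to transmit anything unless TLS is up and the pin matches."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain and hostname validation stay enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    body = json.dumps(payload).encode()
    with socket.create_connection((host, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pins):
                raise ssl.SSLError("certificate pin mismatch: refusing to send telemetry")
            tls.sendall(body)            # no cleartext fallback path exists in this sender
            return len(body)
```

Pinning the leaf certificate is the strictest option and means every certificate rotation needs a firmware-side pin update, which is why the comment above mentions shipping a backup pin.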
Stop assuming the network is secure. Start treating the cellular connection as an untrusted medium, just like you would with any other network interface. If you can see the traffic, you can break the device. If you can break the device, you can own the network. Start looking at what your devices are actually saying to the world.