The IoT Leaky Bucket
Attackers love IoT for stealthy data exfiltration because the traffic never hits any monitored paths
The problem is loud and clear. The building management system (BMS) or other IoT gear uses a SIM card for direct outbound cellular connectivity to the vendor, completely bypassing the fancy corporate firewall & any perimeter controls. Worse, it’s bridged into the business LAN, so a compromise on one side instantly contaminates the other. This is a classic shadow network risk: legacy hardware with decades-old firmware, zero ongoing IT oversight, and an always-on cellular backdoor. Mobile phones do the same thing (cellular + Wi-Fi), and when they’re on SIM, they’re essentially dodging corporate security too. Attackers love this exact setup for stealthy data exfiltration because the traffic never hits any monitored paths.
Dangers of IoT Networks & Why They’re Poorly Protected by Default
IoT devices (sensors, BMS, smart cameras, HVAC controllers, etc.) are built for cheap, easy deployment & long-term reliability, not security. By default, they are shockingly insecure for these reasons:
Weak or default credentials everywhere. Many ship with “admin/admin” or easily guessable passwords that never get changed. Manufacturers prioritize functionality over strong authentication, & there’s no forced password rotation or multi-factor.
Outdated firmware & no patches. These systems often run 10–20+ year-old hardware with minimal (or zero) update mechanisms. Known vulnerabilities sit unpatched forever because facilities teams (not IT) manage them, & rebooting a BMS can literally shut down a building.
Insecure communications & no encryption. A huge percentage of IoT traffic travels in plain text or with weak/old encryption. Data sent to vendors (or exfiltrated) is easily intercepted or tampered with.
Direct cellular/SIM connectivity bypasses everything. No firewall, no proxy, no inspection. The device phones home via 4G/5G independently. This is common in BMS, utility meters, remote sensors, etc., because it’s “reliable” and avoids wired dependencies.
Lack of visibility & segmentation. No centralized monitoring. IT often can’t even see these devices on the network. They’re bridged into the corporate LAN with zero micro-segmentation, so one hacked IoT device becomes a perfect pivot point or exfiltration tunnel.
Resource constraints & legacy design. IoT chips are tiny and cheap, so they can’t run heavy security agents. Standards are inconsistent across vendors, so the business is left with a Frankenstein of poorly protected gear.
The result? IoT is the #1 source of botnets (Mirai-style attacks), ransomware entry points, & silent data theft. A single compromised BMS can let attackers siphon sensitive building data, corporate credentials, or even pivot deeper into the network, all while the traffic looks normal on an unmonitored cellular link.
How Easy Is Data Exfiltration Here?
Trivially easy. Here’s a real-world attack path:
Attacker scans for exposed IoT (Shodan finds thousands daily) or exploits a known unpatched vuln/default password in BMS firmware.
Gains shell access on the device.
Uses the built-in SIM cellular link to phone home to their C2 server, completely bypassing the firewall, IDS, and logs.
Exfiltrates data directly (credentials, floor plans, camera feeds, or anything harvested from the bridged business network).
Or worse: installs malware that uses the IoT device as a dead drop exfiltration path for data stolen from corporate servers. Security teams see nothing because the traffic never touches the corporate WAN.
Mobile phones on cellular do the exact same bypass. It’s why nation-state actors and ransomware crews target IoT first, low effort, high reward, zero visibility.
How SD-WAN Solves This (& Chokes the Problem)
SD-WAN (Software-Defined Wide Area Network) was literally designed for exactly these messy, multi-path, IoT-heavy environments. It replaces rigid hardware routers with software-defined overlays that give centralized control, visibility, and security across every connection type, including cellular/SIM links.
Here’s how it directly fixes the scenario:
Full visibility into everything, including cellular traffic. Single-pane-of-glass dashboard shows every IoT device, every SIM connection, bandwidth usage, and traffic patterns in real time. The business can finally see what that BMS is sending to the vendor (or to Russia). No more “it doesn’t hit the firewall, so we can’t monitor it.”
Policy enforcement everywhere. The business defines rules centrally (e.g. IoT traffic can only go to these 3 vendor IPs, must be encrypted, inspected for malware, and logged). SD-WAN applies them to all transports: broadband, MPLS, and 4G/5G cellular. Even SIM-based devices get forced through the secure overlay if the cellular link is routed via an SD-WAN edge appliance or cellular gateway.
Security moves to the edge (no backhauling required). Modern Secure SD-WAN (e.g., with integrated firewall, IPS, zero-trust, SASE) inspects and protects traffic at the branch or device level. DDoS protection, malware scanning, web filtering, and anomaly detection happen before traffic leaves the site. Outbound paths are choked.
Segmentation & zero-trust for IoT. Automatically isolate BMS/IoT into its own secure segment. Business network traffic can’t freely talk to it (or vice versa). Micro-segmentation prevents lateral movement.
Analytics & threat intelligence built-in. AI-driven monitoring spots weird cellular spikes, unusual destinations, or data exfiltration patterns instantly. The business gets alerts instead of silent theft.
Handles cellular natively. Supports LTE/5G gateways and dual-SIM failover. The business can even force SIM traffic into secure tunnels or apply the same policies as wired links. No more “it just connects directly.”
Result: That dodgy old BMS still works & talks to the vendor, but now it’s under business control, inspected, segmented, visible, & choked. Exfiltration becomes almost impossible because there’s nowhere for the data to hide.
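To make the policy side concrete, here is an added example (not part of the original post, and not any SD-WAN vendor’s code) that applies the three rules above to flow records as an SD-WAN edge or cellular gateway might export them: only the vendor allowlist, only encrypted ports, and an alert on an outbound volume spike. The device names, vendor IPs (RFC 5737 documentation ranges), flow records and the volume baseline are all constructed assumptions.

```python
"""Check IoT/cellular flow records against a centrally defined SD-WAN style policy.
Constructed example: devices, vendor IPs, flows and the baseline are made up."""
from collections import defaultdict
from dataclasses import dataclass

# Policy from the text: IoT traffic may only reach a short list of vendor IPs,
# must be encrypted, and every flow is logged. The volume baseline is assumed.
VENDOR_ALLOWLIST = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
ENCRYPTED_PORTS = {443, 8883}          # HTTPS, MQTT over TLS
BASELINE_BYTES_PER_HOUR = 2_000_000    # assumed normal BMS telemetry volume
SPIKE_FACTOR = 5                       # alert when a device sends > 5x baseline

@dataclass(frozen=True)
class Flow:
    device: str
    transport: str   # "cellular" or "wired"; both get the same policy
    dst_ip: str
    dst_port: int
    bytes_out: int

# Constructed flow records for one hour, as a gateway might export them.
FLOWS = [
    Flow("bms-01", "cellular", "203.0.113.10", 443, 120_000),
    Flow("bms-01", "cellular", "203.0.113.10", 443, 95_000),
    Flow("bms-01", "cellular", "198.51.100.77", 443, 12_000_000),  # unknown dest + spike
    Flow("hvac-07", "cellular", "203.0.113.11", 80, 40_000),        # plaintext to vendor
    Flow("cam-03", "wired", "203.0.113.12", 8883, 300_000),          # compliant
]

def evaluate(flows):
    """Return (device, finding) tuples in detection order; empty list = policy holds."""
    findings = []
    per_device = defaultdict(int)
    for f in flows:
        per_device[f.device] += f.bytes_out
        if f.dst_ip not in VENDOR_ALLOWLIST:
            findings.append((f.device, f"{f.transport} flow to {f.dst_ip} not in vendor allowlist"))
        if f.dst_port not in ENCRYPTED_PORTS:
            findings.append((f.device, f"unencrypted port {f.dst_port} to {f.dst_ip}"))
    # Volume check runs per device over the whole window, not per flow.
    for device, total in per_device.items():
        if total > BASELINE_BYTES_PER_HOUR * SPIKE_FACTOR:
            findings.append((device, f"outbound volume {total} exceeds {SPIKE_FACTOR}x baseline"))
    return findings

if __name__ == "__main__":
    for device, msg in evaluate(FLOWS):
        print(f"ALERT {device}: {msg}")
```

Running it against the constructed flows raises three alerts: bms-01 talking to an address outside the allowlist, hvac-07 using plaintext to a vendor, and bms-01 exceeding its volume baseline; cam-03 is silent.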
Wrapping up: traditional firewalls alone can’t fix this because the traffic never reaches them. SD-WAN overlays intelligence and control on top of whatever messy connections exist (including SIMs). It’s the modern way to secure exactly these hybrid, IoT-infested networks. If the current setup has any SD-WAN capability, turning on IoT/cellular policies is a quick win.