Police in Toronto, Canada, have revealed details of a sophisticated cyber operation in which hackers used devices known as SMS blasters, placed in vehicles driving around the city. These systems simulated mobile base stations and forced nearby phones to automatically connect to them, leading to as many as 13 million individual network outages.
According to investigators, the devices emitted a stronger signal than legitimate networks, which is why the phones chose them as the connection source. When the devices were connected, users received messages that appeared to come from trusted institutions, but actually led to fake sites with the goal of stealing data or initiating unauthorized transactions.
Fake base stations as a new attack weapon
Due to the way the attack was carried out, the operator’s standard protections were not effective. The communication bypassed common security mechanisms, allowing attackers to mass-distribute so-called “smishing” messages directly to victims’ phones. This approach enabled a simultaneous attack on tens of thousands of devices without relying on the classic telecom infrastructure.
GuardianOfficials emphasize that the problem is not only of a financial nature. During redirects to fake networks, users may temporarily lose access to legitimate services, including emergency services such as the police or EMS. This is exactly what makes this attack particularly dangerous from the point of view of public safety.
The devices used in this operation were specially designed, and the police described the seized specimens as unique and potentially dangerous to national security. Similar systems, such as IMSI interceptors, can intercept and redirect communications, including collecting metadata or voice calls.
Although this is the first recorded case of its kind in Canada, similar attacks have been seen in other parts of the world, including the Philippines and Great Britain. Although the specific operation in Toronto has been stopped, experts warn that the vulnerability remains, and existing security tools cannot prevent a phone from connecting to a fake base station, reports Techradar.