This week, Canadian law enforcement announced the first-ever arrests connected to SMS blaster operations on Canadian soil. Project Lighthouse, a joint investigation between Toronto Police and cybersecurity partners, resulted in multiple arrests and the seizure of sophisticated rogue base station equipment that had been used to blast fraudulent text messages to tens of thousands of mobile devices across the Greater Toronto Area.
While the mainstream coverage has focused on the fraud angle—spoofed banking messages designed to harvest credentials—the technical reality underneath is far more concerning. These devices exploit fundamental, decades-old weaknesses in how cellular networks authenticate (or fail to authenticate) base stations. For cybersecurity professionals, this isn’t just a fraud story. It’s a wake-up call about the fragility of the air interface.
In this post, we’ll break down exactly how SMS blasters work at the protocol level, why your phone can be tricked into trusting a malicious tower, and what defenses actually exist today.
What Is an SMS Blaster?
An SMS blaster is a specialized evolution of the IMSI catcher—the surveillance devices sometimes called “Stingrays” that law enforcement agencies have used for years. But where traditional IMSI catchers focus on passive collection of subscriber identities, SMS blasters are active attack platforms designed to inject fraudulent messages directly onto victim devices.
The hardware isn’t exotic. At their core, these devices run on Software Defined Radios (SDRs) like the Ettus Research USRP, coupled with open-source software stacks such as srsRAN. What makes the Toronto hardware notable is the level of customization: Toronto Police specifically described the seized equipment as “uniquely built” and declined to share technical details publicly. Professional criminal hardware typically integrates high-power amplifiers capable of 20-50W output (enough to cover a 500m to 1km radius in dense urban environments), cavity filters to prevent detection, and multiple SDR boards to broadcast across multiple frequency bands simultaneously.
The result? A device that fits in the trunk of a car and can force thousands of smartphones to disconnect from legitimate cell towers and connect to the attacker’s fake network instead.
The Physics of Interception: Why Your Phone Takes the Bait
To understand why this attack works, you need to understand how mobile devices select which tower to connect to. The process is governed by something called the S-criterion—essentially, your phone is designed to be “greedy” for signal quality. It constantly scans broadcast control channels from nearby cells and connects to whatever tower offers the best signal strength as measured by Reference Signal Received Power (RSRP).
This is normally a sensible design. If you’re walking through a city, you want your phone to seamlessly hand off to closer towers as you move. But this same greediness becomes a vulnerability when an attacker parks a high-power transmitter at street level in an urban canyon where legitimate tower signals are attenuated by concrete buildings.
The blaster broadcasts System Information Blocks (SIBs) that make the rogue cell appear irresistible—maximum priority values, manipulated hysteresis settings that prevent quick handoffs back to legitimate towers. Your phone sees a strong signal advertising what appears to be a valid network (correct Mobile Country Code, correct Mobile Network Code), and it connects.
The attack then follows a capture-and-release cycle:
- Capture: Your device detects the high-power rogue signal and initiates a connection request.
- Interaction: The blaster accepts the connection, triggers an Identity Request to harvest your IMSI, and injects fraudulent SMS messages.
- Release: The blaster sends a connection release with an error code (like “Roaming not allowed in this location area”), forcing your phone to search for other networks and reconnect to the legitimate carrier.
This cycle explains the scale Toronto Police reported: over 13 million network disruptions. Every capture-and-release creates a temporary service loss, and when you aggregate that across tens of thousands of devices over several months, the signaling footprint is massive.
The 2G Downgrade: Exploiting a 35-Year-Old Protocol Flaw
Here’s where it gets technically damning: modern 4G LTE and 5G networks implement mutual authentication, where both your handset and the network prove their identities via cryptographic challenges. But 2G GSM, finalized in the late 1980s, only requires your handset to authenticate to the network—the network never has to prove it’s legitimate to your phone.
SMS blasters exploit this asymmetry through forced protocol downgrade. The blaster might initially broadcast a 4G signal to attract devices, but it doesn’t actually support LTE data protocols. Instead, the 4G signal contains an RRC redirection command that points your handset toward a 2G frequency the blaster is also operating on.
Once your phone attempts to connect via 2G, the game is over. Your device has no way to verify the tower’s identity. If it’s broadcasting valid-looking network identifiers and has a strong signal, your phone assumes it’s legitimate.
But wait—even 2G has encryption standards like A5/1, right? Yes, but the protocol also supports A5/0: “null” encryption, meaning plaintext transmission. Under normal circumstances, A5/0 is rarely used. But an SMS blaster initiates a Ciphering Mode Command specifying A5/0, and because your phone can’t authenticate the network, it can’t verify whether disabling encryption is a legitimate request. It complies, opening a plaintext channel for message injection.
| GSM Cipher | Security Level | Blaster Usage |
|---|---|---|
| A5/0 | None (Plaintext) | Required for injection |
| A5/1 | High (for 2G) | Avoided—already cryptanalyzed |
| A5/2 | Low (Export Grade) | Broken, rarely used |
| A5/3 | Modern (KASUMI) | Not supported by blasters |
How SMS Injection Actually Works
When the blaster injects an SMS, it emulates the entire core network. At the protocol level, SMS delivery uses two sub-layers: the Connection Management layer (using CP-DATA, CP-ACK, and CP-ERROR messages) and the Relay Layer (using RP-DATA, RP-ACK, and RP-ERROR to relay the actual payload).
The blaster sends an RP-DATA message containing an SMS-DELIVER Protocol Data Unit. The critical detail: the sender field in this PDU is just an alphanumeric string. Because the blaster controls the connection, it can put anything it wants in that field—“CanadaPost,” “TD_Bank,” “CRA”—and your phone will display it as the sender, with no indication that the name was never verified. There’s no cross-referencing with a legitimate SMS Center.
This is also why carrier-side SMS firewalls are completely bypassed. Traditional spam filters operate at the carrier’s SMS Center or signaling gateways, looking for patterns of high-volume spam or malicious URLs. But the blaster’s signal never touches the carrier’s core network. The first time the carrier sees your device is when it reconnects to a legitimate tower after being released—showing a signaling anomaly, but with no record of the SMS that was just delivered.
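To make the point about the sender field concrete, here is an added Python example (not code from this post, from LATRO, Google or M3AAWG) that decodes an SMS-DELIVER TPDU as laid out in 3GPP TS 23.040 and reports what the handset would show as the sender. The TPDU fixtures, the “TD_Bank” label, the phone number and the timestamp are constructed; the decoder also handles numeric originating addresses, which the post does not discuss, to show that neither form is something the handset can check.

```python
"""Decode a GSM SMS-DELIVER TPDU (3GPP TS 23.040) and show that the sender
shown to the user (TP-Originating-Address, TP-OA) is an unauthenticated
label. Added example; the sample TPDUs below are constructed, not captures."""
import math

# GSM 7-bit default alphabet, basic table (3GPP TS 23.038): index == 7-bit code
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")


def gsm7_pack(text: str) -> bytes:
    """Pack basic-table characters into septets, least significant bit first."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= GSM7.index(ch) << nbits      # ValueError for chars outside the basic table
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def gsm7_unpack(data: bytes, septets: int) -> str:
    """Inverse of gsm7_pack; `septets` is the character count (TP-UDL, or derived from the TP-OA length)."""
    bits, nbits, chars = 0, 0, []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < septets:
            chars.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(chars)


def decode_sms_deliver(tpdu: bytes) -> dict:
    """Parse the fields a handset uses to render a mobile-terminated SMS."""
    if tpdu[0] & 0x03 != 0x00:                    # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len = tpdu[1]                              # useful semi-octets in TP-OA
    ton = (tpdu[2] >> 4) & 0x07                   # Type of Number from the TOA octet
    oa_bytes = (oa_len + 1) // 2
    oa_raw = tpdu[3:3 + oa_bytes]
    if ton == 0x5:                                # alphanumeric: 7-bit packed text
        sender = gsm7_unpack(oa_raw, (oa_len * 4) // 7)
    else:                                         # numeric: BCD digits, low nibble first
        digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in oa_raw)[:oa_len]
        sender = ("+" if ton == 0x1 else "") + digits
    pos = 3 + oa_bytes
    dcs = tpdu[pos + 1]                           # TP-PID at pos, TP-DCS at pos + 1
    udl = tpdu[pos + 9]                           # TP-UDL follows the 7-octet TP-SCTS
    ud = tpdu[pos + 10:]
    text = gsm7_unpack(ud, udl) if (dcs & 0x0C) == 0 else ud.hex()
    # Nothing in the TPDU binds `sender` to an SMSC or to a subscriber; it is just data.
    return {"sender": sender, "ton": ton, "text": text, "sender_is_free_text": ton == 0x5}


def build_sample_deliver(sender: str, text: str) -> bytes:
    """Constructed fixture: an SMS-DELIVER with an alphanumeric TP-OA (TOA 0xD0)."""
    oa = gsm7_pack(sender)
    oa_len = math.ceil(len(sender) * 7 / 4)       # semi-octets that actually carry data
    return (bytes([0x04, oa_len, 0xD0]) + oa      # 0x04: SMS-DELIVER with TP-MMS set
            + bytes([0x00, 0x00])                  # TP-PID, TP-DCS (7-bit default alphabet)
            + bytes.fromhex("52010121000000")      # TP-SCTS, a constructed timestamp
            + bytes([len(text)]) + gsm7_pack(text))


# Constructed numeric-sender fixture: international TP-OA "+14165550199", body "hello"
NUMERIC_SAMPLE = bytes.fromhex("040B914161550591F900005201012100000005E8329BFD06")


def handset_view(tpdu: bytes) -> str:
    """The line a notification would show, plus what kind of field produced the name."""
    f = decode_sms_deliver(tpdu)
    kind = ("alphanumeric label chosen by whoever built the TPDU" if f["sender_is_free_text"]
            else "numeric address, also not checked by the handset")
    return f"From: {f['sender']} [{kind}] :: {f['text']}"


if __name__ == "__main__":
    print(handset_view(build_sample_deliver("TD_Bank", "Constructed sample body")))
    print(handset_view(NUMERIC_SAMPLE))
```

The alphanumeric form is the one worth noticing: the handset unpacks seven-bit text straight out of the address field and prints it, so the label a user reads as the bank's name is no stronger evidence than the body of the message. On a carrier-delivered SMS the only things standing between that field and the screen are the SMSC and the carrier's SMS firewall, exactly the components a blaster never passes through.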
The 911 Problem: When Fraud Becomes a Safety Issue
Perhaps the most alarming aspect of Project Lighthouse was the public safety dimension. When your phone is connected to a blaster, it’s in a state of “pseudo-service”—it believes it’s on a legitimate tower, but that tower has no connection to the public telephone network.
If you try to call 911 while camped on a blaster, the call fails. Your phone must recognize the failure, drop the rogue connection, rescan the entire spectrum for a legitimate tower, and re-initiate the call. This process can take 30 to 90 seconds—potentially catastrophic in an emergency.
Toronto Police emphasized this “mischief to data” angle in the charges, and it’s likely why the investigation escalated as rapidly as it did. This isn’t just fraud; it’s a threat to life.
What You Can Actually Do About It
Defending against SMS blasters is challenging because the vulnerabilities are baked into legacy protocol design. But meaningful mitigations do exist.
Device-Level Defenses
The most effective current protection is in your hands if you’re running a modern Android device:
- Android 12+: Google introduced a toggle to disable 2G at the modem level entirely. This completely mitigates current SMS blasters—your device will refuse to downshift to the insecure legacy protocol. Find it in Settings → Network & Internet → SIMs → [your SIM] → Allow 2G.
- Android 14+: For users who need 2G voice connectivity (rural areas, emergency fallback), Android 14 introduced a more surgical option: disable null ciphers specifically. Even if your phone connects to a 2G tower, it will reject any instruction to use A5/0 mode. Since blasters require A5/0 to inject SMS without knowing your SIM’s secret key, this blocks the attack while maintaining basic 2G capability.
iOS users have fewer options—Apple hasn’t exposed equivalent controls to end users, though Lockdown Mode provides some hardening.
Enterprise Policy Recommendations
For organizations managing corporate devices in high-risk urban environments:
- Mandate 2G disabling via MDM policy on all Android 12+ devices.
- Sunset SMS-based MFA immediately. SMS authentication is no longer defensible where blasters are active. Transition to hardware tokens (FIDO2 keys) or app-based push authentication that doesn’t rely on the cellular control plane.
- Train employees on attack indicators: a sudden drop from 5G/LTE to 2G/EDGE followed immediately by a suspicious SMS with a link is the fingerprint of a blaster attack.
- Prioritize 5G SA carriers: 5G Standalone architecture implements the Subscription Concealed Identifier (SUCI), using public-key cryptography to encrypt your IMSI before it’s ever transmitted. Even a fake 5G base station can’t see device identities, making targeted or mass injection significantly harder.
Network-Side Detection
Mobile operators are beginning to deploy signaling analysis tools that look for blaster signatures:
- Identity Request spikes: An unusual concentration of Identity Requests in a small geographic area indicates a device harvesting IMSIs.
- Neighbor list anomalies: Legitimate towers broadcast lists of other authorized nearby towers. Rogue stations often broadcast empty or static neighbor lists that don’t change as they move.
- Radio environment fingerprinting: Measurement reports from handsets can identify towers that don’t belong in the known “radio map” of a city.
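As an added example (not from this post and not any operator's tooling), the Python below runs those three checks over constructed signaling records: a per-cell sliding-window count of Identity Requests, neighbor-list checks taken from SIB broadcasts, and a lookup against a constructed radio map. Cell IDs, timestamps and thresholds are all made up. The “static neighbor list while the station moves” indicator needs location-tagged reports that these records do not carry, so the example flags empty neighbor lists and lists that name no known cell instead.

```python
"""Toy detector for rogue base station indicators in signaling data:
Identity Request spikes, empty or implausible neighbor lists, and cells missing
from the radio map. Added example; log lines and radio map are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed radio map: the cells an operator expects to see in this area
KNOWN_CELLS = {"C101", "C102", "C103"}

# Constructed records: "<iso timestamp> cell=<id> event=<type> [neighbors=a,b]".
# C999 is the planted rogue: no neighbors, unknown to the map, burst of Identity Requests.
SAMPLE_LOG = """\
2025-06-01T12:00:05 cell=C101 event=SIB neighbors=C102,C103
2025-06-01T12:00:10 cell=C101 event=IDENTITY_REQUEST
2025-06-01T12:00:30 cell=C102 event=SIB neighbors=C101,C103
2025-06-01T12:02:00 cell=C101 event=IDENTITY_REQUEST
2025-06-01T12:04:15 cell=C101 event=IDENTITY_REQUEST
2025-06-01T12:05:00 cell=C999 event=SIB neighbors=
""" + "".join(f"2025-06-01T12:05:{s:02d} cell=C999 event=IDENTITY_REQUEST\n"
              for s in range(10, 34, 2))          # 12 requests inside 22 seconds


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' record."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["neighbors"] = tuple(n for n in rec.get("neighbors", "").split(",") if n)
    return rec


def identity_request_spikes(events, window_s=300, threshold=10) -> dict:
    """Cells whose Identity Requests exceed `threshold` inside any `window_s` window."""
    per_cell = defaultdict(list)
    for e in events:
        if e["event"] == "IDENTITY_REQUEST":
            per_cell[e["cell"]].append(e["ts"])
    flagged = {}
    for cell, times in per_cell.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):             # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, i - start + 1)
        if peak > threshold:
            flagged[cell] = peak
    return flagged


def neighbor_list_anomalies(events, known_cells) -> dict:
    """Cells broadcasting no neighbors, or neighbors that are not in the radio map."""
    flagged = {}
    for e in events:
        if e["event"] != "SIB":
            continue
        if not e["neighbors"]:
            flagged[e["cell"]] = "empty neighbor list"
        elif not set(e["neighbors"]) & known_cells:
            flagged[e["cell"]] = "neighbor list names no known cell"
    return flagged


def unknown_cells(events, known_cells) -> set:
    """Cell identities seen on air that the radio map does not contain."""
    return {e["cell"] for e in events} - known_cells


def assess(log_text: str, known_cells, window_s=300, threshold=10) -> dict:
    """Combine the three indicators into per-cell findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = defaultdict(list)
    for cell, n in identity_request_spikes(events, window_s, threshold).items():
        findings[cell].append(f"identity request spike: {n} in {window_s} s")
    for cell, reason in neighbor_list_anomalies(events, known_cells).items():
        findings[cell].append(reason)
    for cell in unknown_cells(events, known_cells):
        findings[cell].append("cell not in radio map")
    return dict(findings)


if __name__ == "__main__":
    for cell, reasons in assess(SAMPLE_LOG, KNOWN_CELLS).items():
        print(cell, "->", "; ".join(reasons))
```

Any one of these indicators on its own is noisy (a new legitimate site, a misconfigured neighbor list, a stadium emptying out), so the useful signal is the coincidence of several on the same cell identity inside a short window. Real deployments would also feed handset measurement reports and the capture-and-release reconnect pattern the post describes into the same scoring.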
The Bigger Picture
The Toronto arrests are a law enforcement victory, but they’re also a warning sign. The equipment to hijack the cellular air interface has moved from nation-state intelligence agencies to local criminal syndicates. The suspects in Project Lighthouse were males aged 21-27—not sophisticated state actors, just people who figured out that decades-old protocol weaknesses plus cheap SDR hardware plus open-source software equals a very effective attack platform.
The real fix is the eventual deprecation of 2G networks entirely and full migration to 5G Standalone with SUCI support. Until then, we’re playing defense against an attack surface that’s been known since the 1990s but was considered acceptable risk when the only actors who could exploit it had three-letter agency budgets.
That calculation no longer holds.
The technical details in this post are drawn from the Toronto Police press release, LATRO’s SMS blaster research, Google’s Android security documentation, and the M3AAWG SMS Blaster Engagement Series. If you’re responsible for mobile security in your organization, those resources are particularly worth reading.