ToRPEDO Attack
Location Verification, DoS, Inject Fake Alerts
Short for "TRacking via Paging mEssage DistributiOn," TorPEDO is the most concerning attack that leverages paging protocol, allowing remote attackers to verify a victim device’s location, inject fabricated paging messages, and mount denial-of-service (DoS) attacks.
When a device is not actively communicating with the cellular network, it enters an idle mode, sort of a low-energy mode that saves device battery power.
So, when you receive a phone call or an SMS message while your device is in the ideal mode, the cellular network first sends a paging message to notify the device of the incoming call or text.
It should be noted that paging messages also include a value called "Temporary Mobile Subscriber Identity" (TMSI) of the device that doesn't change frequently.
However, researchers find that if an attacker starts and then immediately cancels calls several times in a short period, the base station update TMSI value very frequently while sending the paging messages.
Therefore, an attacker sniffing the paging messages, through devices like Stingrays, can verify if a targeted cellular user is within a range of the interception or not.
"If the attacker is aware of the victim’s often-visited locations, then the attacker can set up sniffers on those locations to create the victim’s cell-level mobility profile," the researchers said.
The ToRPEDO attack impacts both 4G as well as the current version of 5G LTE protocol, and the researchers said they verified ToRPEDO against 3 Canadian service providers and all the US service providers.
Once with the knowledge of the victim’s paging occasion from ToRPEDO attack, the attackers can also hijack the paging channel, enabling them to send fabricated emergency messages, mount a denial-of-service attack by injecting fabricated, empty paging messages, and thus blocking the victim from receiving any pending services.