by dublinben 3522 days ago
IMSI catchers (like Stingray) are not fully passive devices. They have an operation mode where they broadcast a signal that appears to come from a legitimate cell phone tower. This captures traffic from all devices within range, targeted or not. This is why they are often called "cell site simulators" because that accurately describes how they are often used. For more information, check out this EFF page.

https://www.eff.org/sls/tech/cell-site-simulators

1 comment

...but how? Comments above imply that 3G and 4G are protected with strong encryption/authentication. How is a Stingray capturing metadata from calls and SMS?
I was under the impression that Hailstorms either have valid cell tower certificates (dunno if wireless carriers are complicit) or they exploit the vast quantity of modem firmware bugs.

http://www.ee.columbia.edu/~roger/ShmooCon_talk_final_011620...