by m0dest 4236 days ago
I understand that you can sniff IMSI without being a recognized carrier. But to actually get a cell phone to join your tower – don't you need the carrier's keys to be able to authenticate during the tower handshake? (iOS 5+ warns about unencrypted tower connections, so presumably these have to be authenticated UMTS?)

If so, should we expect that the carriers surrendered their keys to law enforcement to allow them to run fake cell towers that authentically emulate their networks?

1 comment

That's how IMSI catchers work: your phone joins their network. The network determines the level of encryption, if any. And last I remember there were basically no handsets out there that would even report missing encryption, so I'm not too sure on the iOS 5+ part, but unless you are staring at your screen all the time you would probably miss any such warning anyway.

(Not to mention that A5/1 is broken, but since Stingrays have been around forever and companies don't like investing in something that's not broken, I don't think they even do that. Certainly not at 9k bucks.)