Cell phones have SIM cards with an ID and a secret key. Cell service providers have a database of these SIM associations. Cell phones encrypt IP packets in their entirety with the symmetric key and send it as the payload of some cell protocol packet that might expose my ID, if anything. Assuming the cell provider is secure and not on the dark side, this is the safest part of my packet's trip.
I don't understand how a cell-site simulator could see what websites I visit, much less the messages I send, without knowing my key. And it's not like one could trick my phone into thinking it's the actual cell site, because it won't be able to respond to my transmission with a message that my key can decrypt.
What the heck am I missing?
FBI: "Hey, cellular provider, give us the secret key and ID for X."
Provider: "Sure thing, just one moment." ... "Here you go."
---
Or, if your provider has a bit of a spine:
FBI: "Hey, cellular provider, give us the secret key and ID for X."
Provider: "Got a warrant?"
FBI: "No problem, give us a half hour to call our go-to judge." / "No, but here's an NSL."
2G ruins everything. It is effectively wide-open now and handsets will connect to the strongest connection. This is one of the oldest problems in cryptography. It doesn't matter how great the latest and greatest is so long as the old broken standard is still widely used and supported.
Until you can purchase a phone that is not compatible with 2G, you will always be at risk of fallback attacks.
It works sort of like what you are describing in 3G and 4G networks.
So to answer your question: You are missing phones that don't work on 2G (unless there is a function to disable it in a user-unfriendly engineering menu).
These devices do not necessarily have insight into the contents of your communications; their main feature is that they can uniquely identify and locate a phone.