You'd be surprised what putting your phone in listening mode and changing around a few numbers can get you. The SMS paging channel is really cool, and you can turn your phone into a sort of StingRay from Harris Corporation.
More so, a lot of this stuff is from the phreaking scene, which is not dead, but very much different than its Mitnick heyday with the Oki900 and the late 00s with ESN/MEID fun.
Most of the phreaking scene nowadays involves "ROM" hacking vs. the actual modem of the phone, or unlocking, or probing into the cell phone's firmware to grab the 16-byte key that would unlock the modem for you to play with and do everything from modifying the Bluetooth serial address to increasing TX power, or more.
That sounds like it's mostly just client-side attacks to get client-side effects (essentially, bypassing the DRM of the baseband). Is there any modern phreaking that involves tower/node-side attacks, with the goal of achieving the same sorts of effects as classical phreaking (e.g. "free cell data")?
At first it looks unreachable, then you see many ways to get there...
Another way is mobile radio side signaling manipulation (NAS mostly)
(one to receive and another to broadcast)
I’ve looked at such captures before and been kinda lost, the explanation is really great here.
What you should be more concerned about, with this toolset, is that anyone can fetch the data around them using an off-the-shelf phone, within proximity of ONE tower or whatever passes your cell phone. (Bigger antenna, bigger gain = bigger net.)
Now, what's curious is, if you research GSM, the SMS paging channel or else, a lot of this stuff is cleartext, but you'd need something good to parse the information and isolate it per phone. This was with QCAT.
Back in the day of CDMA2000/3G, you could see whom the tower was trying to reach, which nearest handset was communicating with the tower, and the to/from numbers of text messages.
What's fun is determining whom these numbers belonged to.
tl;dr you can do a very low-range StingRay.
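To make the "parse the information and isolate it per phone" step concrete for the GSM case mentioned above, here is an added example (not code from the thread, from QCAT, or from any poster) that decodes the cleartext Paging Request Type 1 message broadcast on the paging channel and tallies which mobile identities the network is paging. The octet layout follows 3GPP TS 44.018 section 9.1.22 (message) and 3GPP TS 24.008 section 10.5.1.4 (Mobile Identity IE) as I recall them; the three sample frames are constructed for the example, not captured from any network, and the TMSI/IMSI values in them are placeholders.

```python
"""Decode GSM Paging Request Type 1 frames and count pages per mobile identity.

Added example for the thread above, not code from the original post or from
QCAT.  Layout per 3GPP TS 44.018 9.1.22 and TS 24.008 10.5.1.4 (from memory);
the sample frames below are constructed, not captured.
"""
from __future__ import annotations

from collections import Counter

PD_RR = 0x06             # protocol discriminator: Radio Resource management
MT_PAGING_REQ_1 = 0x21   # message type: Paging Request Type 1
IEI_MOBILE_ID_2 = 0x17   # optional second Mobile Identity (TLV)
ID_TYPE = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie: bytes) -> tuple[str, str]:
    """Decode the value part of a Mobile Identity IE (length octet stripped).

    Octet 3: bits 1-3 type of identity, bit 4 odd/even digit count,
    bits 5-8 first BCD digit (or 1111 for TMSI).  Remaining octets carry
    two BCD digits each, low nibble first; TMSI is 4 binary octets.
    """
    if not ie:
        return ("none", "")
    kind = ID_TYPE.get(ie[0] & 0x07, "reserved")
    if kind == "TMSI":
        return ("TMSI", ie[1:5].hex())
    if kind in ("IMSI", "IMEI", "IMEISV"):
        odd = bool(ie[0] & 0x08)
        digits = [str(ie[0] >> 4)]
        for b in ie[1:]:
            digits.append(str(b & 0x0F))
            digits.append(str(b >> 4))
        if not odd:
            digits.pop()   # even digit count: last high nibble is 1111 filler
        return (kind, "".join(digits))
    return (kind, ie.hex())


def decode_paging_request_1(frame: bytes) -> list[tuple[str, str]]:
    """Return the identities paged by one Paging Request Type 1 message.

    Layout: PD/skip | msg type | page mode + channels needed |
            Mobile Identity 1 (LV) | [Mobile Identity 2 (TLV 0x17)] | rest octets
    The rest octets (0x2B padding in the samples) are not interpreted here;
    a rest-octet byte equal to 0x17 would be misread as a second identity,
    which a full decoder would rule out by tracking the L2 pseudo length.
    """
    if len(frame) < 4 or (frame[0] & 0x0F) != PD_RR or frame[1] != MT_PAGING_REQ_1:
        raise ValueError("not a Paging Request Type 1 message")
    ids = []
    pos = 3
    l1 = frame[pos]
    ids.append(decode_mobile_identity(frame[pos + 1:pos + 1 + l1]))
    pos += 1 + l1
    if pos + 1 < len(frame) and frame[pos] == IEI_MOBILE_ID_2:
        l2 = frame[pos + 1]
        ids.append(decode_mobile_identity(frame[pos + 2:pos + 2 + l2]))
    return ids


def page_counts(frames) -> Counter:
    """Tally how often each (type, identity) pair is paged across frames."""
    counts: Counter = Counter()
    for frame in frames:
        for ident in decode_paging_request_1(frame):
            counts[ident] += 1
    return counts


# Constructed sample frames (placeholder identities, not real captures):
SAMPLE_FRAMES = [
    # one TMSI 11223344, then 0x2B padding rest octets
    bytes.fromhex("06 21 00 05 f4 11 22 33 44 2b 2b 2b"),
    # two TMSIs: 11223344 and 55667788 (second via TLV with IEI 0x17)
    bytes.fromhex("06 21 00 05 f4 11 22 33 44 17 05 f4 55 66 77 88 2b"),
    # one IMSI 001010123456789 (15 digits, odd -> no filler nibble)
    bytes.fromhex("06 21 00 08 09 10 10 10 32 54 76 98 2b 2b"),
]

if __name__ == "__main__":
    for ident, n in page_counts(SAMPLE_FRAMES).most_common():
        print(f"{ident[0]} {ident[1]}: paged {n} time(s)")
```

Counting pages per identity is what turns a raw channel dump into the "who is the tower trying to reach" view described above; the same tally, extended with per-identity timestamps, is how one would see a TMSI reallocation or a handset that is paged repeatedly without answering.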
Then there is the interpretation of the collected packets. That's a whole other art/science. Probably limitless.
Now, I wonder what the cheapest rootable Qualcomm-based phone I can get off eBay is?