There's a wide variety of attack methods, however most usually fall into one of 2 types:
1. Active interception. The IMSI catcher is actively transmitting data to the victim device and forcing it to connect, appearing to be a normal cell tower. These are the most common and can usually get a very accurate location. Because 4G and earlier don't require the tower to authenticate to the device, only the device to the tower, there really isn't any vulnerability required to do this. They use different tricks to entice the victim to connect or update its location (e.g. falsely inflating its signal strength, appearing to be the only tower in a location, increasing the frequency of location updates). Some of these techniques are mentioned in the "Warnings" section of another article describing our Radio Sentinel app: https://armadillophone.com/blog/radio-sentinel
2. Passive interception. The IMSI catcher doesn't transmit any data, or transmits very little data. It's able to gather data and location from the victim using unencrypted data sent over the control plane. These generally aren't able to extract as much data, or as accurately as active interception, but they're much harder to detect. Usually they aren't able to extract the device's IMSI for example. However, there was a recent paper describing a passive IMSI catcher that was both extremely hard to detect and great at tracking victims: https://www.usenix.org/system/files/sec22summer_kotuliak.pdf
If you'd like a more technical description about the techniques described I'd be happy to jump into that too.
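As an added example (not part of the post above and not the Radio Sentinel app's code), here is a small heuristic detector for the three active-interception tricks listed in the answer: a cell that suddenly appears with a much stronger signal than its predecessor, a cell that advertises no neighbours so it looks like the only tower, and a cell that pushes a very short periodic update timer to force frequent location updates. The observation records, the list of known cells and the thresholds (20 dB jump, 10-minute timer) are all constructed assumptions for illustration; the only fact taken from outside the post is that LTE's default periodic tracking-area-update timer is 54 minutes, so anything in the low minutes is unusual.

```python
"""Heuristic checks for active IMSI-catcher tricks over a log of serving-cell
observations. Example code: the records below are hand-constructed, not a real
capture, and every threshold is an assumption for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CellObs:
    t: int           # seconds since the start of the log
    plmn: str        # MCC+MNC the cell broadcasts, e.g. "26201"
    tac: int         # tracking area code (LAC on 2G/3G)
    cell_id: int     # serving cell identity
    rsrp_dbm: int    # measured serving-cell power, dBm
    t3412_s: int     # periodic update timer the cell advertises, seconds
    neighbours: int  # neighbour cells listed in the cell's system information


HOME_PLMN = "26201"   # assumption: the subscriber's home network
RSRP_JUMP_DB = 20     # assumption: a stationary phone should not see a 20 dB jump on reselection
MIN_T3412_S = 600     # assumption: timers under 10 min are suspicious (LTE default is 54 min)

CellIdent = Tuple[str, int, int]  # (plmn, tac, cell_id)


def detect_active_catcher(log: Iterable[CellObs], known: Set[CellIdent]) -> List[str]:
    """Return one finding string per suspicious observation/indicator."""
    findings: List[str] = []
    prev = None
    for o in log:
        ident: CellIdent = (o.plmn, o.tac, o.cell_id)
        if ident not in known:
            findings.append(f"t={o.t}: unknown cell {ident}")
        if o.plmn != HOME_PLMN:
            findings.append(f"t={o.t}: serving PLMN {o.plmn} is not the home PLMN")
        if o.neighbours == 0:
            # 'only tower in the area' trick: no neighbours means nothing to reselect to
            findings.append(f"t={o.t}: cell {o.cell_id} advertises no neighbours (only-tower trick)")
        if o.t3412_s < MIN_T3412_S:
            # forces the phone to re-identify itself to the network far more often than normal
            findings.append(f"t={o.t}: periodic update timer {o.t3412_s}s forces frequent location updates")
        if prev is not None:
            jump = o.rsrp_dbm - prev.rsrp_dbm
            if o.cell_id != prev.cell_id and jump >= RSRP_JUMP_DB:
                # reselection driven by a cell that is suddenly far stronger than anything before it
                findings.append(f"t={o.t}: reselected to {o.cell_id} after {jump} dB jump (inflated signal)")
            if o.cell_id == prev.cell_id and o.tac != prev.tac:
                # a genuine cell does not change its tracking area; a changed TAC triggers an update
                findings.append(f"t={o.t}: cell {o.cell_id} changed TAC {prev.tac}->{o.tac}")
        prev = o
    return findings


# Constructed sample log: three normal observations, then a cell that shows every indicator.
SAMPLE_LOG = [
    CellObs(0,   "26201", 4101, 13001, -95, 3240, 6),
    CellObs(60,  "26201", 4101, 13001, -96, 3240, 6),
    CellObs(120, "26201", 4101, 13002, -98, 3240, 5),   # ordinary reselection to a known cell
    CellObs(180, "26201", 4102, 99001, -60, 120, 0),    # unknown, 38 dB stronger, no neighbours, 2 min timer
    CellObs(240, "26201", 4102, 99001, -61, 120, 0),
]
KNOWN_CELLS: Set[CellIdent] = {("26201", 4101, 13001), ("26201", 4101, 13002)}

if __name__ == "__main__":
    for line in detect_active_catcher(SAMPLE_LOG, KNOWN_CELLS):
        print(line)
```

The known-cell set is the part a real tool has to earn: it would be built from the phone's own history of cells seen at a location, so that a never-before-seen cell at a familiar place is the anomaly rather than the norm. None of these checks is conclusive on its own (a real network can legitimately have a cell with few neighbours, or a short timer near a border), which is why the function reports every indicator separately rather than a single verdict.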