However please note that Neo900 has NO way the GSM/UMTS stack can inject ANY commands into the main system. Our modem is sandboxed and we even do more than this, we have surveillance for the sandbox, detecting every little move the modem does, then decide if it's concerning or expected. Worst case we shoot complete modem down when it misbehaves. In that regard we're even better than cryptophone used for the IMSI-catcher "firewall" liked to in above post.
Regarding masquerading an IMSI-catcher as regular BTS (incl Cell_ID and all): _can_ be done, but begs for trouble, so usually they don't do it aiui. /j