You can force a phone into 2G handshaking, that's how stingrays work.

Okay, thanks for the explanation.

Meanwhile, setting my Samsung Galaxy S9 to no-2G gives me a warning message that cannot be dismissed: "This setting turns off 2G service. If 2G service is off, some app..." (the remainder can't be viewed).

> (the remainder can't be viewed).

Sounds like terrific UI design

Samsung takes something that works. Then goes out of their way to make it worse.

Especially given that you can't even expand the message to read all of its intended contents.

Maybe it saves a few milliseconds of battery life every charge.

Also like their QA team is slacking, if they have one.

> if they have one

I believe they have a single QA person who is paid minimum wage and whose desk is in a broom closet somewhere, judging from my own experiences...

Sadly just because you have a QA department doesn't mean much. Your investment is only as good as the people you invest in (at least in this case). "Oh I sit around all day using a phone?"

Rotate.

I could imagine that they'll eventually receive a firmware update allowing them to have conduct more modern modes of operation. That said, given that the target network also has 2G besides 3g; it can be configured in a "compatible" mode; one that can and is being exploited in the wild. 3g only networks are not suceptible to that particular type of attack. However, a similair scenario also exists for 3g/4g networks. TL;DR Locking your baseband to the most modern technology decreases the odds for being intercepted/stung but certainly does not guarantee any safety.

Stingrays already work with 4g. And 5g has many of the same flaws, likely on purpose. We can only hope common criminals will start massively exploiting them if we want real change to happen.

What flaws are there, exactly? Missing mutual authentication are the main cause for 2G's security issues. There are no trivial MitM attacks on 3G and 4G - besides denial of service that may result in downgrades. There are location and identity leaks, but that's user tracking at best. Not to compare with 2G.

What am I missing here?

There is no problem for a stasi wannabe to use legal process to extort the base station credentials from the phone company. There should be defences against carrier assisted MITM, like signed NONCEs and per-carrier station public key registers with accountable station data (location, station photos, etc)

If you question lawful interception, then your problem is not the technical standard that allows it, but your have a problem with society and the laws it implements.

There are good reasons to have security endpoints in the core network instead of the base stations. But it doesn't affect lawful interception at all.

They can jam the other frequencies so that they aren't available.