IMSI Catchers for Dummies, like me

[Caruthers612]

   This is a thread in which I hope people with real technical understanding of IMSI catchers will be able to answer my questions so as to deepen my understanding of this technology. I have questions both about how it works and what can hopefully be done about it. Let me start with what I know, or think I do.

   I know that an IMSI catcher is a fake cellular tower, which uses a man in the middle strategy to insert itself between your mobile phone and the real cell tower. I know that the IMSI catcher exploits a hole in the GSM spec which requires the mobile device to authenticate to the network, but not vice versa, thus allowing the IMSI catcher to masquerade as the real mobile tower. I also know that mobile devices are required to optimize reception, or seek the strongest signal, thus allowing the IMSI catcher to become the preferred base station through greater signal strength., it forces mobile phones in its vicinity to log into it instead of the real cell tower. The IMSI catcher then sends a signal to your mobile devices SIM card that forces it to send the IMSI.

   Now, this is the point at which my questions begin, and because I have several, I'd like to take them one at a time to avoid confusion. The first question concerns what happens next in the above sequence of events, namely that the IMSI catcher, because the base station chooses the encryption mode, forces your mobile phone to send data unencrypted. I want to understand this process better, namely how, inside your phone, this is accomplished. Is it a hardware process entirely? Meaning does it bypass your mobile OS and any security or VPN software you have running? If you have NordVPN, let's say, running on your phone, which encrypts your data, how does the signal from the IMSI catcher defeat this and force your phone to send unencrypted data?