Ax, the way I understand it is that, first of all, there are all kinds of loopholes due to the required interoperability with 2G networks, and secondly, you could still do a "man-in-the-middle" attack and just use the authentication replies from the base station. You can easily find "a DIY IMSI catcher for $300" tutorials on the internet.
Or, for that matter, you could just listen passively to the cellular traffic. Yes, it's encrypted, but so is https.