To expand the previous post, the methods of locating an individual phone have various levels of speed and accuracy. The fastest one would be via an SS7 (the control and routing infrastructure between phone networks) request asking for the current subscriber information - which will contain the last known cell tower which a phone was associated with. It used to be possible to get this information about anyone from any other network; they started implementing firewall rules to block strange requests from outside their network after this came to light.
To confirm the current cell tower, that’s what the silent SMS (also known as type 0 SMS) is used for - the GSM specifications require a phone or other piece of user equipment to reply saying “yes, I received this” and to not tell the user.
To get a continuous fix, the so-called empty paging or silent call is used. That’s where something on the network tells your phone “I’m setting up a channel, expect a call”, but then doesn’t actually set up a call or transfer data. When your phone’s in this state, it’s constantly sending “hello network, I’m still here, I can take that call now” messages. These can then be used to locate your position with radio direction finding hardware.
Finally, there’s something called “radio resource location protocol” (RRLP), which is the network telling your phone “give me your current co-ordinates”. The response can take many forms (see https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=53851 for the gory impenetrable details), but it uses either GPS or the time difference between the arrival of messages broadcast from different cells. This is also done without any kind of user interaction, and is why I was worried about whether the modem would have a direct link to the GPS chip (a UART is present in some modems for directly providing AGPS data and also for this purpose).
The only way of reliably detecting these tracking attacks is to have access to the raw data right after demodulation and decryption (if applicable, for instance broadcast traffic isn’t encrypted) - you need the control traffic to identify empty pagings, abnormalities in the encryption procedure and “base stations” with a suspiciously high reselection offset.
It was discovered that you can get “monitor mode” on pretty much all Qualcomm modems, and there’s a piece of Android software called SnoopSnitch (https://opensource.srlabs.de/projects/snoopsnitch) which uses this to detect IMSI catchers and some tracking attempts. It used to be possible to activate monitor mode on Infineon (now Intel) modems (https://github.com/darshakframework/darshak/), but I was unable to achieve this from my admittedly crude method of trying to figure out how the debug AT commands worked on a newer modem (XMM7260, in an Asus Zenfone 2).
Sticking a QC-based modem in the phone would give us access to said monitor mode, but I’m almost certain that both they and Intel have signed firmware images, which rules out the future prospect of one day writing our own baseband code (for instance, by porting Osmocom and srsLTE). Mediatek modem firmware is odd - while it does have a “signature”, that signature is only over the header (https://comsecuris.com/blog/posts/path_of_least_resistance/) and the entire firmware image can theoretically be modified at will. Whether this is intentional or not (and therefore will remain modifiable in future) is unknown. Samsung’s modem firmware is now properly encrypted (https://comsecuris.com/blog/posts/shannon/), but I don’t think they sell standalone modems which aren’t built into an Exynos CPU anyway. I have no idea what Huawei’s homegrown modems (a.k.a. HiSilicon devices) are like. I don’t know of any other current cellular baseband manufacturers.
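The post says detection needs the control traffic after demodulation so that empty pagings, ciphering abnormalities and cells with a suspiciously high reselection offset can be spotted. The following is an added example (not from the post, nor SnoopSnitch's or darshak's code) showing what those heuristics look like once a monitor-mode dump has been reduced to a list of decoded Layer-3 events. The event format, the message names, the `cro` threshold and the sample trace are all assumptions constructed for this example; the one standard value used is TP-PID 0x40, which 3GPP TS 23.040 assigns to "Short Message Type 0", the silent SMS described above.

```python
"""Heuristic checks over a constructed baseband control trace (added example).

Event format is an assumption: one dict per decoded Layer-3 message with a
timestamp "t" and a simplified message name "type".
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Mobile-side messages that justify holding a dedicated channel (assumed names).
TRANSACTION_MSGS = {"CM_SERVICE_REQ", "SETUP", "LOC_UPD_REQ", "SMS_DELIVER"}

# Cell reselection offset as broadcast in SI3/SI4 (2 dB units, 0..63).
# 30 (i.e. 60 dB) is an assumed alert threshold, not a standard constant.
CRO_THRESHOLD = 30

# TP-Protocol-Identifier value for "Short Message Type 0" (3GPP TS 23.040).
SMS_TYPE0_PID = 0x40


@dataclass
class Finding:
    t: float       # seconds into the trace
    kind: str      # heuristic name
    detail: str


@dataclass
class Connection:
    start: float
    cell: int
    algo: str = ""                 # "" until a CIPHER MODE COMMAND is seen
    saw_transaction: bool = False


def analyse(events: Iterable[dict]) -> List[Finding]:
    """Walk the trace once, tracking the current dedicated connection."""
    findings: List[Finding] = []
    conn: Optional[Connection] = None
    for ev in events:
        t, typ = ev["t"], ev["type"]
        if typ == "SYSINFO":
            # A cell advertising an unusually large reselection offset is
            # pulling phones onto itself.
            if ev.get("cro", 0) > CRO_THRESHOLD:
                findings.append(Finding(t, "high_reselect_offset",
                                        f"cell {ev['cell']} cro={ev['cro']}"))
        elif typ == "IMM_ASSIGN":
            conn = Connection(t, ev["cell"])
        elif conn is None:
            continue  # idle-mode message this example does not model
        elif typ == "CIPHER_MODE_CMD":
            conn.algo = ev["algo"]
            # The network explicitly chose no encryption.
            if conn.algo == "A5/0":
                findings.append(Finding(t, "no_ciphering", f"cell {conn.cell}"))
        elif typ in TRANSACTION_MSGS:
            conn.saw_transaction = True
            # Signalling carried before any cipher command at all.
            if conn.algo == "":
                findings.append(Finding(t, "no_cipher_command",
                                        f"{typ} on cell {conn.cell}"))
            # Type 0 SMS: the phone acknowledges it and shows nothing.
            if typ == "SMS_DELIVER" and ev.get("tp_pid") == SMS_TYPE0_PID:
                findings.append(Finding(t, "silent_sms", f"cell {conn.cell}"))
        elif typ == "CHAN_RELEASE":
            # Channel assigned and released with nothing carried on it.
            if not conn.saw_transaction:
                findings.append(Finding(t, "empty_paging",
                                        f"cell {conn.cell} held {t - conn.start:.1f}s"))
            conn = None
    return findings


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per heuristic."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample trace (not captured data).
SAMPLE_TRACE = [
    {"t": 0.0, "type": "SYSINFO", "cell": 1001, "cro": 4},
    # Normal mobile-terminated call: ciphered, carries a SETUP.
    {"t": 1.0, "type": "IMM_ASSIGN", "cell": 1001},
    {"t": 1.2, "type": "CIPHER_MODE_CMD", "algo": "A5/3"},
    {"t": 1.4, "type": "SETUP"},
    {"t": 30.0, "type": "CHAN_RELEASE"},
    # Empty paging: channel assigned, then released with no transaction.
    {"t": 40.0, "type": "IMM_ASSIGN", "cell": 1001},
    {"t": 43.5, "type": "CHAN_RELEASE"},
    # Unciphered connection delivering a type 0 SMS.
    {"t": 50.0, "type": "IMM_ASSIGN", "cell": 2002},
    {"t": 50.2, "type": "CIPHER_MODE_CMD", "algo": "A5/0"},
    {"t": 50.4, "type": "SMS_DELIVER", "tp_pid": 0x40},
    {"t": 51.0, "type": "CHAN_RELEASE"},
    # Location update with no cipher command at all.
    {"t": 60.0, "type": "IMM_ASSIGN", "cell": 2002},
    {"t": 60.2, "type": "LOC_UPD_REQ"},
    {"t": 61.0, "type": "CHAN_RELEASE"},
    # Cell 2002 broadcasts a very large reselection offset.
    {"t": 62.0, "type": "SYSINFO", "cell": 2002, "cro": 50},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_TRACE):
        print(f"{f.t:6.1f}s  {f.kind:<22} {f.detail}")
    print(summarise(analyse(SAMPLE_TRACE)))
```

Each heuristic alone produces false positives (some networks genuinely run A5/0, and a paging can be abandoned for benign reasons), which is why tools of this kind score several indicators together rather than alerting on one event; the point of the example is that none of these signals exist once the modem has reduced the connection to "call" or "SMS", so they have to be read from the control plane itself.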