See:

"GSM Interception"
by Lauri Pesonen
Department of Computer Science and Engineering
Helsinki University of Technology
<http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/Netsec/n
etsec.html>:

  Abstract

  The GSM standard was designed to be a secure mobile phone system with
  strong subscriber authentication and over-the-air transmission
  encryption. The security model and algorithms were developed in
  secrecy and were never published. Eventually some of the algorithms
  and specifications have leaked out. The algorithms have been studied
  since and critical errors have been found. Thus, after a closer look
  at the GSM standard, one can see that the security model is not all
  that good. An attacker can go through the security model or even
  around it, and attack other parts of a GSM network, instead of the
  actual phone call. Although the GSM standard was supposed to prevent
  phone cloning and over-the-air eavesdropping, both of these are
  possible with little additional work compared to the analog mobile
  phone systems and can be implemented through various attacks. One
  should not send anything confidential over a GSM network without
  additional encryption if the data is supposed to stay confidential.

  [MORE]

"Real-Time Cryptanalysis of GSM's A5/1 on a PC"
by Alex Biryukov and Adi Shamir
December 9, 1999:
http://cryptome.org/a5.ps (Postscript, 292K)

  Abstract:

  A5/1 is the strong version of the encryption algorithm used by about
  100 million GSM customers in Europe to protect the over-the-air
  privacy of their cellular voice and data communication. The best
  published attacks against it require between 2^40 and 2^45 steps.
  This level of security makes it vulnerable to hardware-based attacks
  by large organizations, but not to software-based attacks on multiple
  targets by hackers.

  In this paper we describe a new attack on A5/1, which is based on
  subtle flaws in the tap structure of the registers, their
  noninvertible clocking mechanism, and their frequent resets. The
  attack can find the key in less than a second on a single PC with 128
  MB RAM and two 73 GB hard disks, by analysing the output of the A5/1
  algorithm in the first two minutes of the conversation. The attack
  requires a one time parallelizable data preparation stage whose
  complexity can be traded-off between 2^37 and 2^48 steps. The attack
  was verified with an actual implementation, except for the
  preprocessing stage which was extensively sampled rather than
  completely executed.

  Remark: The attack is based on the unofficial description of the A5/1
  algorithm at http://www.scard.org. Discrepancies between this
  description and the real algorithm may affect the validity or
  performance of our attack.  

  [MORE]

Cellular Interceptor
GSM Digital / Analog
Cellular Phone Interception System
GSM Monitoring, Listening and Recording Digital / Analog Interceptor
<http://accelerated-promotions.com/consumer-electronics/cellular-interception.htm>

GCOM Technologies
   GSM, cellphone, computer, and fax interception and monitoring equipment
(the GSM interception unit features real-time, off-air interception of up to
1000 voice/data/fax transmissions, traffic targetting and screening, and call
tracking, all with a friendly Windows interface).

GSM Monitoring - GSTA-1400
   Complete GSM monitoring/interception system with call and target tracking
and location features.

Google search for "IMSI Catcher"
(Most results will require translation.)