Well, in an infinite universe anything is possible, and I do not doubt that the UMTS signaling stack is perfect: far from it. There might well be bugs that allow some undocumented functionality to emerge. However, there is no possible legal state transition that could lead to this kind of action. The only way I can see for this to happen would be if the attacker could inject malicious code into the target UE and get it running; imagine, for example, an instance of Prey on the device controlled by a remote malicious party. Such an attack would be device-dependent, however; there might be some manufacturer/model that is vulnerable to a hand-crafted attack vector specifically targeted at it, but no possibility of creating a generic attack. The attack device can easily masquerade using existing cell area and BTS signatures that it can observe anyway. There is pretty much no way that the target UE can shield against this type of attack.