The hardware team had some semi-custom thing from Intel that spat out (no surprise) gigabytes of trace data per second. I remember much of the pain was in constructing a lab where we could drive a test system at reasonable loads to get the buggy behavior to emerge. It was intermittent so it took us a couple weeks to come up with theories, another couple days for testing and a week of analysis before we came up with triggers that allowed us to capture the data that showed the bug. It was a bit of a production.
That's exactly what I do with mine but apparently more and more manufacturers are putting the modem unit behind the same fuse that powers something essential.
For what it’s worth, the authors note that since this is installed on a phone, by the time CellGuard has detected a rogue base station, it’s too late anyway.
These spying devices often do permit network traffic to flow through, so if deployed widely these apps could be used to report on where large-scale messing with cellular communications is taking place. The only way to stop this technology is to turn off your phone completely (and opt out of any low-power "find my" networks built into Android and iOS, of course).
That's my point. Apple and Google are using local BLE broadcasts that get uploaded to servers for locating devices. That means ICE can detect/count people in the vicinity by just monitoring the location network signals your devices will emit. For some devices, the location beacon feature will keep working even if you turn them "off".
My Raspberry Pi some time ago had a setup where only public key auth was enabled for LUKS unlock, so I only had to have an authorized_keys file unencrypted.