Samsung, Nokia say they don’t know how to track a powered-down phone

  • They are probably not even lying that the baseband processor is shut down by the application processor, as it controls the power and system clocks.

    But the dirty little secret is that the baseband processor is still a completely uncontrolled subsystem, loaded with some proprietary binary blob by trustworthy companies like Qualcomm. GPS and even the microphones are usually integrated into the baseband, not part of the application processor that runs your Android. So you have a perfectly capable ARM processor running a proprietary RTOS system, written completely in C (or C++ occasionally) with access to all the vital peripherals and a gigantic attack surface in dealing with all the mobile communication protocols. The only reason there hasn't been a complete breakdown yet is that it's difficult for amateur researchers to exploit, you need expensive RF hardware and the mobile communication protocols are huge bodies of closed committee designed standards. But it is without a doubt in the reach of the NSA, and they are probably actively exploiting baseband processors already.

    (Interestingly, since baseband processors have grown in complexity, most smartphones can now update the firmware on them, so there are lots of firmware images floating around. I highly recommend just even running strings on them, it's quite enlightening. Some examples from a Nexus 4 radio:

        Failed do spoof USB cable disconnection
        Assertion os_mutex_pool_ptr[mutex_index_in_pool].is_available == 0 failed
        hsu_al_ser_open: hsu_al_ser_base_open for port NMEA (%d) returned failure
        Conversion to UTF-16 failed! Returned %d, expected %d
        Unexpected IP family %d - assuming IPv4
        inflate 1.2.3 Copyright 1995-2005 Mark Adler 
        Received ARP Request
        CxM - Received WLAN Early Grant Release
    
    (Yes, these are format strings! And this device has all the good stuff: classic 2005 zlib, a homebrew network stack, homebrew character conversion routines, homebrew operating system, homebrew USB stack...)

  • "Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to “find cellphones even when they were turned off.”"

    Since this technique pre-dates smartphones, it is unlikely to involve installing software on the phone. At best, the NSA might have found that a given model of phone didn't properly power down its radio when the phone was powered down. Given access to the cellular network it might be possible to ping the phone and make it disclose its position via triangulation.

    Very hard to see how this could be anything other than deliberate disinformation by the NSA though.

  • There's tracking a phone while it's off, and then there's real-time tracking of a phone while it's off. Two very different things, and two very different attacks.

    "a new NSA technique enabled the agency to find cellphones even when they were turned off"

    The current administration is very careful with choosing their words. I haven't seen WP's source, but I wonder if this is more about the phone blipping its receivers to record some local MAC addresses and scrambling codes and then uploading the data the next time the phone's powered on.

    You know, when the word "collect" doesn't mean what you think it does, I wouldn't bet on nailing the word "find". :-)

  • Personally I've never understood why with every single laptop and mobile I've ever owned (where I could remove the battery) if I turned off the device, with full battery, eventually the battery dies...

    Yet if I power off the same device, take the battery out and leave it for the same amount of time, then put it back and power it on, it's a full battery...

    On the same note, my iPhone 4, 15" MacBook Pro w/ Retina, and Lumia 925, all when turned off completely, eventually the batteries die...

    Just slower than if they were turned on...

  • If I were tasked to implement this, I would arrange for the phone to appear to be powered down when in fact it is not, and for malware to do this when shutting down from inside the normal OS. If you "powered off" from software (by shutting down from a menu or holding the power button down until the screen goes blank, but not the many seconds it takes to trigger a more hardware-level hard power off), then I would make the screen go blank and make all other inputs unresponsive, except for the normal power on input.

    For bonus points, I would arrange for the baseband to transmit only very minimally as necessary, so it isn't noisily detectable from RF pickups such as nearby speakers.

    The technical details would get simplified, and management would hear that I can track a "powered-down" phone.

  • Thanks to Snowden we know the NSA backdoors crypto code and has leverage over the telcos to get the help they need. We also know that solutions are plausibly deniable as far as the big name companies that we know about. So the same thing could go on here.

    If I had to put this in place I would get something that worked even if there were no cellphone masts in the area. Get the radio to listen to something entirely different, broadcast from some box that could be put in a car or in one of those electronic listening planes the military have. Have it work at the radio level on the phone so the CPU does not need to be used. The reply could be an entirely different identifier to the IMEI or SIM identifier with it being a simple database 'select' to get these codes.

  • If there's any sort of oscillator still running in the phone, or any other circuit switching with a predictable pattern of rising/falling edges, you'd think it might be possible to pick up EM radiation with a sensitive enough receiver/antenna.

    A bit more "out there", maybe it is possible to pick up a powered down antenna? Think that an antenna is a (typically passive) conductor, designed to resonate at a particular frequency. If the antenna is irradiated with that frequency, wouldn't the antenna couple to the field and disturb it in some way? If those disturbances can be measured, then the antenna (and consequently the phone) can be detected.

  • My Sony Ericsson K310i used to discharge in a week when turned off with a SIM-card present and only lose 5% in a month when turned off with SIM-card removed.

    At the time I thought it was due to poor power management, but now it really makes me wonder.

  • I wonder how a hypothetical 'bugged' phone would do the data transmissions? I used to have a phone on a contract that had excessively high data charges. As a result, I only used it for voice / SMS. If a bug had been planted on it, and it used normal IP networking, it would be obvious when I got my bill.

    I wonder if there are ways that a pwned phone could transmit to an attacker without hitting the billing system? Non-billed SMS? Or are there other techniques on GSM? (e.g. network operator updates get pushed to phones and they aren't billed; there must be some other low-level two-way messaging capabilities)

  • The tracking might refer to listening to conversations that take place near a shut down phone. The technique might be similar to the one used in laser microphones (http://en.wikipedia.org/wiki/Laser_microphone), but instead of measuring vibrations, to measure the electromagnetic field variance of the phone's microphone.

  • Are NFC enabled 'phones both NFC devices and NFC readers or just NFC readers?

    If they start adding RFID tags to 'phones, the only safe way to not be tracked will be not to carry the 'phone.

  • Why is it that when flying, we are sometimes requested to put phones into flight mode before switching them off?

  • One of the ways that could be used to track feature phones while they were switched on, however, was sending specially crafted messages to the phone that would force a location update, which you can use to grab the cell id, and basically determine movement once you have a few of them.

  • As long as we have non free software running on their phones, it would be hard to believe the claim as is.

  • Never go outside without a large hat. Switch vehicles at underpasses or car parks. Don't forget the milk.

  • Apple knows, they should ask them. Fortunately, we can pull the battery out of a Samsung phone.