Passive TCP/IP fingerprinting might tell a lot about the device. You could probably easily tell apart an iPad and a router. But if IMEI checking catches 95% of plan cheaters, it's probably not worth implementing more checks (more checks = more cost and infrastructure to maintain, is it cheaper than the lost revenue?).
This said, I find it insane that there are such plans. The cost of a connection should be the same whatever the device behind is.
I think there's lots of ways they could tell if they really wanted to. One way is simply looking at the traffic. "Why are apps on your Android phone accessing Windows update servers?". I guess a VPN can solve that and the game continues.
Something interesting might happen next week. T-Mobile Home Internet is not supposed to be moved from the registered address but until now that has not been enforced. It's quite popular with RVers. They just announced a new "Away" plan for $160/mo that you are allowed to move compared to $60 for the normal home plan and, not surprisingly, it seems like they're about to start enforcing the geo-restriction on the home plan. This apparently uses GPS in the device. I hear that a lot of people are using the home internet SIMs in other devices with the IMEI set. This is because there are much better devices with external antenna ports etc. These might be in trouble if they don't respond to the GPS request.
That might have legal implications (wiretap laws, they would be basically intercept your communication). But perhaps TCP/IP fingerprinting too, not sure... On the other hand, with providers that were even injecting code in web pages when HTTPS was not ubiquitous... maybe they don't care too much.
This said, I find it insane that there are such plans. The cost of a connection should be the same whatever the device behind is.