3

I have a mobile plan with unlimited data.

It works overseas as well as in the country of origin.

It does not work for overseas tethering - I cannot use internet on my computer when travelling - it displays a webpage telling me it's not allowed.

There were some hacks with unlimited 3G on Kindle: http://hackaday.com/2012/02/27/tethering-a-kindle-for-free-3g/

I wonder - how does the mobile operator know whether I'm using the phone (internet works) or a computer ("tethering not allowed" message)?

Is it user-agent string or something more sophisticated?


EDIT/UPDATE

3G hotspot, connecting with another phone

(because another phone does not work it suggests it's not the user-agent string)


3G hotspot, connecting from a computer


Mars Robertson

3 Answers

2

While I'm not sure of the exact answer to this question, I am aware that the user-agent string can be used by browsers to determine the type of device that the operating system is running on - often this is used in web design to dynamically display content based on what device is being used to view it.

To answer your question fully you must elaborate on when this 'tethering not allowed' message appears. Is it a prompt from your phone's OS, or is it a message that appears in your internet browser when you tether it to your computer?

EDIT: To test this theory you could try using a browser plugin like Random Agent Spoofer for Firefox. If you manually set your user-agent to the same OS and browser as you use on your mobile device then it is possible that the service provider will be unable to distinguish between the traffic from your computer's browser and data coming from your mobile device itself. However, this assumes that the provider or mobile device is not modifying the packets in some way to reflect that the packets are being sent from a tethered device. If this is the case then there really is very little that you can do about it.

From what you have described it sounds more like the packets are being redirected based on the information inside the packet. For example, any HTTP requests that are shown to be originating from the computer through the mobile phone are being redirected to a different source, hence you are being served with a basic web page stating that you 'cannot use a tethered device'.

As stated by other users, there are many ways that the service provider could potentially detect that you are using a desktop as opposed to a mobile device.

RedBullNinja
  • As far as I remember it displays a webpage. I'm flying in a few hours so I'll be able to update the question. I updated the question anyway. – Mars Robertson Oct 21 '16 at 10:50
  • **EDIT / UPDATE** - included the screenshots to explain what's going on... Luckily I had a very good WiFi at the hotel so no shenanigans were required. – Mars Robertson Oct 30 '16 at 07:50
2

TL;DR: Your phone OS (plus plan provider) can do whatever it wants without your concern; that includes blocking devices it does not want to route traffic to the open internet for. Any traffic through 3G reaches your plan provider 'cause ICC data needs to reach it to allow the connection in the first place. Therefore yes, your mobile operator knows what you're doing.


A phone OS is completely under the control of the vendor (even if you ask about Android, it has proprietary code in the Linux kernel). That gives the vendor complete control over the operation of your device, including all traffic that goes through it. Unless you jailbreak it, and even then you cannot be completely sure if you have complete control. Only full reverse-engineering (of the parts of the OS that are not open source), and a way to modify the memory, will give you full control over the device.

All that said, we can get on to the question. When you make a WiFi hotspot or connect a computer through the USB port the device can react (even proprietary embedded OSes use udev these days thanks to GPL tivoization). The reaction of the device can be anything it was programmed to do, which can really be anything since it can even control kernel-mode operation.

Therefore your phone, acting as a router*, can assign markup to the traffic coming through the WiFi hotspot (or USB connection). The markup can be anything: can be as simple as meddling with HTTP headers or more complicated by modifying TCP options. The phone can definitely do this since it has a stateful firewall.

As for identifying yourself as the originator, 3G runs as the 3GPP standard, which is based on GSM, which always adds the ICC data from your SIM card to the connection. Even if your phone does not allow you to remove/insert a SIM card, it must have an identifying RFID that can provide an ICC for the 3G connection.


The connection markup is sometimes poorly designed. As in the Kindle link you cite, entering the debug mode changed the firewall rules and removed the markup. Sometimes the markup may not be performed by the phone, but the receiver of the 3G connection (the company that maintains your plan) may try to identify traffic, possibly as trivially as User-Agent: or in more complex ways (passive fingerprinting).

But there is no way to know how the 3G maintainer performs the filtering (markup on the phone? at kernel level? at firewall level? no markup? user-agent? p0f?) since there are no standards on how to do it and almost all code is proprietary. This is why there are so many ways to jailbreak different phone versions and why this is illegal pretty much anywhere. Reverse engineering the mechanisms by which phones perform undocumented features is the Wild West of information security today.

One thing you can know is whether the phone is deciding to give you the webpage or it is going all the way to the 3G provider. There are devices that can detect 3G traffic, which may be able to tell you whether the traffic from your machine goes out of the phone or not.

Disclaimer: Again, both jailbreaking and 3G monitoring do have legal implications in several jurisdictions (jailbreaking more than 3G monitoring).


* A phone that can act as a WiFi hotspot or internet connection through USB can be a router since it has two NICs anyway: one NIC through GSM and another through Ethernet over USB or an 802.11 AP.

grochmal
  • Might be worth it to provide a summary at the start. I came away somewhat wondering what your answer was. – Stoud Oct 21 '16 at 11:04
  • It's not the application and it's CPU, it's the baseband. You have no control over it, and the operator decides what you can do with it. – John Keates Oct 21 '16 at 12:21
  • @JohnKeates - I agree, OP has no control over it. But he is really asking how the 3G operator is figuring out that he is using a computer connected to the phone, as opposed to browsing the internet from the phone itself. Had OP full control over the phone (including possible keys in the ICC/RFID) he could tell the phone that the traffic from his computer is actually originating from the phone. – grochmal Oct 21 '16 at 12:40
  • We'd need more technical details. If it's web-only, it would be detected by the carrier proxy and CGN, if it's everywhere it would be modem/baseband-based. As soon as there are more hops than the "endpoint", the network would know there is something happening. – John Keates Oct 21 '16 at 15:21
  • @JohnKeates - If you have the control of the device you can fake the endpoint. You just tell the NAT firewall to rewrite all packets at TCP level (including stuff like TTL, which is a level below). i.e. you tell the phone's kernel to (1) force PMTU (2) strip IP and TCP headers from every packet and (3) rebuild the packet headers. Now, that would be particularly difficult (am not aware that e.g. iptables can do it, and that would actually be a nice question), but certainly not impossible. – grochmal Oct 21 '16 at 16:50
  • @grochmal yes, that would probably work. But if it's on HTTP level, you'd have to use a rewriting proxy. In any case, it really depends on how it's currently set up, and what's working (and what isn't). It may very well be above TCP/IP level, and be application-specific. – John Keates Oct 21 '16 at 21:46
  • **EDIT / UPDATE** - included the screenshots to explain what's going on... Luckily I had a very good WiFi at the hotel so no shenanigans were required. – Mars Robertson Oct 30 '16 at 07:50
  • @MichalStefanow - Well, yeah. But now I wonder after what kind of answer you are after. Both Xeeneta and me outlined the information disclosure vectors. You can try closing them one by one and hope the 3 UK does not use the ones harder to spoof. – grochmal Oct 30 '16 at 13:14
  • @grochmal *"what kind of answer you are after"* - curiosity and expanding my knowledge. I've updated the question and notified in the comments just to let you know - in case you are curious too. – Mars Robertson Oct 31 '16 at 02:59
  • @MichalStefanow - Good point. And I actually missed the "because another phone does not work" in your edit, so sorry for that. On another hand I had the opportunity to test that my O2 plan does *not* do the same. Yet, I traveled from the UK to the EU. And, moreover, my O2 plan includes an international service, so they may have kicked in an international tethering into my plan. – grochmal Nov 01 '16 at 21:11
  • LOL, I think I have never been downvoted twice in a single day before, and on the same answer. I'm left to wonder what could be wrong with the answer since not a single downvoter did leave a comment. – grochmal May 05 '17 at 22:32
1

iOS devices use a separate APN for their personal hotspot functionality, so this gives an easy way for the carrier to know and block this usage. This APN is forced by a carrier profile, which are submitted to Apple by the carrier and iOS devices load the proper profile based on which SIM and MCC/MNC they're using. The profile can set which APNs are used and whether the user is allowed to edit them (I would expect them to forbid editing the personal hotspot APN in this case).

That's one way. The other way is to look at the TTL of the packets - it will be decreased each time the packet goes through a router. So for example when the phone is sending a packet directly the packet will leave the phone with a TTL of 64, whereas when your computer is sending the packet to a router (or a phone acting as a personal hotspot) the phone will decrease the TTL by one before forwarding it to the cellular network. Network equipment at the carrier can detect that.

One other way is to discriminate based on the user-agent, but this is becoming less relevant today as most traffic is HTTPS, which means the carrier can't decrypt the connection to look at the header. The other issue is that the reason for blocking personal hotspot is to reduce bandwidth usage, and there are other protocols (BitTorrent, SSH, etc) that don't have a user-agent field and could use even more bandwidth than HTTP does.

They could also simply pin your IMEI and prevent you from using any other phone, so for example if you've got an iOS device (which would be "protected" by the carrier profile preventing you from using personal hotspot), they can pin its IMEI and only allow that device to connect to the network, preventing you from using another device to bypass the limitation. Of course, spoofing the IMEI on another device would work around that - it's just like bypassing a MAC address whitelist on Wi-Fi.

By the way - your data is not really "unlimited", it's unlimited only as long as it makes them a profit (they can sell this "unlimited" plan for more than the limited ones). Try using terabytes worth of data and they'll quickly cut their losses and disconnect you.

André Borie
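A toy version of the carrier-side checks described in André Borie's answer (TTL decrement) and RedBullNinja's answer (User-Agent inspection), written as an added example that is not taken from any post on this page. It assumes a middlebox that sees the IP TTL at the carrier's first hop and, for plaintext HTTP only, the User-Agent header; the sample flows are constructed to mirror the cases in the question's screenshots.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Common initial TTL values: 64 (Linux, Android, iOS, macOS), 128 (Windows),
# 255 (some network gear). A packet arriving one below its default has
# crossed exactly one router, e.g. a phone forwarding for a hotspot client.
INITIAL_TTLS = (64, 128, 255)
MOBILE_UA_MARKERS = ("iPhone", "Android", "Mobile")

@dataclass
class Flow:
    ttl: int                    # IP TTL as seen at the carrier's first hop
    user_agent: Optional[str]   # None for HTTPS or non-HTTP traffic

def hops_before_carrier(ttl: int) -> int:
    """Estimated routers crossed before the carrier saw the packet: the gap
    between the observed TTL and the nearest common initial TTL above it."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl

def classify(flow: Flow) -> str:
    """Return 'tethered', 'direct', 'suspect' or 'unknown' for one flow."""
    if hops_before_carrier(flow.ttl) >= 1:
        return "tethered"      # extra hop between the client and the network
    if flow.user_agent is None:
        return "unknown"       # TTL looks direct and there is no header to read
    if any(marker in flow.user_agent for marker in MOBILE_UA_MARKERS):
        return "direct"
    return "suspect"           # desktop UA but phone-like TTL: weak signal only

# Constructed sample flows (hypothetical values, not captured traffic).
SAMPLES: Dict[str, Flow] = {
    "phone browser, HTTP": Flow(64, "Mozilla/5.0 (Linux; Android 6.0) Mobile Safari"),
    "laptop via hotspot, HTTP": Flow(63, "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"),
    "second phone via hotspot, HTTPS": Flow(63, None),
    "Windows laptop via hotspot, mobile-looking UA": Flow(127, "Mozilla/5.0 (iPhone) Mobile Safari"),
    "phone app, HTTPS": Flow(64, None),
}

def classify_all() -> Dict[str, str]:
    """Classify every sample flow; the TTL signal catches the hotspot cases
    even where the User-Agent is mobile-looking or absent entirely."""
    return {name: classify(flow) for name, flow in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:48s} -> {verdict}")
```

Note that the HTTPS flows never reach the User-Agent branch, which is the limitation the last answer points out: once the TTL looks direct, an encrypted flow gives this check nothing more to go on.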