We reported that AT&T was cracking down on tethering 3 weeks ago, and it looks like they're up to it again. Based on forum comments, we've summarized what we're seeing from AT&T.
The first round appeared to be users on AT&T unlimited data plans that used more than 10GB of data in March. The latest round appears to be similar users using more than 5GB in March. It appears AT&T is on a data witch hunt. We've seen the message sent to users who simply use a lot of bandwidth (and never even tether/jailbreak) as well as users that use unauthorized tethering. What's most shocking is that many users have reported calling AT&T and were asked if they were using Netflix, Pandora, etc. Some have been told that using those services is the definition of tethering. We're not sure if this is coming down from the AT&T top, or if this is simply non-technical AT&T customer service reps that are confused about what tethering is. However, based on the number of user reports, and the chances that users are very likely reaching different reps, this seems like deliberate AT&T rep training. Seemingly unethically, many customers are being convinced to pay for a tethering plan when they're in fact not tethering at all.
For users that have been wondering, here's some analysis and summarization of posts across the forums:
- Some users who have never jailbroken have stumbled upon our forums and reported that they have received the infamous "Did you know tethering your Smartphone ....?" texts.
- Users of MyWi, PDANet, and TetherMe have received the texts.
- Users are on all iOS versions (at least 3.1.3 through 4.3 from what we've seen). There's no iOS version pattern.
- Only unlimited data plan users are receiving the texts.
As AT&T is only pursuing unlimited data plan users, it seems this is most likely a data witch hunt rather than anything else. Obviously, if AT&T starts pursuing 2GB capped plans, then I think the perspective changes. It may simply be that they're chasing the biggest users right now.
Need To Know Information on Tethering
We've got a fairly techy community here, and users have been speculating all sorts of ways AT&T could be monitoring. We wanted to clear up some of the misinformation:
- HTTP User Agent: Since some App Store apps let you set a different user agent, this is not a 100% positive indicator.
- DNS entries: Your tethered OSX/Windows computer hits specific entries like windowsupdates.microsoft.com. This is a pretty good indicator that you're tethering with an OS other than iOS. While you could argue that you could point your browser at these URLs, that doesn't explain why data was transferred back and forth. (If you want to make an app that you can install on your iPhone that simulates Windows Update chatter and send that to AT&T as an explanation, we wish you luck!) This does not apply to iPad-to-iPhone tethering, of course.
- Content: Your Safari browser won't download Flash. Given that Flash is in widespread use, most pages you visit on a tethered PC will access Flash content. However, this is also not a 100% positive indicator as you could have installed comex's awesome Frash.
- TCP signatures: OSes differ in how they handle ACK/NACK behavior, the starting TTL (time to live), congestion control, and more for TCP requests/responses. It's possible to guess at the OS based on these signatures. However, because the tethered device is behind the NAT, active fingerprinting is not possible. Passive fingerprinting is possible if the tethering app is not completely rewriting the packets, using elements like the OS's IP ID patterns, TTL, and others.
These seem to be the 4 big mentions, with the DNS entries to OSX/Windows updates being the most vulnerable (and probably least likely to be used). We're guessing it's probably #4. While that's probably the most network-appliance intensive, it appears AT&T only has a few huge pipes for its 3G network traffic to go out of, so there aren't many places this needs to be done. Unless of course it's PURELY based on the amount of data - possible, since users are asked if they "use Netflix or Pandora."
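As an added example (not code from the original post), here is a toy version of the passive check in #4 run over constructed packet records with assumed field names (ttl, ipid, dst). It shows why a mix of inferred starting TTLs from one subscriber address, or a globally counting IP ID, points at a second OS behind the phone's NAT rather than the handset itself.

```python
# Toy passive fingerprint over per-subscriber packet records (hypothetical fields).
from collections import Counter

# Common default starting TTLs. The observed TTL is the start value minus the
# hops traversed, so rounding up recovers the sender's default on a short uplink.
INITIAL_TTLS = (64, 128, 255)

def guess_initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting TTL."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return None

def os_family(initial_ttl):
    # 64 is shared by iOS, OSX and Linux, so TTL alone cannot separate them;
    # 128 is the Windows default and is the value that stands out.
    return {64: "unix-like", 128: "windows"}.get(initial_ttl, "unknown")

def ipid_looks_sequential(packets):
    """True if IP IDs climb by small steps across packets to *different*
    destinations, the mark of a single global IP ID counter."""
    ids = [p["ipid"] for p in packets]
    if len(ids) < 3 or len({p["dst"] for p in packets}) < 2:
        return False
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return all(0 < s <= 32 for s in steps)

def analyse_subscriber(packets):
    """Summarise fingerprint evidence for packets seen from one subscriber IP."""
    groups = {}
    for p in packets:
        groups.setdefault(guess_initial_ttl(p["ttl"]), []).append(p)
    return {
        "families": sorted({os_family(t) for t in groups}),
        # Two inferred starting TTLs from one address means two OSes behind it.
        "mixed_ttl": len(groups) > 1,
        "global_ipid_counter": any(ipid_looks_sequential(g) for g in groups.values()),
    }

# Constructed sample traffic (not real captures).
PHONE_ONLY = [  # handset itself: TTL 64 minus a couple of hops, scattered IP IDs
    {"dst": "a", "ttl": 62, "ipid": 41233},
    {"dst": "b", "ttl": 62, "ipid": 9021},
    {"dst": "a", "ttl": 61, "ipid": 55812},
]
TETHERED_WINDOWS = PHONE_ONLY + [  # NATed laptop: TTL 128 minus hops, counting IP IDs
    {"dst": "c", "ttl": 125, "ipid": 3001},
    {"dst": "d", "ttl": 125, "ipid": 3002},
    {"dst": "e", "ttl": 125, "ipid": 3004},
]
```

A tethering app that rewrites TTL and IP ID on the way out would collapse both signals, which is exactly the property to look for when reviewing those apps.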
We'll do a roundup of what each of the tethering apps does with respect to TCP signatures, as we're strongly convinced AT&T's data witch hunt has no merit (again, evidenced by many users that don't tether at all receiving those "nasty" messages simply because they have an untethered plan and are using > 5GB per month). We'll have another article with our analysis of the tethering apps' TCP signatures in the next few days!