Many individuals have taken to using their smartphones as broadband connections for other devices such as laptops and netbooks in a process commonly known as "tethering". As far as convenience goes, the benefits are pretty clear: a single, portable Internet access point for use with whichever device is most readily available at the time.
Unfortunately many providers in various countries have taken steps to either reduce or profit from this activity by either making tethering a violation of their terms of service, or offering a separate "tethering package" - which essentially amounts to making you pay an additional service overhead whenever you want to use your phone as a modem for another device.
Legality and ethics aside, this article isn't meant to focus on the why, but rather on the how. Specifically, how can they tell you're tethering, and what can be done to circumvent it? We'll approach these one at a time.
How can they tell?
All IP packets have a field known as the TTL. This stands for the Time To Live. Every "hop" a datagram takes from one router to the next on the way to its destination reduces the TTL by one. Once the TTL reaches zero, the packet is dropped.
This functionality was implemented so that packets affected by some routing error and which find themselves going in a circle will eventually simply disappear as soon as their TTL reaches 0, instead of snowballing into a packet storm. All routing devices do this, and generally it's a Good Thing.
All operating systems have a standard TTL set on outgoing datagrams up to a maximum possible value of 255. Let's assume that both your Windows laptop and your iPhone have a TTL of 128. When you connect to the Internet directly from your phone, the data packets leave the device and hit your network provider's router (the first hop) with a TTL of 128. The router will decrement the value by one to 127 as the packet leaves their network on its way to the Internet.
On the other hand if you're connecting from a laptop using your iPhone, the phone itself is acting as a router and any packets originating on the laptop will have a TTL of 127 as soon as they hit your provider's router. In this way they can see that there was an additional network hop before the packet reached them, and from this they logically deduce that the iPhone is tethered to a laptop/notebook/whatever.
Okay, so how can we get around that?
The most obvious solution is to modify the TTL of the datagrams at their source. If, as in the example above, the TTL on your iPhone is set to 128, changing the default TTL on your laptop to 129 will mean that after the value is decremented by your phone, the provider will receive a packet with the expected TTL of 128. To them it will appear as though you're browsing directly from your phone.
Unfortunately there is one caveat: If the TTL on your mobile device is set to 255, I'm afraid you're shit-outta-luck. Seeing as the TTL is an 8-bit field in IPv4 packets, it can only accomodate 256 possible values: 0 - 255. You cannot possibly set it to 256 on any device ever. Fortunately in most circumstances this is not the case.
According to Deutsche Telekom Laboratories (PDF), "The default IP TTLs of popular MHDs (mobile hand-held devices) differ from those of the most commonly used home OSs. The default TTL of iPhones/iPods and Macs is 64, Symbian uses 69, while Windows uses 128. This enables us to separate MHD usage from regular PC."
To modify the default TTL in Windows, do the following:
- Click on Start and Run (or Search) and type "regedit" to open the Windows registry editor.
- Navigate to the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
- In the right-hand pane, right-click and select "New - DWORD (32-bit value)" and set its name to "DefaultTTL" and its value to anything between 0 and 255.
A few last thoughts.
Already a few possible questions pop up in my head.
"Why not just spoof my User Agent when browsing?" I have always been and remain against spoofing of User Agents. Not only does it damage the efficacy of legitimate browser statistics, but it simply does not work. It's like a burglar who begins to meow after being caught red-handed in the hope that you'll assume he's a kitten and leave him alone. Any device, application or extension that promises to protect you by spoofing your UA is snake oil.
"Isn't there some other way that they can tell?" Frankly yes, but you don't need to worry about it. This would require deep packet inspection, and for any ISP who would benefit from disallowing or charging for tethering, DPI would be prohibitively expensive.
"Can I get in trouble doing this?" No. Changing the default TTL on your laptop/netbook/PC is absolutely not prohibited by any law. Just don't e-mail your mobile provider boasting about how you "cleverly" circumvented their tethering policy. You'll find your contract voided painfully fast.
"Can I damage my computer or my network doing this?" As long as you don't set the TTL inordinately low nor go out of your way to do stupid things with firewalls, you'll be fine. Imagine a TTL set to 5 and after a 4-hop loop the packet arrives back at your router. The loop will continue indefinitely until you reboot the router.
In summary, TTLs are serious business!
Good luck and have fun!