T-Mobile appears to be manipulating network traffic from users accessing the Internet through the wireless hot-spot functionality of their Android device:
For background: ever since carriers began offering data connections to mobile subscribers, consumers have been trying to use these same pipes to get Internet access from other devices they might be carrying, such as their laptop. Over time different options emerged to connect these secondary devices and phones to accomplish this. In the beginning were USB cables, originating the concept of “tethering” with overtones of being tied down. Along came Bluetooth with the Personal Area Networking (PAN) profile, cutting the cable metaphorically. The final step in this evolution was the wireless hotspot, first introduced in the Android 2.2 “Froyo” release and eventually taken up by the iPhone. In this model the phone acts as a wireless router, offering a wifi network. Instead of messing with cables or working through the ever-inconsistent implementations of Bluetooth pairing, users connect to this wireless network much like they would at a hotel, and get to access the Internet by tapping the same data connection they have already paid for as part of their cell phone plan.
At least that is the theory. The above screenshot is what happened in a recent session when attempting to navigate to www.youtube.com from a laptop connected to the wireless hotspot of a Galaxy Nexus running Jelly Bean. As the screenshot demonstrates, this is not exactly what the legitimate YouTube website looks like.
This is not exactly new. Carriers have been frequently at odds with their own users over tethering. Most recently, Verizon got a shellacking from the FTC in a settlement ruling that the carrier cannot keep customers from downloading tethering apps. AT&T meanwhile has resorted to stalking users with SMS when they start tethering on jail-broken iPhones. T-Mobile seems to have taken matters into its own hands by actively manipulating and blocking traffic. The carrier is using an explicit redirect, as the address bar shows a T-Mobile URL instead of the original location. This is accomplished by returning an intermediate response to the request for YouTube, redirecting the browser to the T-Mobile site instead. (With more nefarious transparent interception, T-Mobile could have returned the same bogus response while impersonating the original site the user expected to visit.)
Two consistent features of this based on initial observations:
- Traffic manipulation does not commence immediately on connecting to the hot-spot, but only after some time has elapsed or, equivalently, some amount of bandwidth has been consumed. After that point all subsequent requests are tampered with, returning the above page. For what it’s worth, a quick check of the Android settings shows the total data used before reaching this point was ~100MB:
It is not clear what heuristics T-Mobile is using for detection. One article claims carriers rely on the TTL (time-to-live) field in IP packets, which is different for packets taking an extra hop through the phone acting as a “router” versus packets originating from the phone itself. At least TTL is part of the packet header. A more disturbing possibility would be deep-packet inspection, where carriers are looking at the content of packets. There are plenty of signals inside an HTTP request that permit easy identification of tethering scenarios. For example, if the HTTP user-agent header indicates the browser is IE9 running on Windows 7, chances are this is not coming from an Android phone.
- Blocking is not attempted for pages accessed over SSL, in other words URLs starting with https. This is not surprising, as the SSL protocol carefully verifies the identity of the destination website using digital certificates. Any attempt by T-Mobile or other aspiring censors to masquerade as the legitimate site will result in a certificate error from major web browsers. Increasingly the UI for such errors is designed to be very difficult for even the unsuspecting user to ignore or bypass. It appears that T-Mobile made a conscious trade-off in condoning SSL usage and only tampering with unprotected HTTP traffic to display their advertising/upsell message. (Score another victory for HTTP Strict Transport Security, or HSTS; websites such as GMail which can be configured to be always accessed over SSL are not affected because the web browser will use the HTTPS version even when a plain HTTP link is given.)
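As an added example (not part of the original post), here is a small Python check for the two things described above: a plain-HTTP response whose 3xx Location points off-site, which is how the T-Mobile redirect shows up in a capture, and an HSTS header, which a browser honours only when it arrived over TLS. The carrier hostname and both captured responses are constructed placeholders, not taken from the post.

```python
from urllib.parse import urlsplit

# Constructed sample: an intermediate response of the kind described in the post,
# returned for a plain-HTTP request to www.youtube.com. The carrier host is a placeholder.
INJECTED = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://hotspot.carrier-placeholder.invalid/upsell\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: a legitimate redirect to the same site, carrying an HSTS header.
LEGIT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.youtube.com/\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def classify(request_host: str, raw: bytes) -> str:
    """Return 'ok', 'same-site-redirect' or 'offsite-redirect' for one response.
    An off-site 3xx answering a plain-HTTP request is the signature seen in the post."""
    code, headers = parse_response(raw)
    if not 300 <= code < 400 or "location" not in headers:
        return "ok"
    target = urlsplit(headers["location"]).hostname or request_host
    # Simplified same-site test: exact match or parent/child host (not a public-suffix check).
    same_site = (target == request_host
                 or target.endswith("." + request_host)
                 or request_host.endswith("." + target))
    return "same-site-redirect" if same_site else "offsite-redirect"

def hsts_protected(raw: bytes, over_tls: bool) -> bool:
    """True when a browser would pin this host to HTTPS after this response.
    Browsers ignore Strict-Transport-Security received over plain HTTP, so the
    header only counts when the response came over TLS."""
    _, headers = parse_response(raw)
    return over_tls and "strict-transport-security" in headers
```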