Android betrays tethering data

When I upgraded an Android device the other day, I found that tethering completely stopped working. The updated CyanogenMod had inherited a new bug from Android, informing the carrier that I was tethering. The carrier, Vodafone Italy, had decided to make my life miserable by blocking that traffic. I had a closer look and managed to find a workaround.

There is absolutely no difference, from a technical perspective, between data transmitted from a mobile device on-screen application and data transmitted from tethering. Revealing the use of tethering to the carrier is a massive breach of privacy - yet comments in the Google bug tracker suggest it is a feature rather than a bug. This little table helps put that logic in perspective:

Product: Person who carries handset
User: Mobile network who wants to discriminate against some types of network traffic to squeeze more money out of the Product
Feature: Revealing private information about the way the Product uses his/her Internet so the real User can profit.

It is also bad news for the environment: many people are being tricked into buying unneeded USB dongle modems that will end up in the rubbish in 1-2 years' time when their contract expires and the company pushes them to upgrade to the next best thing.

Behind the scenes

What does it really mean in practice? How does Android tell your carrier which data is from tethering?

As my device is rooted and as it is my device and I will do what I want with it, I decided to have a look inside.

The ip command revealed that there are now two network devices, rmnet_usb0 and rmnet_usb1. The basic ip route command reveals that traffic from different source addresses is handled differently and split over the different network devices:

shell@android:/ # ip route
0.0.0.0/1 dev tun0  scope link
default via 100.66.150.89 dev rmnet_usb0
83.224.66.138 via 100.87.31.214 dev rmnet_usb1
83.224.70.94 via 100.87.31.214 dev rmnet_usb1
100.66.150.88/30 dev rmnet_usb0  proto kernel  scope link  src 100.66.150.90
100.66.150.89 dev rmnet_usb0  scope link
100.87.31.212/30 dev rmnet_usb1  proto kernel  scope link  src 100.87.31.213
100.87.31.214 dev rmnet_usb1  scope link
128.0.0.0/1 dev tun0  scope link
192.168.42.0/24 dev rndis0  proto kernel  scope link  src 192.168.42.129

I then looked more closely and found that there is also an extra routing table. The rule that selects it can be found with ip rule, and its contents with ip route show table:

shell@android:/ # ip rule show
0:      from all lookup local
32765:  from 192.168.42.0/24 lookup 60
32766:  from all lookup main
32767:  from all lookup default

shell@android:/ # ip route show table 60
default via 100.87.51.57 dev rmnet_usb1
100.87.51.57 dev rmnet_usb1
192.168.42.0/24 dev rndis0  scope link

In this routing table, it is obvious that data from the tethering subnet (192.168.42.0/24) is sent over the extra device rmnet_usb1.
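
The same check can be scripted. The script below is an added example, not part of the original post: it replays the ip output quoted above through a hypothetical sample_ip helper (the IP_CMD variable and all function names are assumptions) and reports any source-based rule whose table has a different default interface than the main table.

```sh
#!/bin/sh
# Added example: flag source-based policy routing that sends a tethering
# subnet out of a different interface than the main default route.
# IP_CMD defaults to a replay of the output quoted in the article so the
# script runs offline; set IP_CMD=ip on a device to inspect live state.
IP_CMD=${IP_CMD:-sample_ip}

sample_ip() {  # hypothetical helper: replays the article's captured output
    case "$*" in
        "rule show") cat <<'EOF'
0:      from all lookup local
32765:  from 192.168.42.0/24 lookup 60
32766:  from all lookup main
32767:  from all lookup default
EOF
            ;;
        "route show table main")
            printf '%s\n' 'default via 100.66.150.89 dev rmnet_usb0' ;;
        "route show table 60")
            printf '%s\n' 'default via 100.87.51.57 dev rmnet_usb1' \
                          '192.168.42.0/24 dev rndis0  scope link' ;;
    esac
}

# Print the interface used by the default route of routing table $1.
default_dev() {
    $IP_CMD route show table "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# For every rule that selects on a source prefix ("from <subnet> lookup N"),
# compare table N's default interface with the main table's.
find_split_routing() {
    main_dev=$(default_dev main)
    $IP_CMD rule show |
    awk '$2 == "from" && $3 != "all" && $4 == "lookup" {
        sub(/:$/, "", $1); print $1, $3, $5 }' |
    while read -r pref src table; do
        dev=$(default_dev "$table")
        if [ -n "$dev" ] && [ "$dev" != "$main_dev" ]; then
            echo "pref=$pref src=$src table=$table dev=$dev main_dev=$main_dev"
        fi
    done
}

find_split_routing
```

Rules of the form "from all to <address> lookup main" are ignored, since they do not select on a source prefix.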

Manually cleaning it up

If the phone is rooted, it is possible to very quickly change the routing table to get all the tethering traffic going through the normal rmnet_usb0 interface again.

It is necessary to get rid of that alternative routing table first:

ip rule del pref 32765

and then update the iptables entries that refer to interface names:

iptables -t nat -I natctrl_nat_POSTROUTING -s 192.168.0.0/16 -o rmnet_usb0 -j MASQUERADE
iptables -I natctrl_FORWARD -i rmnet_usb0 -j RETURN

This immediately resolved the problem for me on the Vodafone network in Italy.

Conclusion

If Google can be bullied into accepting this kind of discriminatory routing in the stock Android builds and it can even propagate into CyanogenMod, then I'm just glad I'm not running one of those Android builds that has been explicitly "enhanced" by a carrier.

It raises big questions about who really is the owner and user of the device and who is receiving the value when a person pays money to "buy" a device.

Comments

Sounds like a local political problem. I suggest all Italians vote in the next elections against this.

In UK&Ireland tethering is prohibited for pre-paid cards. At least in those agreements that I've read. It makes sense from companies' point of view as pre-paid cards usually are those that have "unlimited" data plan. Though, from my point of view I feel restricted, e.g., if I want to share my connection with other mobile phones that don't have data connection.

There is no technical reason for this, it is just another gimmick to force people into phone contracts even if they don't want to have a commitment. It can be easily worked around by adapting the phone not to reveal that traffic is from tethering.

this is nothing new (ISPs in days before cheap WiFi routers were common frequently specified 1 PC on home internet plans).

Tethering is asking the carrier to route data from multiple devices with your phone acting as a router forwarding packets. The solution given on the rooted phone is configuring NAT for the tethered traffic so it appears to be originated on the phone.

That's not a REAL privacy issue, being upset about potential charges, doesn't make it so. Being able to work round the carriers marketing men's ideas shows desirability of open devices.

I think that such a prohibition violates both net neutrality and common sense. When somebody buys internet access, it should be limited only by speed and/or amount of transferred data. No record such as "you can only use it with given hardware/software" should be permitted. Can you imagine that your ISP allows WWW connections only from one, proprietary browser?

Restricting a phone on a budget plan to be a host device, not a router connecting potentially another separate network (perhaps with 100's of phones or PCs), does seem to me to be a valid restriction. Why should low traffic users pay to subsidise a few so called "hogs" or have restricted traffic?

That it is trivially circumvented on an open rooted device, shows why marketing types who develop payment plans, have a tendency to favour locked down devices.

Restricting a phone on a budget plan to be a host device, not a router connecting potentially another separate network (perhaps with 100's of phones or PCs), does seem to me to be a valid restriction. Why should low traffic users pay to subsidise a few so called "hogs" or have restricted traffic?

The user in question has obviously already paid for X amount of data. Why should the carrier care how many devices that X amount of data is split up over? Why should it even be allowed dictate terms in that regard?

Compare to buying a Pizza. No one in their right mind would be OK with the Pizza place saying that you cannot share the Pizza with your friends, that everyone has to buy their own even though they would be happy to share just one.

Not true (i.e. the blanket statement that "tethering is prohibited for pre-paid cards" is not true). And here's my counter-example: http://giffgaff.com/goodybags/10pound-goodybag (you'll see, in the 3rd paragraph from the end, the words "Tethering is permitted on £10 goodybag"). In fact, 3 of giffgaff's goodybags and all 3 "gigabags" permit tethering.

as you see I added a disclaimer "at least those that I've read". And for giffgaff I had read those for £20 goodybag that does not allow tethering. But it's good that they allow tethering at least for smaller limits.

Took a look at another provider, Three. It still does not allow tethering for pre-paid cards (http://www.three.co.uk/Privacy_Cookies/Terms_Conditions?site=d&content_a...), but there is 2GB tethering limit for few other pay-monthly plans and it requires to have some kind of software installed on the phone. Not to say, that the phone has to be supported for this software.

Giffgaff is a somewhat interesting example. They changed their tariffs (£10 for 1gb tetherable or £12.50 for unlimited non-tether) specifically to address tethering. I use the £10 goodybag and even with the occasional spot of tethering I don't get through 1GB a month.

This can be fixed permanently by changing the phone configuration (requires root).

Instructions at:

https://pmf.silvrback.com/fixing-tethering-on-android-kitkat

It's insane that this isn't the default setting.

What if the carrier does some smart analysis of the traffic, revealing desktop application usage...?

I highly doubt that that is legal at all.
<sarcasm>
But.. well.. if they do it to fight terrorism..
</sarcasm>

Cyanogen is not the friendly beast you think it is

It would not do anything to hurt Google, or advertisers, or carriers

It probably didn't go in unseen... try sending cyanogen the patch... they will probably reject it....

somebody pushed some changes to spoof permissions, and they were removed shortly after arguing that advertisers wouldn't like this...

This was in the cyanogen 7 and Android 2.x era... 2/3 years before going commercial

Just saying...

I have no root on my phone and I have Vodafone Italy blocking my tethering.
I open Google and search.

Without root you can use adb to open a shell and use a simple command:

settings put global tether_dun_required 0

Running stock KitKat 4.4.2 on T-Mobile in the UK with a rooted nexus 4.

No differential routing here


shell@mako:/ $ ip route show
default via 10.51.212.237 dev rmnet_usb0
10.51.212.236/30 dev rmnet_usb0 proto kernel scope link src 10.51.212.236
10.51.212.237 dev rmnet_usb0 scope link
173.194.65.188 via 10.51.212.237 dev rmnet_usb0
173.194.67.139 via 10.51.212.237 dev rmnet_usb0
192.168.42.0/24 dev usb0 proto kernel scope link src 192.168.42.129
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.1
shell@mako:/ $ ip rule show
0: from all lookup local
99: from all to 10.103.181.170 lookup main
99: from all to 173.194.34.64 lookup main
99: from all to 10.51.212.237 lookup main
99: from all to 173.194.65.188 lookup main
99: from all to 173.194.67.139 lookup main
32766: from all lookup main
32767: from all lookup default

Please say Android version before upgrade, after upgrade. Also device name. I need it to reproduce the test. Thank you.

I have dealt with many annoying carrier-based blocks over the years with several US carriers, including on "carrier-enhanced" variants of Android.

However, I've never encountered such an issue with CyanogenMod, where tethering has always "just worked" for me. Right now, I'm tethering from the latest nightly build of CM11 for the Nexus 5 (aka hammerhead) and I do not have this split routing.

If this anti-feature of vanilla Android (from the user's perspective) was included in CM, it might have been an oversight rather than an intentional move. Have you been able to get any comment from the CM devs on this?

On the *other* hand, I can see why Google *might have* included this tether-discrimination flag in vanilla Android. If many carriers are insistent on discriminating against tethering traffic, it's probably better for end users if they all do so in a consistent way, rather than each hacking something into their own Android builds which may break other things in the process. Of course, this is about the most charitable possible interpretation of Google's move...

Aha, so this is why I was not able to tether with my current provider, even though it worked perfectly before!

The funny thing, is that the provider does not seem to know why this is happening (low cost, crappy provider). They are not trying to stop tethering, but they told me on the phone, they were trying to solve the issue...

I was about to make a blog post about this a while back, but I lacked information. This confirms my suspicion: it is Google once again putting the interests of carriers ahead of their users' interests. Which is very sad.

Google's main interest is neither the carrier nor the user but themselves. That is how it has to be: the law says a company must act in the interest of the shareholder. Personally, I feel that Google would want to make tethering work because then users are online more frequently and that means they see more Google advertising. In this case, then, I suspect they either made a mistake or somebody pushed them to do it this way.

I would also like to report that, using the non-root requiring trick explained at http://vinhboy.com/blog/2013/12/27/how-to-tether-the-nexus-5-on-t-mobile/, I was able to get tethering to work. Finally!

Ah, and there is an android-tools-adb package in Debian, so you don't even need to download the ginormous Android SDK.

Thanks for sharing the hack, have re-blogged here. http://www.demonstech.com/2014/04/tether-your-way-with-android.html