How to Hide Tethering from Your Mobile Operator

TLDR:

1. Use a secure VPN to prevent DPI
2. On your laptop, change packet TTL to 65 (iOS default 64 plus one).

•••

On my recent mountain biking trip to France I accidentally booked an Airbnb without WiFi. Bummer. But hey, 5 minutes of googling and I found a perfect eSim provider that offers unlimited data for only €19/week. Who needs slow DSL-based WiFi in the apartment, when you can have 4G everywhere?

After placing an order and scanning the QR-code landed in my inbox I was up and running in 30 seconds (gosh I love eSim). SpeedTest showed a strong 65 Mbit/s connection. Perfect. The only problem was - the “personal hotspot” mode didn’t work at all. As it turns out (after reading the small grey text at the bottom of their landing page) the operator does not support data sharing on unlimited plans.

Challenge accepted. Let the hacking begin.

How do mobile carriers detect "personal hotspot"?

In short: by deep packet inspection and TCP/IP stack fingerprinting. And sometimes, your iPhone rats on you too.

DPI means looking "inside" a network packet and analysing its content. For example, looking at your browser’s “user-agent” header for non-SSL connections. Or examine the traffic destination - if your “iPhone” suddenly sends requests to "Windows Update" servers, well, then it’s probably not exactly an iPhone, huh?

All these traces can be hidden by using a secure VPN to encrypt the traffic. I installed the free "1.1.1.1" app from Cloudflare, that hides my packets' content, my DNS requests and the destination IPs. All my traffic now goes to a single VPN server in Oslo, Norway.

That didn't work. The laptop still had no internet connectivity, while the phone worked perfectly.

Fine. Let’s check the APN settings assigned by the network. Sometimes it instructs the phone to use a different APN address for tethering. Quick check at "Mobile data - Data plan - Mobile data network" - nope, the APN for “personal hotspot” and “mobile data” were the same.

What should I try next? After 5 minutes of staring at the ceiling I suddenly remembered how ages ago, during my network admin internship days, my supervisor once tought me this trick. "Hey, did you know you can tell which OS a machine is running by sending a simple PING?" If the response says "TTL 128" - it’s Windows, if it says "TTL 64" - it’s Linux.

A-ha! That’s probably how the ISP can see that I'm on Windows.

Seems logical, if the mobile operator can't look "inside" the VPN-encrypted packet, their last resort would be the packet’s "meta" data. Which can reveal the operating system's default TCP/IP settings. And "TTL" (time-to-live) is one of the strongest hints of all. So I edited my laptop’s registry settings, set TTL to 64 - to mimic iOS - sat back and prepared to enjoy my high speed Internet.

Nope. Darn. It must be something else.

OK, but what is TTL - "time-to-live" - exactly? It means how many “hops” a packet can “survive” before being dropped. And every time a packet passes though a router - its TTL is decreased by one. And my iPhone is exactly that - an extra “router” on the packet’s journey. Meaning, once my packets pass though the iPhone hotspot their TTL becomes 63. Bingo. That’s how the provider can tell. My TTL is an odd number.

Setting it to 65 will make it 64 once the packet passes the iPhone. So now my packets are indistinguishable from the iOS “native” traffic.

Aaaa-nd boom! It worked. I'm proudly writing this post using my laptop. Enjoying some Netflix on the background.

Being an IT engineer is like having a cheat code to life.

P.S. Sometimes your iPhone refuses to turn on personal hotspot in the settings, saying it’s operator-disabled, but you can still force-enable it from the control-center.