A recent study by four UCLA computer science researchers documents what some wireless data customers have long suspected -- that users can be charged for wireless data they never received.
In the most extreme case of overcharging, an unnamed carrier charged the researchers for 450 MB of data that they didn't receive.
In the study (download PDF), the researchers also describe their hacking into Domain Name System servers at two unnamed wireless carriers to be able to send data at no cost.
The researchers said they transferred 200 MB from an Android device for free by using the DNS hack, and added that they could have sent as much as they wanted.
The study team was headed by UCLA computer science doctoral candidate Chunyi Peng.
In both the cases of overcharging and undercharging, the study concluded that "the root causes lie in lack of both coordination between the [carrier] charging system and the end device, and prudent policy enforcement by certain operators."
The UCLA team published a 12-page paper on the study in August. Team leader Peng presented the paper at MobiCom '12 in late August in Istanbul, Turkey.
The study didn't assess how widespread the overcharging is across entire networks.
The authors recommended that carriers make changes in network architectures to take account of data usage feedback from end user devices, and make policies ensuring that only data used is charged for.
The study noted that Cisco has proposed a form of overcharging protection.
The researchers also called for further study of the issue by the research community, noting that the data charging system used by U.S. wireless carriers "mostly works as a black box for users. Users do have questions and concerns."
One question on the minds of many customers is how to determine whether a carrier's bill overcharges for data access not received, the researchers noted.
The study looked at two unnamed U.S. wireless carriers with 3G networks, and separately compared a third U.S. carrier with two others in China and Taiwan.
The team said the results are also applicable to 4G networks such as LTE.
The tests were conducted using a free app from Google Play called TrafficMonitor to log data usage, along with a custom tool built by the UCLA team.
In terms of overcharging, the study found that accounting standards of carriers do not take feedback from end user devices. Data packets can be lost in a cellular network, and can be counted as being sent by the carrier even if it was never received by the user device, the study said.
The highest overcharge was for 7.2% more data charged for than used. That overcharge resulted from a user watching YouTube videos on a train that traveled through a long tunnel that lacked cellular signals.
Seven university students conducted field tests.
The researchers also conducted laboratory tests of five applications run over wireless networks, ranging from Web browsing to Skype to YouTube to video streaming over VPN tunnels.
Peng said in an interview that the charging practices of carriers "works correctly in most cases, while in extreme cases, the gap [between data sent and data received by an end user] can be big." Hence, the overcharging, she added.
"The 'unfair' charge happens to mobile users in extreme cases such as during video streaming while the link is suddenly broken," Peng said.
Peng said that she believes customers should be charged for data actually received on a smartphone or tablet, even though carriers must pay to send data that only goes part-way to a recipient.
An electricity or water bill is based on how much electricity or water is "actually used at my house, not the amount sent from the power or water supplier," she noted as a comparison. "Operators have a big investment in the core infrastructure and who should pay for the efforts for data transmission is worth exploring further."
To gain free access to wireless data networks, the researchers took advantage of an existing free Domain Name System service that transmits DNS data (for coordinating Internet servers globally) via transport-layer port number 53.
"There is almost no enforcement mechanism to ensure that the packets going through this port are indeed DNS messages," the study said. "Even worse, no effective mechanism exists to limit traffic volume going through this port."
To accomplish the hack, the UCLA team built a simple prototype proxy server to offer data services, such as file downloads or video streaming, to relay data over the free transport-layer port, similar to calling an 800 voice line, but for data.
Data packets were encapsulated as DNS messages, which traversed the 3G networks of both carriers free of charge, the researchers found. The researchers argued in a footnote that the data wasn't stolen because they had an unlimited data plans from the carriers involved.
The researchers ran several scenarios more than 10 times apiece at a data rate from 100 Kbps to 1 Mbps and obtained a total of 200 MB of free data, in all, with the hack.
"We don't think it is difficult to take advantage of the free data through DNS approach," Peng said in an email exchange with Computerworld. "It does require some basic networking knowledge."
She said there are applications available in Google Play to help configure a proxy for the hack, but didn't elaborate.
Peng asserted it would be "very easy" for wireless carriers to fix the loophole that makes the hack possible by simply taking away free DNS service. "There is no strict enforcement to verify if all the data are real DNS messages," she said.
The data overcharging claims in the study are timely because both Verizon Wireless and AT&T recently instituted data sharing plans that impose several tiers of shared data with a monthly cost. Both plans have an overcharge fee of $15 a gigabyte over the monthly limit.
Asked to comment on the study, a Verizon spokesman said the study appears to have examined only carriers using GSM networks, not CDMA, such as Verizon.
Verizon did not participate in the study, the spokesman said.
"I can tell you that Verizon Wireless is vigilant in these matters [raised in the study]," said Verizon spokesman Tom Pica. "We regularly monitor and audit our billing systems to ensure fairness and accuracy."
AT&T, which runs a 3G GSM network and is building a 4G LTE network, declined to comment on the study.
The CTIA wireless association, which represents all the major carriers in the U.S. and some from abroad did not respond to a request for comment.
Sprint, the nation's third largest carrier, touted its unlimited data plans for its wireless customers on the Sprint network in response to the UCLA study.
Data pricing from Sprint's competitors "is already complex, driving customer worries about incurring data overage," a Sprint spokesman said. Using unlimited data on the Sprint network "eliminates the worry of any data overage charges."
Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen, or subscribe to Matt's RSS feed . His e-mail address is email@example.com.