A team at the University of Michigan and Microsoft Research has uncovered, for the first time, the frequently suboptimal network practices of more than 100 cellular carriers.

By recruiting almost 400 volunteers to run an app on their phones that probes a carrier’s networks, the team discovered, for example, that one of the four major U.S. carriers is slowing its network performance by up to 50 percent. They also found carrier policies that drained users’ phone batteries at an accelerated rate, and security vulnerabilities that could leave devices open to complete takeover by hackers.

For decades, researchers have studied “middleboxes”—the network hardware that Internet service providers (ISPs) use to ferry packets of data from one endpoint to another. But the current work, by Zhaoguang Wang of the University of Michigan and colleagues, titled An Untold Story of Middleboxes in Cellular Networks, is the first significant attempt to apply this kind of research to cellular networks worldwide.

To gather data on so many networks, the researchers released their testing tool, NetPiculet, on the Android app marketplace. Volunteers downloaded the app, which ran a series of tests and sent the results back to the engineers who created it. It’s not the first time researchers have relied on everyday users to help gather data, but it’s one of the most elaborate testing suites ever used in an experiment of this kind. “We released NetPiculet on the Android Market in January 2011 and attracted 393 unique mobile users within merely two weeks,” says Z. Morley Mao, one of the University of Michigan researchers who participated in the work.

One of the first things the researchers discovered was the apparent handicap on network speed imposed by a major U.S. carrier. (For legal reasons, the team anonymized its data.) Surprisingly, packets of data sent across this network are buffered by the carrier itself. This means that when a packet of data fails to make it to its destination—a common occurrence on noisy wireless networks—it cannot be instantly retransmitted, as it would normally be on the Internet. Instead, the sending device must wait a long time—on the order of seconds—for a time-out to alert it to the failure.

On a one-megabyte download, this slows transmission rates by up to 50 percent, the researchers report. The team suspects that the carrier is doing this buffering so it can perform deep packet inspection on the data sent through its network, says Microsoft Research engineer Ming Zhang, who contributed to the paper. This would mean that the carrier is actually reconstructing the data it transmits, possibly for examination for malicious code. Zhang cautions, however, that the team found no direct evidence that the carrier is doing this inspection; it’s merely the most logical explanation.

Other carriers, all of them outside the U.S., proved to have significant security vulnerabilities in their networks. The most insecure network allowed “IP spoofing,” in which an attacker disguises his own device’s network address as the address of another device. This allows the attacker to both send illicit data to a user’s mobile device and to download data under that IP address.

A second, less severe vulnerability on some networks allows malicious websites to entrap users. Normally, a user can simply close a browser that appears to have landed on a piece of malware, but in some networks a time lag between when a TCP connection is closed on a device (instantly) and on the network (a delay of 20 to 30 seconds) could allow an attacker to keep that connection open indefinitely. This could enable battery-draining attacks in which, for example, a hacker continually streams data to a device.

Eleven of the carriers tested had implemented policies that could drain the batteries of a user’s phone up to 10 percent faster than usual. Many devices must keep TCP (network) connections open for long periods of time to make e-mail and other “push notifications” work. Mobile ISPs that time out these connections too quickly—say, every 10 minutes versus every half-hour—force devices to power up their radios more often, to reestablish a connection.

Ratul Mahajan, a Microsoft Research researcher who was not involved with the paper, contends that this network behavior might be deliberate. Long time-outs, although good for phone batteries, can exhaust the network address translation table that a network middlebox uses to keep all those connections active, he says.

Hossein Falaki, a doctoral student at UCLA, says some of the findings in the paper are probably going to be new even to cellular carriers. This could result in carriers changing their network policies, and the implications of such changes aren’t always clear until they have been tested in the wild.