The highest overcharge was for 7.2% more data charged for than used. That overcharge resulted from a user watching YouTube videos on a train that traveled through a long tunnel that lacked cellular signals.
Seven university students conducted field tests.
The researchers also conducted laboratory tests of five applications run over wireless networks, ranging from Web browsing to Skype to YouTube to video streaming over VPN tunnels.
Peng said in an interview that the charging practices of carriers "works correctly in most cases, while in extreme cases, the gap [between data sent and data received by an end user] can be big." Hence, the overcharging, she added.
"The 'unfair' charge happens to mobile users in extreme cases such as during video streaming while the link is suddenly broken," Peng said.
Peng said that she believes customers should be charged for data actually received on a smartphone or tablet, even though carriers must pay to send data that only goes part-way to a recipient.
An electricity or water bill is based on how much electricity or water is "actually used at my house, not the amount sent from the power or water supplier," she noted as a comparison. "Operators have a big investment in the core infrastructure and who should pay for the efforts for data transmission is worth exploring further."
To gain free access to wireless data networks, the researchers took advantage of an existing free Domain Name System service that transmits DNS data (for coordinating Internet servers globally) via transport-layer port number 53.
"There is almost no enforcement mechanism to ensure that the packets going through this port are indeed DNS messages," the study said. "Even worse, no effective mechanism exists to limit traffic volume going through this port."
To accomplish the hack, the UCLA team built a simple prototype proxy server to offer data services, such as file downloads or video streaming, to relay data over the free transport-layer port, similar to calling an 800 voice line, but for data.
Data packets were encapsulated as DNS messages, which traversed the 3G networks of both carriers free of charge, the researchers found. The researchers argued in a footnote that the data wasn't stolen because they had an unlimited data plans from the carriers involved.
The researchers ran several scenarios more than 10 times apiece at a data rate from 100 Kbps to 1 Mbps and obtained a total of 200 MB of free data, in all, with the hack.
"We don't think it is difficult to take advantage of the free data through DNS approach," Peng said in an email exchange with Computerworld. "It does require some basic networking knowledge."