@briankrebs There is a great FOSS tool for detecting such tethering setups on the carrier side: https://en.m.wikipedia.org/wiki/P0f
We used it many years ago to detect freeloaders on a dormitory network which had a per-user monthly fee. :)
I am mentioning it here so that those interested can look at some of the more advanced techniques for passive OS fingerprinting, by examining p0f's source code.