Tuesday, December 1, 2015

Good Karma, Bad Karma

1/18/2016: Karma has fundamentally changed their Neverstop plan.  Except for minimal usage, it's no longer suitable for home use: Neverstop Changes

1/7/2016: Karma has started throttling without warning. I would hold off signing up until they figure out their service.  Speeds dropped to 1.5Mbps (see comments at the bottom)

A Semi-Organized Brain Dump

On November 5th, a company named Karma announced their new Neverstop cellular data plan.  I'd never heard of Karma, but the announcement was echoed on several tech sites I follow.  Karma had previously offered a pay-as-you-go plan, now called Refuel, but Neverstop promises unlimited data at a capped speed of 5Mbps. Good Karma.  They have their own custom hotspot called Karma Go that has a somewhat unique selling point:  other Karma users can connect to your hotspot and you get a credit: either 100MB of data or $1, depending on your plan (thus, the name 'Karma').  This benefit doesn't interest me, but since my current and only Internet option is 3Mbps DSL from Centurylink, the unlimited 5Mbps made me look at Neverstop closer and sign up.  It took about 2 weeks for the hotspot to ship, then another week in transit.  The day before its scheduled delivery, I found that Amazon Prime has it.

My intent is to basically replace my DSL modem with the Karma hotspot.  Since the hotspot is wifi only, I knew I'd need a wireless bridge from the hotspot to my router's WAN.  I had this hardware already.  Connecting all my devices to the hotspot directly isn't possible since I have many wireless devices and some devices that are wired only.

The Cell Network

Karma is an MVNO that uses Sprint's 4G LTE network with fallback to 3G CDMA.  I've seen people complaining about this due to Sprint's infamous coverage issues, but Karma makes no secret about which network they use.  They have conspicuous links to coverage maps, and the Karma Go hotspot has a 45 day free returns policy.  In my case, I have line-of-sight to a Sprint cell tower about 1 mile from my house, so getting a strong cell signal isn't an issue for me.

Connected Device Limit

The other limit they make apparent is Neverstop only allows you to connect 3 devices at a time to the hotspot. When a fourth device connects, one of the other devices can be disconnected.  This also wasn't a big concern for me since my intention was to use a wireless client bridge to connect my wireless router to the hotspot (more on this below). Then all of my dozen+ devices, wired and wireless, would connect to my wireless router as they do currently.  I'd still be limited to 5Mbps, but Karma's hotspot would only have a single device connected: the wireless bridge. Prior to knowing the additional limitations below, I asked Karma on Facebook if it was possible to connect a wireless bridge. They replied "As for using a WiFi bridge, you technically can, but they don’t work very well in our experience. We extensively tested them in combination with Karma Go but it is more frustrating than helpful." I figured even lackluster performance would still be able to handle 5Mbps. It was worth a try.

The issue I found is that disconnecting devices doesn't seem to work.  When my fourth device attempted to connect, I was given a list of 'connected' devices, each with a 'Pause' button.  The first issue is that the hotspot only had 1 active wifi connection; the other devices listed were not actually connected.  Even worse, the 'Pause' button doesn't work: the page seems to reload, but the same devices are still listed and my fourth device still can't connect in place of another device.  So, I'm currently unable to connect another device to the hotspot.  I've emailed Karma support but haven't found a solution. (Update: After several days, they remotely cleared all the sessions/MACs from my hotspot.)

I typically shouldn't need more than 3 devices connected to the hotspot, but my fourth device is my cell phone, which is needed to run the hotspot's limited administration app and must be connected directly to the hotspot's wifi for full functionality.  The app only allows very limited admin of the hotspot: turn off, restart, and allows the wifi SSID to be changed to 1 of 4 canned names that have combinations of your registered first name and 'Karma' (default: "Karma WiFi").  It shows status info like currently connected devices (which is flakey and updates slowly), the hotspot's battery level, and cell signal level. So, the device limit wouldn't be an issue if it actually worked.

Web Browser Requirement

This limitation surprised me and I didn't discover it until after receiving my hotspot: Devices must have a web browser to connect to the hotspot.  After connecting to the hotspot, devices have to log in to a Karma account to get Internet access.  This isn't really a 'secret', but they don't advertise this like the details above.  It's mentioned if you dive into their full FAQ, but it's not disclosed in their announcement, their sign-up process, the main page, nor their How It Works page, which has an abbreviated FAQ.  Karma states that one of Neverstop's appropriate uses is streaming, which to me suggests the option of a dedicated device like Roku or Chromecast, neither of which have browsers.  I feared this requirement would prevent me using a wireless bridge, despite Karma's Facebook response indicating it was possible.

Unencrypted WiFi

Yeah, wow, a big surprise.  The hotspot's wifi is completely open: no WPA/WPA2.  I haven't found this disclosed in any of Karma's information, other than "Use HTTPS for sensitive stuff".  Most of the warnings about using public wifi at coffee shops, hotels, airports, etc apply here:  unencrypted wireless signals can be captured and viewed by evil-doers.  When I contacted Karma about this, they explained that the lack of encryption is needed to allow their hotspot sharing and that I should use HTTPS to access sensitive sites.  No thank you.  Even if a site does it correctly, HTTPS will hide passwords, but the site I'm connecting to (bank.com, etc) will still be visible.  Also, I'm not sure someone 'sniffing' the wireless connection during the HTTPS connection negotiation couldn't still do something nefarious.  Regardless, I find this irresponsible, at best.  I don't plan on travelling with the hotspot, so someone would have to be near my house to sniff my connection.  There is a workaround though: VPN.  This probably isn't for inexperienced users. It will be an additional charge from a VPN provider, and your connected device has to support it. However, it's an option to encrypt communications through the hotspot.  I don't have experience with this type of VPN, but I've found a couple of providers with local VPN servers that I will probably try.  My hope is that I can get something in the $5 / month range without impacting my connection speeds.  Fortunately, my router (ASUS RT-N66U Merlin firmware) has support for several types of VPNs, including OpenVPN, so this should be transparent to my network devices.  Karma's marketing spiel on their website makes a big deal about transparency, no fine print, and no asterisks.  They follow this for the network coverage and device limit, but fail on what I consider big ones: limits on types of wifi devices (web browser) and this complete lack of encryption. Bad Karma. (Update: more reasons HTTPS isn't always safe)

Gory Details

After a bit of experimentation, I have some idea of how it works.  It's not made apparent, but as is standard with routers, the hotspot uses MAC addresses to track connected devices, aka MAC filters.  When a new device connects, its initial web access gets redirected to hotspot.yourkarma.com, which resolves to IP -- the local IP of the hotspot itself.  After logging in with your Karma account credentials, your device's MAC is 'registered' on the hotspot. Also, your device then shows up in Karma's mobile app as a connected device with the name "Your [description]".  I'm fairly sure the description is being scraped from the HTTP user-agent header when connecting to hotspot.yourkarma.com.  For example, my Windows laptop is "Your Windows". My cell phone is "Your LG D800".  These terms appear in the device's user agent strings.  You can see what your browser is sending here.  The fun part is that the user agent strings can be modified with browser add-ons, more on that below.  I've not found any way of removing a MAC from the hotspot's list, or even viewing the list of saved devices.

My primary router is an ASUS RT-N66U running Merlin firmware.  For a wireless client bridge, I'm using an old router, a Linksys WRT54GL with Tomato firmware, configured to run as a wireless client bridge instead of a wireless router.  I think most wireless routers may support this mode, especially since there's no wifi security. It doesn't seem to impact performance, but note there are 3 levels of NAT:  the hotspot, the Linksys, and the ASUS.  It works despite feeling dirty; a future to-do.

I bypassed the web browser requirement by 'registering' my wireless client bridge (the Linksys) prior to connecting it to my primary router.  I connected my laptop to the Linksys router via an ethernet cable to configure its wireless client mode and connect it to the Karma WiFi.  With my laptop still connected via a cable, I could then go to hotspot.yourkarma.com with my laptop web browser and log in to my Karma account.  The hotspot saw the MAC of the connected wireless client bridge, so that's what it registered.  Per above, I also changed the browser's user agent string to have the model number of the router, "WRT54GL" in place of "Windows", but the registered device description shows up as "Your Compute" (sic).  This was the second wireless client bridge I'd registered (I'd used a different older router first, don't judge) but I hadn't changed the user agent the first time; it showed as "Your Windows".  I initially suspected they may have a dictionary of common device names, like "Windows", but I can't imagine they would have every cell phone model, like the "LG D800" that was displayed for mine. Oh well.

After logging in to my Karma account on the laptop via the wireless client bridge, I then simply unplugged the ethernet cable from the laptop and plugged it into the WAN port of my primary router in place of the DSL modem.  No configuration changes to my primary router were necessary. It pulled a DHCP IP from the wireless client bridge, and Bob's your uncle.

So, what about browser-less devices that already have wifi, like a Roku or Chromecast?  I haven't tried this, but it should work in theory: spoof the device's wireless MAC address on a device that has a browser.  This is for advanced users, obviously, and not all wireless devices allow MAC addresses to be changed.  My Windows laptop allows the wired MAC to be changed, but is finicky about the wireless MAC generally.  I think this depends somewhat on the Windows version.  Google is your friend.  Linux is probably an easier option if you have it, even if it's a desktop with a cheap USB wireless dongle.  Or, a Linux virtual machine with network bridging on a Windows machine that has wireless.  Changing the wireless MAC on a wireless client bridge may also be an option, especially if it has custom firmware.  MAC spoofing is usually an option on the router WAN port, but I'm not sure on the wireless interface.  Just be sure to change the MAC back to the default so that it doesn't collide with the MAC of whatever device you're spoofing. As I said, not for the faint of heart. (Clarification: Note that MAC address spoofing is only needed if you're connecting a browser-less device directly to the hotspot.  I did not do that, so I did not have to spoof MACs)


My setup has been running for less than 24 hours, so total system performance experience is limited.  My speed tests didn't seem to suffer when connected to the primary router vs the hotspot directly. It's only 5Mbps, so I wouldn't expect it to.  Best case average over the past few days with speedtest.net is probably around 70ms ping time, 4.8 - 4.9 Mbps down and 4.9 Mbps up.  The speed limit appears definitely artificial, because it will bounce well above 5Mbps for very brief periods during a speed test, especially during upload tests.  The speed tests aren't consistent though, so no decision if this is a worthy replacement for 3Mbps DSL.  Netflix performance will probably be the ultimate decider.

Exercise for the Reader

Per above, the hotspot is wifi only; there's no wired network port.  I'm curious if the chipset that the hotspot uses supports a wired connection.  The FCC ID is P46-MXL655.  There are internal photos of the device but I can't make out the part numbers on the ICs.  Maybe someone more familiar with FCC filings knows how to track down this info. Or, someone is willing to open the device and take good photos.  Ideally, an ethernet port could be added to the hotspot to eliminate the need for the wireless client bridge.

Update 12/30/2015:  Karma has performed very well.  It's now my sole Internet provider for my home.  Netflix has worked well, consistently streaming at least 720 (which, to be fair, I got with Centurylink DSL also).


  1. Thanks for the detailed write-up. It let me know what to expect when my Karma hotspot arrived, so I wasn't thrown by its quirks. So far it's working as advertised. (fingers crossed)

  2. I also have Centurylink DSL (3mbs). Having used this for about a month now, do you feel it could replace it? I'm desperate for a solution. My tethered PHONE is faster than my home internet most of the time. Thanks!

    1. If you can get a good Sprint cell signal, then certainly yes. Karma has performed great and I've cancelled Centurylink. Netflix streaming is my most demanding usage and it's handled it flawlessly.

  3. Thanks for this post! I've moved out to a rural location and Karma Go is looking like a great option for me...on devices with a browser. Coming from a great cable connection where I had many different types of IOT devices connected, this 3 device thing is cramping my style. I bought a TP-Link that ought to work as a bridge. But I think I'm missing something. Any way you could lend some help? I'd love to set up a Google Hangout or something so you could see what I'm dealing with. I'm willing to pay if you can help me set this up.


    1. Do you have a wireless router (not the TP-Link bridge) that all of your devices, wired and wireless, will connect to? The client bridge just connects the Karma hotspot to the wireless router.

    2. I have an Apple Time Capsule and an Apple Extreme from my old configuration. I intend to bridge the connection from the TP-Link to the Time Capsule and then extend the network to the Extreme, unless that proves to be a problem, in which case I will not extend it further than the Time Capsule.

    3. If I understand correctly, the Time Capsule would connect via ethernet cable from its WAN port to a LAN port on the TP-Link. The Karma Hotspot has IP, so I'd give the TP-Link an IP like and config its DHCP to assign a range like - The Extreme would connect to and extend the Time Capsule. The Time Capsule should use IPs like 192.168.3.*, similar to the TP-Link, just a different subnet. There's lots of ways to do it, but that would be similar to my setup.

  4. I just purchased a Karma with the Neverstop plan & have been testing it to see if the 'unlimited 5Mbps' is legit. For the first couple of days it was properly throttled to just under the 5Mbps. However, for the past day it has now throttled to a very obvious 1.5Mbps, even at the most non-peak demand hours. I don't know if this is Sprint's 'de-prioritization' at work as it seems to have throttled down to 1.5Mbps after around 22Gb, but it's worse than de-prioritizing, it's an obvious throttle regardless of network demand (it's throttling to 1.5Mbps whether it's 7pm or 3am).

    1. That's very interesting; The same thing has happened to me. My speed tests have maxed out at about 1.45M up and down. Ping times don't seem affected. I opened a ticket with Karma last night.

    2. I emailed last night, no response yet. Just tested today & now it's 2.35Mbps. I will be continuing to track this closely, I didn't buy a device advertised & touted 100 different ways as 'truly unlimited service at 5Mbps' to be throttled at 1.5Mbps. In poor reception or unusually heavy traffic areas is one thing, but my reception is excellent & I was throttled even in the least demanding hours of the day.

    3. Yeah, I don't feel this is intentional throttling, but slow speeds are slow speeds, regardless. I haven't gotten a response yet, either. They only have 3 people doing customer support, so slow responses will be an issue.

    4. BTW, what region of the country are you in? (seeing if it's a metro or regional issue)

    5. Average sized city in great plains

    6. Just noticed your previous response - I would call it intentional throttling, whether that is from Karma or Sprint. Bandwidth was very distinctly being capped around 1.43Mbps with no fluctuations even at the most non-peak of hours - at least that is how I would define throttling. Today it has been throttled to a steady 2.35Mbps. Network demand would show continuous fluctuations in bandwidth.

      What is your speed at now?

    7. I just got a response from Karma. Not good at all. It appears they're throttling:

      To make sure that Neverstop continues to work seamlessly for as many people as possible, we have to make some changes to the service. We began running tests to optimize the service, including lowering speeds. Our engineers are working hard to find the right balance of always accessible worry-free internet, at a fair price, so you'll likely see speeds change over the next few days while we try to fine-tune that balance.

      We will continue to get you online so you can do what’s most important to you when on-the-go: things like email, streaming, and browsing. But, we need to reduce the extreme usage cases. If you find that Neverstop doesn’t fit your needs, use our mobile apps to switch to Refuel, or head here for a refund.

      Let me know if you have any additional questions or concerns.


      Erin Ambrose

    8. I just received the same canned response, as well as an email from Karma with the same comments plus others.

      I'm pissed that I'm even discussing compromise after the weasels are already changing the terms within my first week of receiving a product that I committed over $300 into. I would hope that we can at least get our originally promised 5Mbps during non-peak hours & something in the 1.5-3Mbps range if they are going to be throttling us.

    9. I could settle for 3Mbps, but 1.5 is unacceptable. They did this with no warning after being adamant on their site that there were no data limits, I'm not sure I can forgive that.

    10. Isn't there a reason they are called "Karma"? I wonder what they consider "extreme cases." So far in 7 days, I have used 5 GB. That better not be considered extreme.

  5. I'm up to about 2.3Mbps. Given the sudden and drastic throttling, I suspect Sprint threatened them or sent a really big bill. Karma's gonna know the FCC and FTC really well.

  6. I agree 3Mbps would be much more reasonable than 1.5Mbps, I was thinking 1.5Mbps as only a worst case if they choose to throttle during high congestion. Hoping for them to find a way to at least maintain 5Mbps during non-peak hours and something near 3Mbps during peak hours as a compromise. The whole thing pisses me off, as customers we accepted 5Mbps as a reasonable tradeoff for unlimited usage in a time where 10, 20, 40Mbps+ speeds now exist on networks. Karma needs to be careful how they handle this or their reputation will be rightfully trashed.

  7. As you've probably seen, they are now claiming '2-3Mbps'. For the first day, I was getting about 1.91Mbps. Today, at least for the last few hours, I'm getting 1.67Mbps (these are flat capped numbers BTW, not 1.67 one minute & 1.9 the next, flat 1.67Mbps).

    First, will we ever even see this '3' part of the '2-3mbps'? Second, I'm not even getting 2 at this point. This is rapidly slipping into crap.

    1. That's what I'm getting also. Their web site has been updated with "2 - 3 Mbps" and "Occasional Streaming".