The TTL (time-to-live) field of outgoing packets is one of the ways to detect when someone has another device behind the connected device (phone). The traffic from this device has an extra hop to go through, so TTL of every TCP packet will be decreased by one, compared to packets originating from the phone, when it reaches the ISP.
This, together with the fact that default TTL different OSes set for packets they send is well known, and virtually no user ever changes these defaults, means that if the ISP detects different packets with TTL for example 64 and 63 coming from you, you very likely have something tethered to your phone.
There are tools like https://github.com/p0f/p0f (it does much more, than just this, though) to make exploiting this technique easy. I remember we used p0f to detect unauthorized connection sharing in a certain university dorm network, and caught quite a few people.
