Abstract:
Securing existing legacy device traffic is a necessity when the assumptions used in device security design no longer hold. In this paper we propose a layer 2 tunnel over TLS for legacy device traffic, which is lightweight, generic, and extensible. We then look at one of the threats that the tunnel does not initially address – namely inference attacks on the encrypted tunnel traffic. Inferring device behavior can be an attack by itself as well as a first step for other attacks. Using a legacy commercial, multi-node, embedded system that is aimed at life safety, we show that it is possible to infer legacy device behavior even if the device traffic is encrypted, as is the case with the tunnel. This example shows that simply wrapping legacy traffic with a secure communication protocol does not prevent inference attacks. To illustrate how these attacks can be mitigated, we then introduce padding and dummy traffic on the TLS tunnel, which, as intended, lowers the ability of an eavesdropper to infer legacy device behavior. This is true even if the eavesdropper retrains its model with padding and dummy traffic.
Published in: 2021 5th Cyber Security in Networking Conference (CSNet)
Date of Conference: 12-14 October 2021
Date Added to IEEE Xplore: 23 November 2021
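An added illustration of the padding and dummy-traffic mitigation the abstract describes; it is not the paper's implementation. It compares what a passive observer sees for two device behaviours before and after shaping. The slot length, frame size, overhead constant and sample frames are assumptions constructed for this example.

```python
import struct
from collections import deque

OVERHEAD = 29  # assumed constant per-record encryption overhead (illustrative value)

def observe(frames):
    """What a passive eavesdropper sees on an encrypted tunnel: time and size only."""
    return [(t, len(p) + OVERHEAD) for t, p in frames]

def shape(frames, slot_ms=100, frame_len=64, duration_ms=1000):
    """Emit exactly one frame_len-byte frame per slot, real or dummy.

    The returned frames are the plaintext handed to the tunnel for encryption,
    so the length prefix and padding are hidden from the observer.
    """
    queue, pending, out = deque(sorted(frames)), deque(), []
    for t in range(0, duration_ms, slot_ms):
        while queue and queue[0][0] <= t:          # frames that arrived by this slot
            pending.append(queue.popleft()[1])
        payload = pending.popleft() if pending else b""   # empty payload = dummy
        if len(payload) > frame_len - 2:
            raise ValueError("payload exceeds slot; fragmentation not handled here")
        body = struct.pack("!H", len(payload)) + payload  # 2-byte real length
        out.append((t, body.ljust(frame_len, b"\x00")))   # pad to fixed size
    if queue or pending:
        raise ValueError("traffic exceeds the shaped rate for this window")
    return out

def unshape(shaped):
    """Receiver side: strip padding and drop dummy frames (length 0)."""
    real = []
    for _, frame in shaped:
        (n,) = struct.unpack("!H", frame[:2])
        if n:
            real.append(frame[2:2 + n])
    return real

# Constructed sample traffic: (time in ms, legacy payload)
IDLE = [(0, b"HB"), (500, b"HB")]
ALARM = [(0, b"HB"), (210, b"ALARM zone=3 state=1"), (220, b"ACK?"), (500, b"HB")]

if __name__ == "__main__":
    print("unshaped traces differ:", observe(IDLE) != observe(ALARM))
    print("shaped traces identical:", observe(shape(IDLE)) == observe(shape(ALARM)))
```

The cost is visible in the shaped ALARM trace: the alarm frame that arrived at 210 ms leaves in the 300 ms slot, so constant-rate shaping trades added latency and bandwidth for a uniform trace.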