Intro to SHAKEN/STIR

What if we had TLS
for phone numbers?
An introduction to SHAKEN/STIR
Kelley Robinson
Account Security Team, Twilio
@kelleyrobinson
© 2019 TWILIO INC. ALL RIGHTS RESERVED.

@kelleyrobinson

54.6B
US SPAM CALLS IN 2019
GREW 108% SINCE 2018
@kelleyrobinson https://www.businesswire.com/news/home/20191213005058/en/Spam-Calls-Grew-108-2019-Anti-Robocall-Bill

What if we had TLS
for phone numbers?
An introduction to SHAKEN/STIR

TABLE OF CONTENTS
1. Telephony "security"
2. SHAKEN/STIR explained
3. Regulation & Limitations
4. What will happen next?

TELEPHONY "SECURITY"

Telephony 30 Years Ago
AMERITECH
AT&T US WEST
NYNEX
Business Customer

Telephony Today
AMERITECH
AT&T
US WEST
NYNEX
U
U
U
U
U
U
U
U
U U
U
U
U
U
U
CustomerBusiness

Acronym Hell
PSTN - Public Switched Telephone Network. Global
interconnected telephony.
VoIP - Voice over IP. Internet-connected telephony.
SIP - Session Initiation Protocol. Standard used to manage
VoIP calling.
PBX - Private Branch eXchange. Private enterprise network.
@kelleyrobinson

☎ Phun Phact
The word "Hello" has only been around since 1827.
Thomas Edison popularized the greeting and urged
people to say "hello" when answering his phone.
Source: What is Ahoy?

THE PROBLEM:
UNWANTED ROBOCALLS

📈 Robocall spam & spoofing
• Automated dialing is cheap
• A lot of access points to the PSTN
• Easy to spoof "From" number
@kelleyrobinson

@kelleyrobinson
Legitimate use cases for masking phone numbers
Doctor calls from personal #
displays office number
Business calls from
contact center
displays toll-free callback

2009 Truth in Caller ID Act
• Spoofing is illegal if there is "intent to defraud, cause
harm or wrongly obtain anything of value"
• Difficult to enforce
@kelleyrobinson

☎ Phun Phact
Alexander Graham Bell campaigned to use
"Ahoy-hoy" as the standard telephone greeting
Source: What is Ahoy?

WHAT IS SHAKEN/STIR?

SHAKEN - Signature-based Handling of
Asserted information using toKENs
STIR - Secure Telephony Identity Revisited
@kelleyrobinson

SHAKEN - Signature-based Handling of
Asserted information using toKENs
STIR - Secure Telephony Identity Revisited
LEMON-TWIST - LEveraging MOdels for
Enterprise dialiNg - Tnauth list With an
enterprise Identity Secured Token
@kelleyrobinson
😱

Calls would have their caller ID
“signed” as legitimate by originating
carriers and validated by other carriers
before reaching consumers.
SHAKEN/STIR defined | FCC.gov

Borrowing from other
web authentication
• Public Key Infrastructure (PKI)
• Certificates
• JSON Web Tokens (JWT)
• Similar to email's DKIM/DMARC
@kelleyrobinson

📲Caller
Originating
Service Provider
Other
Service Providers
Terminating
Service Provider
🔒Signing Service
✅Verification Service
📳Callee
🏛Certificate
Authorities
SHAKEN/STIR
signing and verification

Certificate authorities
• Approved by the STI-GA (Secure Telephone Identity
Governance Authority)
• Managed by ATIS (Alliance for Telecommunications
Industry Solutions)
@kelleyrobinson

SIP IDENTITY HEADER

INVITE sip:14151234567@twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: "Alice" sip:14155555555@5.6.7.8:5060;tag=123456789
To: "Bob" sip:14155550101@1.2.3.4:5060
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
@kelleyrobinson

To: "Bob" sip:14155550101@1.2.3.4:5060
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
Identity: eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc
3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVz
dGNlcnQuY3J0In0=.eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NT
U1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1N
TU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUy
MTI1NCJ9.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-
dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg;info=https://
certificates.twilio.com/testcert.crt;alg=ES256;ppt=shaken
@kelleyrobinson

MTI1NCJ9.
To: "Bob" sip:14155550101@1.2.3.4:5060
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
{
"attest": "A", " Attestation Level
"dest": {"tn":["14155550101"]}, " Destination Phone #
"iat": 1548859982,
"orig": {"tn":"14155550171"}, " Origination Phone #
"origid": "a17afcb5-2965-4837-a9e6-0e6b3f521254"
} " Orig. Customer ID
@kelleyrobinson

Attestation Levels
I know this
customer
and they
can use
the calling
number
A
✅
I know the
customer
but I don't
know the
calling
number
B
🤷
I don't
know the
customer
but I know
where this
call came
from
C
🤔

]
To: "Bob" sip:14155550101@1.2.3.4:5060
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
- cryptographic signature
- certificate URL
- algorithm
- passport type
@kelleyrobinson

ENFORCEMENT

TRACED Act
• Signed into law 2019-12-30
• Allows $10,000 fine for offenders
• Requires telecom companies to implement call
authentication in the next 18 months
(Telephone Robocall Abuse Criminal Enforcement Deterrence)
@kelleyrobinson

• VOIP: Implement STIR/SHAKEN
• Non VOIP: "Reasonable measures to implement an effective call authentication framework"
TRACED Act
Authentication Requirements
@kelleyrobinson

☎ Phun Phact
Not every 555 number is fake. Only 555-0100
through 555-0199 are specifically reserved for
fictional use.
Source: TV Tropes

LIMITATIONS OF SHAKEN/STIR

"The phone network is an
ungodly beast."
- Randy Weinberger, curmudgeon, telecom expert

Part of the ungodly beast:
Time-division multiplexing (TDM)
• Physical switches used by the PSTN
• TRACED Act explicitly acknowledges TDM as a potential
burden to SHAKEN/STIR rollout
@kelleyrobinson

The long tail of service providers
• 4000 service providers in the US alone
• Requires significant investment to comply
@kelleyrobinson

And what about...
• Disconnected and reassigned phone numbers?
• International numbers and calls?
• Text messages?
@kelleyrobinson

☎ Phun Phact
Phone calls from The New York Times showed up
as (111) 111-1111 until 2011. They now use a (212)
number you can actually call back.
Source: NYTimes

WHAT HAPPENS NEXT?

Ongoing legislation
• FCC gave telcos authority to block unwanted robocalls
without explicit subscriber permission
• TRACED Act enforcement will begin at the end of 2020
@kelleyrobinson

Motivations driving implementation
• Consumer pressure to decrease robocalls
• Business pressure to increase answered calls
@kelleyrobinson

APPLICATION SECURITY
PROTECTIONS TODAY

Mitigate damage from unwanted
inbound calls
• Protect your numbers from web scraping bots
• Don't assign sequential phone numbers to your employees
• Challenge suspicious callers with a voice CAPTCHA
• Use actual authentication in your call centers
• Install the FCC blacklist DB on your PBX
@kelleyrobinson

Apps for spam detection
• Nomorobo, Robokiller, Call App, etc.
• AT&T partnership with Hiya
@kelleyrobinson

Telephony is complicated.

SHAKEN/STIR won't fix everything.

SHAKEN/STIR won't fix everything.
But it will help rebuilt trust in telephony.

Intro to SHAKEN/STIR

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Intro to SHAKEN/STIR

Similar to Intro to SHAKEN/STIR (20)

More from Kelley Robinson

More from Kelley Robinson (20)

Recently uploaded

Recently uploaded (20)

Intro to SHAKEN/STIR