STIR/SHAKEN
STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world.
STIR, short for Secure Telephony Identity Revisited, has been defined as a series of RFC standards documents by a Working Group of the Internet Engineering Task Force. It works by adding a digital certificate to the Session Initiation Protocol information used to initiate and route calls in VoIP systems. The first public connection on the system, typically the VoIP service provider, examines the caller ID and compares it to a known list of IDs they provide to that customer. The provider then attaches an encrypted certificate to the SIP header with the service provider's identity and a trust value. VoIP software on the receiving end can check the authenticity of the message by decrypting STIR using the provider's public key.
For non-VoIP systems, like cell phones and landlines, call routing information is carried by SS7. In these cases, the SIP header is not directly useful as it cannot be sent to users unless they are on a VoIP connection. This is the purpose of the SHAKEN system, short for Signature-based Handling of Asserted information using toKENs. SHAKEN is a suite of guidelines for public switched telephone networks that indicate how to deal with calls that have incorrect or missing STIR information. This may be in the form of additional information in the CNAM information of caller ID indicating the number has been spoofed, but the details have not been finalized.
As of 2019, SHAKEN/STIR is a major ongoing effort in the United States, which is suffering an "epidemic" of robocalls.[1] Both the Canadian Radio-television and Telecommunications Commission and the Federal Communications Commission are requiring use of the protocols by June 30, 2021.[2][3]
The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred." STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym.”[4]
Background
Caller ID
The idea of sending the phone number to the customer for identification purposes dates to 1968, when Ted Paraskevakos introduced the idea of modem-like devices that would send and receive the information over normal voice lines. It sent a small burst of information using the 1200 bit/s Bell 202 modulation in the time between the first and second rings. The concept was developed through the 1970s and had its first public trial with Bell Atlantic in 1984 and a follow-up in 1987.[5]
The system was widespread in the United States and Canada by the mid-1990s, and spread to most other countries by the end of the decade. It soon became an indispensable system allowing customers to screen calls from telemarketers. Marketers often provided alternative numbers in the caller ID so returned calls went to an inbound call center instead of the telemarketing firm where the call originated. Unscrupulous users began using this concept, which became known as "spoofing", to hide the true origins of the call to prevent callbacks.[5] This became so common that the Federal Trade Commission (FTC) was given the mandate to sue companies that provided false caller ID information.[6]
VoIP and SIP
The introduction of voice-over-IP (VoIP) systems allowed users to place calls to other users directly through the internet without ever using the public telephone network. Initially, these systems were proprietary, but over time a series of proposals created the Session Initiation Protocol (SIP), a messaging protocol that contained the information needed to set up a VoIP call between two endpoints. SIP borrowed from existing protocols, including the use of simple headers like "From:" in a format similar to the SMTP email system. SIP requests are sent to proxy servers that provide access information for end-users to the caller, which is then used to provide a direct connection between the two endpoints.[7]
As the cost of an internet line with enough bandwidth to host a given number of simultaneous calls is much less than leasing that number of telephone lines, there was a strong economic benefit for companies to switch to VoIP as well. From the late 1990s a number of new PBX-like systems emerged that use SIP and VoIP to route calls wherever possible, only exiting to the plain old telephone service (POTS) system when required to call a non-VoIP user. A company with several of these systems in separate offices could forward the call to the one closest to the number being dialed, thereby reducing or eliminating long distance charges.[7]
As these systems became popular, new telephony providers emerged that offered centralized SIP routing, allowing both companies and end-users to use VoIP systems to call the service and then route back out to the POTS. Many of these also allowed incoming calls from conventional phone equipment, providing local or toll-free numbers for the inbound calls. This allowed users to place calls to and from anywhere with local access for a greatly reduced cost by avoiding the telephone company's own long-distance service.[7]
Today, a call may travel for most of its "distance" as a SIP-initiated VoIP call, only exiting to the SS7 POTS network at the final stages, if ever. As this sort of call became common, even the largest service providers, like AT&T, began offering SIP/VoIP to their customers. In this case, the caller ID information is taken from the SIP headers, not the provider, and that information is often editable by the end-user.[7]
ID spoofing
The opening of the telephone network to VoIP systems resulted in a dramatic lowering in cost for the support of multiple simultaneous phone calls. This was as much of a boon to robocallers as it was to legitimate users.[8] By purchasing commodity personal computers and running suitable software, a robocaller can make hundreds of simultaneous calls for the cost of a single internet connection.[9]
In the early days of such robocalling, the caller would often attempt to hide their identity by entering false caller ID information into the VoIP software. This had the added advantage to the robocaller of making it impossible for the called user to call back to complain, or even report the call to their provider or government agency like the Federal Trade Commission. Users quickly learned to stop taking calls from obviously faked IDs.[9]
In response, robocallers began using less obviously incorrect IDs, but these had a lower chance of being picked up - the chance to ignore a call from an unknown user was precisely why many used caller ID in the first place. Robocallers changed their tactics again, first by using phone numbers that were similar to the user's to make it appear local,[10] and later by using well-known numbers, often government agencies, as part of scams.[9] Using such tactics, robocalls become an increasing problem, rising another 18% year-over-year in 2019 with 26 billion calls between January and October,[11] with an estimated 5.7 billion robocalls in the US placed in October 2019 alone.[12]
STIR
The STIR system aims to add information to the SIP headers that allow the endpoints along the system to positively identify the origin of the data. This does not directly prevent the ability for a robocaller to spoof a caller ID, but it does allow upstream points to decide whether or not to trust that ID.[9]
For instance, a business system using a VoIP-based PBX might connect to the wider telephony network through a SIP service provider. When the SIP packet is received by these providers, they will add additional information to the header, indicating whether they are sure the call originates with a known customer and whether or not the caller ID they provided is one that is known to their system. In this example, the internal phone number may not be known by the provider, but they may agree that all numbers starting with 555-555 do indeed belong to that customer, and that the provided ID, 555-555-1234, is therefore valid. Likewise, a customer might use a separate toll-free number for return calls and thus have a legitimate reason to use a totally different caller ID number, perhaps 800-123-4567.[9]
There are three levels of verification, or "attestation",[8] possible in the STIR protocol. The highest level, "Full Attestation", indicated in the STIR header with an "A", indicates that the provider recognizes the entire phone number as being registered with the originating subscriber. This would be the case for a landline or mobile phone where the customer connects directly to the VoIP network and the phone number can be verified as being a particular customer, or in the case of a company that has registered a particular callback number. "Partial Attestation", or "B", indicates that the call originated with a known customer but the entire number cannot be verified, which would be the case with a call originating from a client PBX where the extension number is not registered with the provider. "Gateway Attestation", "C", indicates the call can only be verified as coming from a known gateway, for instance, a connection to another service provider.[9]
STIR systems produce a JSON Web Token containing, among other things, the originating phone number as provided by the original SIP, the number being called, and the level of attestation being given by the provider. This information is then encrypted with the provider's private key, encoded using Base64, and appended to the original SIP header in a new Identity field. The new information now travels along with the original SIP request until it reaches its destination, another VoIP system or provider that will route the call to an external telephone.[9]
On reception, the STIR information is decoded using the provider's public key. If this fails, the STIR information can be considered invalid. If it properly decodes, it can extract the information and examine the attestation to decide whether to allow the call to continue. In the case of a VoIP endpoint on a smart phone, for instance, the display might show that the call is of an unknown origin ("C") or that it failed verification entirely.[9]
Anyone on the VoIP side of the call can add a STIR header claiming "A" attestation even to known-bad calls. This may start in a robocaller's software, for instance. In this case, upstream users would not have the keys necessary to decode the STIR header and the authentication would fail. The software might also encode a header to pose as a trusted source, but in this case, the known public key for trusted source would fail to decode the header and the authentication would fail.[9]
The STIR system relies on a chain of trust. For this to work, the system requires certification services that are well known so end user software knows whom to query to retrieve the public key, and are trusted to provide valid information and not provide keys to known-bad players. This network will be based on the existing Certificate Authority system in use today.[9]
The robocaller might find a VoIP provider willing to sign their calls even though they are known-bad, in the same fashion that there are internet service providers that provide service to known email spam farms . To combat this, the STIR header contains both the original phone number when it enters the provider as well as the caller ID being claimed. If these do not match, the STIR authentication fails. For such a certificate to get through, the provider would also have to be willing to fake the number on reception, for instance, by copying whatever caller ID number the robocaller provided. In this case the STIR will validate correctly, and stopping such calls will have to be done at a higher level, through key revocation or similar.[9]
The STIR system is defined[13] as a series of Request for Comments documents by the IETF:
- RFC 8224 - Authenticated Identity Management in the Session Initiation Protocol (SIP)
- RFC 8225 - PASSporT: Personal Assertion Token
- RFC 8226 - Secure Telephone Identity Credentials: Certificates
- RFC 8588 - Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)
SHAKEN
STIR is based on SIP and is designed to work with calls being routed through a VoIP network. It does not work within the "original" telephony network, which relies on standards such as SS7 to route calls.[6] VoIP calls enter the network at the "edge" through a variety of VoIP-to-telephony gateways, and they can receive STIR information at that point or anywhere earlier during the VoIP section of the call. But once inside the telephony network there is no standard for forwarding that STIR information to the end user.[8]
Additionally, STIR does not define how authentication failures should be handled within the network. In a system where most calls will not have STIR information, at least during the period where the system is being set up, failed STIR checks cannot simply block the call.[8] Some sort of information has to be sent to the user, but the precise nature of that information is not part of STIR itself.
To address these last-mile problems, the Alliance for Telecommunications Industry Solutions (ATIS) began work on an associated system known as SHAKEN. SHAKEN includes systems to pass STIR information through the SS7 network, a standard for the data to be added to SIP for calls originating in the SS7 network, how to send STIR information to POTS endpoints, and a set of guidelines on how to handle various STIR failures.[8]
In the common case of a robocaller calling an end user on a landline or mobile phone, it is the last step of the connection that does not directly handle STIR. For instance, if a call originates in a VoIP system and was tagged with a STIR header that successfully authenticated, the caller ID provided to the user might be appended with "(verified)", whereas one that fails might say "(spoofed)" or "(no verification)".[14]
As of 2019, the exact nature of the messages sent to end users is still being discussed.[8] The Secure Telephone Identity Governance Authority, or STI-GA, is organizing these discussions as well as calling for certificate authorities who will handle the majority of the key protocol.[15] Additionally, the Secure Telephone Identity Policy Administrator, or STI-PA, has the job of actually carrying out policy decisions like key revocation. On May 30, 2019, the GA announced iconectiv had won the role of PA.[8]
Implementation
STIR/SHAKEN was designed to allow expansion to carriers outside the US.[8]
On December 9, 2019, FCC commissioner Ajit Pai, and Ian Scott, chairman of the Canadian Radio-television and Telecommunications Commission (CRTC), conducted "the first official cross-border call" using the protocol.[16] The same day, the CRTC announced that it "expects" all phone providers to adopt STIR/SHAKEN no later than September 30, 2020.[17][18]
Enforcement
In December 2019, the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) was signed into law, which compels the FCC to mandate implementation of the protocols by all U.S. phone companies.[19] The FCC approved the mandate on March 31, 2020, under which large carriers must implement the systems by June 30, 2021, and smaller and rural carriers by June 30, 2022.[20][2]
References
Citations
- "An end may be in sight for our robocall epidemic". Washington Post. July 5, 2019.
- Bonifacic, Igor (March 31, 2020). "FCC will require phone carriers to authenticate calls by June 2021". Engadget. Retrieved April 1, 2020.
- "Compliance and Enforcement and Telecom Decision CRTC 2019-402-2". Canadian Radio-television and Telecommunications Commission (CRTC). Retrieved September 24, 2020.
- "Column: Phone industry turns to James Bond for answer to robocall villainy". Los Angeles Times. September 1, 2017. Retrieved December 17, 2019.
- Ramirez, Anthony (April 4, 1992). "Caller ID - Consumer's Friend or Foe?". NY Times. Retrieved February 3, 2015.
- "47 CFR 64.1601" (PDF).
- SIP.
- FAQ.
- "Understanding STIR/SHAKEN". TransNexus. Retrieved January 2, 2020.
- Nova, Annie. "You think it's your friend calling, but it's actually this growing phone scam". CNBC.
- Singh, Manish (December 3, 2019). "Spam calls grew 18% in 2019". TechChrunch.
- Romm, Tony (November 19, 2019). "Suspicious robocalls pitching health insurance surged in October. Now, the feds are scrambling to act". Washington Post.
- "STIR into Action". IETF.
- Cert.
- Wolfe, Marcella (September 7, 2019). "STI-GA Call for Certificate Authorities". STI-GA.
- Eggerton, John. "Pai Dials Up Cross-Border SHAKEN/STIR First". Broadcasting & Cable. Retrieved December 10, 2019.
- "CRTC calls on telecoms to adopt new tool to tackle 'spoofed' phone scams". The Globe and Mail. Retrieved December 10, 2019.
- "CISC Network Working Group – Status of implementation by telecommunications service providers of authentication/verification measures for caller identification". crtc.gc.ca. CRTC. December 9, 2019. Retrieved December 10, 2019.
- Condon, Stephanie. "Trump signs the TRACED Act, the first federal anti-robocall law". ZDNet. Retrieved January 2, 2020.
- "Mandating STIR/SHAKEN to Combat Spoofed Robocalls". FCC. Retrieved March 31, 2020.
- "T-Mobile and Sprint can now verify calls across their networks". Engadget. Retrieved June 13, 2020.
- Brightlink Takes on Robocalling with STIR/SHAKEN Solution, retrieved September 25, 2020
Bibliography
- "Frequently Asked Questions" (PDF). ATIS.
- "Certificate management for STIR/SHAKEN". TransNexus.
- "How SIP Works in VoIP". SIP.US. December 1, 2013.
- "STIR/SHAKEN Information Hub". TransNexus.