RoboHope to Rid us of Phone Scammers?

by in Security

In a September post (“That ****ed Telephone!”) I bemoaned the problem of spoofed CallerID information, heavily used by scammers and robocallers to fool us into answering their calls.

RoboHope to Rid us of Phone Scammers.jpgSome good news: the FCC is pushing carriers to adopt a technology with the tortured moniker “SHAKEN/STIR”, which stands for “Secure Handling of Asserted information using toKENs/Secure Telephony Identity Revisited”. If implemented, S/S (as referred to henceforth) will essentially eliminate forged Caller ID.

The idea is to use digital certificates in a manner similar to how we validate that websites are not spoofed. These certificates are based on a “chain of trust”. A website owner asks a trusted Certificate Authority (CA) to issue a server certificate, which includes the website name. The certificate is cryptographically signed, using public-key encryption, so it cannot be spoofed. And because the CA is trusted, we transitively trust the server certificate.

When your browser or other client program connects to the site, a “handshake” occurs: the two sides exchange information, including that server certificate, and the client side verifies that the certificate is legitimate based on the root certificate.

Similarly, with S/S, the originating phone provider—Verizon or Bell Canada or whoever—will use a certificate to provide secure attestation as to the call’s legitimacy. That attestation comes in three different levels:

  • Full: The provider has full confidence in the provenance of the call, including Caller ID number: for example, your home phone, attested to by Verizon or whoever your provider is.
  • Partial: The provider has authenticated the call’s origin, but not the Caller ID information: for example, an office PBX that is reporting the main office number, rather than the number of the actual line in use.
  • Gateway: The provider has received authentication from another network, but cannot verify the source: for example, a call received over an international gateway.

Attestation will allow providers to automatically reject clearly spoofed calls—for example, if Caller ID reports a local phone number, but attestation level is Gateway. And calls with no attestation would presumably, once S/S was fully implemented, never be delivered.

The good news is that this need not affect home telephone hardware: Caller ID delivery, for example, would not change. It also would not force telephone providers to risk dropping legitimate calls, which is vital, because providers both make money from delivering calls and could risk legal problems if a technology drops legitimate calls. For example, tools like NoMoRobo, TrueCaller, RoboKiller, and Hiya (among many others) use crowd-sourced databases of numbers reported as bogus by users. If a scammer were to spoof your aged aunt’s home telephone number, enough users report it, and you use that blocking tool, your aunt might find herself unable to contact you. The current tools take this into account and allow you to at least see the number that was blocked, but if the provider was doing the blocking, that would not be possible.

Note that S/S does not mean scam calls would stop, just that scammers would appear as their correct domestic phone numbers (thus making Do-Not-Call violation enforcement suddenly realistic), or at least as international (“Gateway attestation”) numbers, making them easy to ignore.

As always, it’s important to consider failure modes. If a provider is believed to be compromised, should the other providers stop delivering any calls placed through that method? While digital certificates are a well-established and robust technology, problems do occur. A long-departed engineer here left his mark in the form of “Hansen’s Law”, which was his response to any customer connectivity issue: “It’s a certificate problem!” And he was usually right. The good news with S/S is that the certificates are managed by providers, not end-users—if every homeowner had to somehow acquire and install a certificate for each phone number, this initiative would be dead before it started.

Whether SHAKEN/STIR will spread is unclear. A recent eWeek article reports that AT&T and T-Mobile are working on implementation, although Verizon and Sprint have not responded. Full implementation of any such solution will likely take years, but it’s a positive step!


Data security and encryption