That ****ed Telephone!

by in Security

It’s more than a bit ironic that in an era when our phones are glued to our hands, we use them less for actual calls than other purposes. At the same time, our privacy is invaded by a deluge of spam calls, often perpetrated by vicious scammers spoofing Caller ID information.

Telephone1.pngAs phone geeks know, solving the bogus call problem is non-trivial. When the Bell SS7 telephone switching protocol was developed in 1975, VoIP and the free long-distance calling it enables were not even pipedreams. Caller ID (aka CLID or CND, “Caller Name Display”) was not part of the original SS7 specification. Introduced in 1987, it allows the sending switch to send a number different from the actual line in use. This was intended for corporate switchboards, so that a call from some random line deep in E Corp would show E Corp’s main phone number, thus making it actually useful if the callee returned the call based on the displayed number (especially since that random outgoing line often won’t even ring if called).

Of course, nowadays scammers using VoIP exploit this feature to make their spam/scam calls look like they’re coming from more legitimate-looking numbers. The current approach is to fake the call with the same area code and exchange. Thus if your number is 555-867-5309, the spoofed CLID will show 555-867-xxxx, with the xxxx chosen randomly. This makes the call look local and semi-familiar, increasing the odds that you will pick it up—“Maybe that’s the new neighbor calling?”

But how do such bogus callers manage to display a name as well as a number? CLID only transmits the number from the calling switch. The local switch then does a “database dip” (in SS7 jargon) and checks who owns that number. This is counterintuitive, since it means that each switch must have access to a master database of numbers. With multiple carriers (LECs and CLECs and ILECs), that database access problem becomes even more complex.

This complexity means that sometimes those lookups fail, due to timeouts or other problems. This is why even legitimate callers sometimes show as UNKNOWN or just a state or town: after a failed lookup, the switch can say “OK, I didn’t get a name, but what state is that area code from?” or, for local area codes, “…what town is that exchange nominally located in?” and fill that in from a local database. (CLID can also get stripped if it passes through an older switch that does not support the protocol, but this is now rare, at least for domestic calls.)

Because of this legacy design, it’s essentially impossible to fix the spoofed CLID problem directly without a major protocol redesign. And that’s not likely: SS7 is used worldwide; such a change would cost a fortune. Steps like the U.S. Do Not Call list have proven ineffective, since scammers are hardly worried about violating U.S. laws (especially if they reside overseas).

In 2012, the U.S. Federal Communications Commission held the “Robocall Challenge”, a contest to find ways to combat these bogus calls. Two winners shared the $50,000 prize; their solutions focused on blocking bogus calls based on whitelists/blacklists. Alas, for the carriers themselves, such a solution is not currently practical. For one, current regulations require them to deliver calls: they cannot arbitrarily decide not to let a call through. Second, blocking calls is in some ways in direct conflict with their business model, which is, after all, based on connecting calls, and includes complex rules regarding sharing costs as those calls flow across multiple carriers.

The result is third-party solutions like NoMoRobo and a host of smartphone apps that implement such blocks. These work quite well, where applicable. Alas, POTS—Plain Old Telephone Service—(copper) lines do not support them, so CLID spoofing continues unabated.

It’s worth noting that CLID spoofing hurts both the callee and the alleged caller. More than a few folks have gotten irate calls from someone demanding to know “Why do you keep calling me?”, when they have done nothing of the sort.

While the forces of good battle bogus calls, the forces of evil continue evolving. A recent advance is the so-called “ringless voicemail”, which allows leaving voicemail without actually calling people. This is mostly used by debt-collection agencies, who wish to send threatening messages but are under legal constraints as to when and where they can do so. Their contention has been that such “ringless” messages do not constitute phone calls, and are thus not subject to the same regulations.

A recent Michigan federal court decision was the first ruling on use of this technology, and squarely sided with consumers, stating that to consider the technique as anything other than a phone call would be absurd.

So perhaps there is some hope. Meanwhile, folks increasingly find the simple approach to be best: if you don’t recognize the CLID (or there is none), don’t answer the call!


Data security and encryption