
STIR/SHAKEN

STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world.

Background
Caller ID

The idea of sending the phone number to the customer for identification purposes dates to 1968, when Ted Paraskevakos introduced the idea of modem-like devices that would send and receive the information over normal voice lines. It sent a small burst of information using the 1200 bit/s Bell 202 modulation in the time between the first and second rings. The concept was developed through the 1970s and had its first public trial with Bell Atlantic in 1984 and a follow-up in 1987. The system was widespread in the United States and Canada by the mid-1990s, and spread to most other countries by the end of the decade. It soon became an indispensable system allowing customers to screen calls from telemarketers. Marketers often provided alternative numbers in the caller ID so returned calls went to an inbound call center instead of the telemarketing firm where the call originated. Unscrupulous users began using this concept, which became known as "spoofing", to hide the true origins of the call to prevent callbacks.

VoIP and SIP

The introduction of voice-over-IP (VoIP) systems allowed users to place calls to other users directly through the internet without ever using the public telephone network. Initially, these systems were proprietary, but over time a series of proposals created the Session Initiation Protocol (SIP), a messaging protocol that contained the information needed to set up a VoIP call between two endpoints. SIP borrowed from existing protocols, including the use of simple headers like "From:" in a format similar to the SMTP email system. SIP requests are sent to proxy servers that provide access information for end-users to the caller, which is then used to provide a direct connection between the two endpoints. As the cost of an Internet line with enough bandwidth to host a given number of simultaneous calls is much less than leasing that number of telephone lines, there was a strong economic benefit for companies to switch to VoIP as well.
From the late 1990s a number of new PBX-like systems emerged that use SIP and VoIP to route calls wherever possible, only exiting to the public switched telephone network (PSTN) system when required to call a non-VoIP user. A company with several of these systems in separate offices could forward the call to the one closest to the number being dialed, thereby reducing or eliminating long distance charges. As these systems became popular, new telephony providers emerged that offered centralized SIP routing, allowing both companies and end-users to use VoIP systems to call the service and then route back out to the PSTN. Many of these also allowed incoming calls from conventional phone equipment, providing local or toll-free numbers for the inbound calls. This allowed users to place calls to and from anywhere with local access for a greatly reduced cost by avoiding the telephone company's own long-distance service.

Today, a call may travel for most of its "distance" as a SIP-initiated VoIP call, only exiting to the SS7 PSTN network at the final stages, if ever. As this sort of call became common, even the largest service providers, like AT&T, began offering SIP/VoIP to their customers. In this case, the caller ID information is taken from the SIP headers, not the provider, and that information is often editable by the end-user.

ID spoofing

The opening of the telephone network to VoIP systems resulted in a dramatic lowering in cost for the support of multiple simultaneous phone calls. This was as much of a boon to robocallers as it was to legitimate users. By purchasing commodity personal computers and running suitable software, a robocaller can make hundreds of simultaneous calls for the cost of a single Internet connection. In the early days of such robocalling, the caller would often attempt to hide their identity by entering false caller ID information into the VoIP software.
This had the added advantage to the robocaller of making it impossible for the called user to call back to complain, or even report the call to their provider or government agency like the Federal Trade Commission. Users quickly learned to stop taking calls from obviously faked IDs. and later by using well-known numbers, often government agencies, as part of scams. with an estimated 5.7 billion robocalls in the US placed in October 2019 alone. Estimates for 2020 are 46 billion robocalls in the US alone.

STIR
The STIR system aims to add information to the SIP headers that allows the endpoints along the system to positively identify the origin of the data. This does not directly prevent a robocaller from spoofing a caller ID, but it does allow upstream points to decide whether or not to trust that ID. as a series of Request for Comments documents by the IETF:
• – Authenticated Identity Management in the Session Initiation Protocol (SIP)
• – PASSporT: Personal Assertion Token
• – Secure Telephone Identity Credentials: Certificates
• – Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)

SHAKEN
STIR is based on SIP and is designed to work with calls being routed through a VoIP network. It does not work within the "original" telephony network, which relies on standards such as SS7 to route calls.

Together, STIR/SHAKEN offers a practical mechanism to provide verified information about the calling party as well as the origin of the call—what is known as "attestation"—for the first time in the network. Giving service providers the tools needed to sign and verify calling numbers makes it possible for businesses and consumers to know, before answering, that the calls they receive are from legitimate parties.

In the common case of a robocaller calling an end user on a landline or mobile phone, it is the last step of the connection that does not directly handle STIR. For instance, if a call originates in a VoIP system and was tagged with a STIR header that successfully authenticated, the caller ID provided to the user might be appended with "(verified)", whereas one that fails might say "(spoofed)" or "(no verification)". , the exact nature of the messages sent to end users is still being discussed. The Secure Telephone Identity Governance Authority, or STI-GA, is organizing these discussions as well as calling for certificate authorities who will handle the majority of the key protocol. Additionally, the Secure Telephone Identity Policy Administrator, or STI-PA, has the job of actually carrying out policy decisions like key revocation. On May 30, 2019, the GA announced iconectiv had won the role of PA.

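The terminating-side decision described above, as an added example (not code from any carrier or standards body): it parses a SIP Identity header carrying a SHAKEN PASSporT, checks the signed claims against the call's From and To numbers, and maps the result to the "(verified)", "(spoofed)" and "(no verification)" labels. The claim names follow the PASSporT and SHAKEN extension documents listed under STIR; the function names, the 60-second freshness window, the choice to label B and C attestation as "(no verification)", and the sample header are assumptions, and the ES256 signature and certificate-chain check is taken as an input rather than performed here.

```python
import base64
import json

def b64url_json(part):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def parse_identity(value):
    """Split a SIP Identity header value into PASSporT header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    head, claims, _signature = token.split(".")
    return b64url_json(head), b64url_json(claims), dict(p.split("=", 1) for p in params)

def caller_id_label(identity, from_tn, to_tn, now, signature_valid, max_age=60):
    """Display suffix for a call. signature_valid is the result of the ES256 check
    against the signer's certificate chain, performed elsewhere (assumption)."""
    if not identity:
        return "(no verification)"  # unsigned call, e.g. one that crossed SS7
    try:
        head, claims, _ = parse_identity(identity)
        dest = claims["dest"]["tn"]
        ok = (signature_valid
              and (head.get("alg"), head.get("typ"), head.get("ppt")) == ("ES256", "passport", "shaken")
              and claims["orig"]["tn"] == from_tn           # signed number matches From
              and isinstance(dest, list) and to_tn in dest  # signed for this destination
              and abs(now - claims["iat"]) <= max_age)      # fresh, so not a replayed token
        attest = claims["attest"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "(spoofed)"          # malformed or incomplete token
    if not ok:
        return "(spoofed)"
    # Only full attestation ("A") says the carrier vouches for the number itself;
    # "B" and "C" identify the signing carrier but not the caller ID (policy assumption).
    return "(verified)" if attest == "A" else "(no verification)"

def sample_identity(attest, orig_tn, iat):
    """Constructed sample header; the third segment is a placeholder, not a real signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    head = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
            "x5u": "https://cert.example.org/passport.cer"}
    claims = {"attest": attest, "dest": {"tn": ["12155550131"]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "123e4567-e89b-12d3-a456-426655440000"}
    return (f"{enc(head)}.{enc(claims)}.c2lnbmF0dXJl"
            ";info=<https://cert.example.org/passport.cer>;alg=ES256;ppt=shaken")

if __name__ == "__main__":
    now = 1443208345
    for level in "ABC":
        hdr = sample_identity(level, "12155550121", now)
        print(level, caller_id_label(hdr, "12155550121", "12155550131", now + 5, True))
```

A validly signed token with attestation B or C still yields "(no verification)" here, which is the gap between authenticating the originating carrier and authenticating the caller ID.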
Implementation
STIR/SHAKEN was designed to allow expansion to carriers outside the United States. On December 9, 2019, FCC commissioner Ajit Pai and CRTC chairman Ian Scott conducted "the first official cross-border call" using the protocol. The same day, the CRTC announced that it "expects" all phone providers to adopt STIR/SHAKEN no later than September 30, 2020. This was later extended to June 30, 2021 at the request of Rogers Communications Canada Inc. The implementation date was again pushed back to November 30, 2021, as the CRTC announced that no TSP will be exempted from the requirement.

Enforcement
Canadian enforcement

In January 2018, the CRTC issued Compliance and Enforcement and Telecom Decision 2018-32, which states that the CRTC expects Canadian Telecommunications Service Providers to implement STIR/SHAKEN by 31 March 2019, establish a Canadian administrator, and issue progress reports. In December 2019, the CRTC issued decision 2019-402, which extended the deadline to 30 September 2020. At the same time, the CRTC issued CRTC 2019-403, which approved the establishment of the Canadian Secure Token Governance Authority (CSTGA) as Governance Authority for STIR/SHAKEN. In September 2020, the CRTC issued decision 2019-402-2, which extended the deadline to 30 June 2021. In July 2021, the CRTC issued decision 2021-123, further pushing back the implementation deadline to 30 November 2021, while also making it clear that no carrier in Canada would be exempt from the implementation date, in contrast to FCC's decision to grant exemptions to smaller and rural operators.

The FCC approved the mandate on March 31, 2020, under which large carriers must implement the systems by June 30, 2021, and smaller and rural carriers by June 30, 2023. In December 2021, the FCC shortened the deadline for many small carriers to June 30, 2022.

Testing
Interoperability working:
• T-Mobile – Sprint

Production
• AT&T – Comcast

Limitations of STIR/SHAKEN
Public research highlights several limitations of STIR/SHAKEN.
• Although STIR/SHAKEN is frequently described as a "caller ID authentication technology", it does not authenticate any caller ID per se. Instead, it authenticates the originating carrier, but that solves a different problem. This causes security failures where the receiver accepts a digitally signed call as genuine under STIR/SHAKEN, but the caller ID is illegitimately spoofed.
• It critically relies on a set of trusted certificate authorities (CAs) to manage digital certificates. In the USA, several telecom companies were appointed by the FCC as the CAs. They serve as the root of trust. All other telcos must not only trust these CAs but also pay them for compliance with STIR/SHAKEN, typically based on a percentage of their annual revenue. The reliance on trusted third parties severely limits the ability of STIR/SHAKEN to work across borders.
• It requires transmitting a digital signature along with the chain of certificates in every outgoing call, which typically involves kilobytes of digital data. However, non-IP networks (SS7) are not designed to support this amount of data transmission. Consequently, STIR/SHAKEN is mainly limited to IP networks.

In April 2023, Ofcom conducted a public consultation on whether the UK should adopt STIR/SHAKEN. On 1 February 2024, Ofcom published a final assessment report to conclude: "our assessment is that we should not proceed with CLI authentication [STIR/SHAKEN] at this time". The final report covers limitations of STIR/SHAKEN as above.