Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/12/2019
01:00 PM
Mark B. Cooper
Mark B. Cooper
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

SHAKEN/STIR: Finally! A Solution to Caller ID Spoofing?

The ubiquitous Caller ID hasn't changed much over the years, but the technology to exploit it has exploded. That may be about to change.

Fraud and abuse in the form of robocalling, and more specifically illegally spoofed calling, is the No. 1 consumer complaint to the Federal Communications Commission (FCC). Robocalls make up nearly half of all phone calls, so frustrated consumers simply don't answer incoming calls and businesses can't get through to customers when they need to reach them.

At the root of the problem is the ease of spoofing caller IDs. Anyone can spoof their outbound Caller ID by using an online service like Spooftel or SpoofCard. These services are meant to protect the caller's number from being displayed and claim they aren't intended for malicious purposes, but the fact that they exist indicates the breadth of the problem.

For cybersecurity professionals, Caller ID spoofing is a particularly pernicious problem. To gain the trust of their intended victim, hackers hide behind a friend, company, or institution associated with their target's information. Typically, they will find a trusted number and spoof it.

Caller identifications are determined during the second ring of a call. In this short period, spoofers use frequency shift keying to alter the binary format of the number, a process that can be automated. Current Caller ID technology was developed without any consideration that it could be used nefariously and hasn't changed much, while the technology to exploit it has exploded.

The FCC Steps in with SHAKEN and STIR
FCC chairman Ajit Pai challenged the telecommunications industry in November 2018 to adopt a caller authentication system to combat this growing nuisance or face regulatory intervention. This has spurred the telecommunications industry to develop a framework of interconnected standards called SHAKEN (Secure Handling of Asserted information using toKENs) and STIR (Secure Telephony Identity Revisited) that defines how telephone service providers should work together to ensure calling numbers have not been spoofed.

As with many secure platforms on the Internet, digital identity certificates that leverage public key infrastructure (PKI) will make it possible to verify that the Caller ID information is accurate and can be trusted. SHAKEN/STIR shifts responsibility for identity verification from the call originator to the originating telephone company routing the call. At a high level, each telephone service provider will obtain its digital certificate from a certificate authority that is trusted by other telephone service providers. The certificate technology enables the called party to verify that the calling number is accurate, as asserted by a trusted source.

As shown in the framework diagram below, telecommunication service providers must implement a certificate management system to create and manage the public and private keys and digital certificates used to sign and verify Caller ID details. The private keys are used by the service provider to sign calls. The public key is then used by other service providers to verify that the signature was actually created by the private key associated with a trusted provider.

Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed. Source: PKI Solutions
Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed. Source: PKI Solutions

Also Applies to Enterprise VoIP
Although SHAKEN is a carrier-centric framework that sets out a standard way to implement STIR on the Internet Protocol-based network-to-network interface (IP-NNI), it will also affect enterprises that have their own Voice over IP (VoIP) infrastructure. In the next several years, such enterprises will be expected to set up call authentication through the SHAKEN/STIR delegation feature. Carriers can delegate authority for telephone numbers assigned to enterprises, making them a participant in the SHAKEN/STIR ecosystem.

For this ecosystem to work, the industry — technology infrastructure, telecommunications, enterprises, and government entities — needs to work together to ensure call identities are universally trusted. As this technology standard evolves and starts to be deployed, security will be required at every level of SHAKEN/STIR implementations. The players involved need to educate themselves on the many places where things can go wrong, including bad policies, lax security controls, and weak operational practices. Bad actors will absolutely try to subvert this security to initiate "validated" calls.

The telecommunications landscape is vast and diverse, with players ranging from massive corporations to virtual telcos that aggregate services and service providers serving niche clients or small geographies. For SHAKEN/STIR to accomplish its goal of re-establishing trust in the phone system, every provider will need to come up to speed on the nuances of setting up a PKI correctly.

Chances are, however, that not every provider will have the necessary expertise in-house but may decide to forge ahead on their own. When that happens, things invariably will go wrong; all it will take is one weakness in a PKI implementation for spoofers to get back in the game. As more telcos implement SHAKEN/STIR, the value on the underground of having a provider's certificate in a compromised state is significant. All of a sudden, robocallers with a validated Caller ID can start making spoofed robocalls again after everyone has started to trust Caller IDs again. There is a large financial incentive for robocallers to identify weaknesses and exploit them for financial viability.

A Long Slog Ahead
Although the FCC wants to accelerate the timeline for SHAKEN/STIR implementations across the industry, the reality is that it's going to take time. Rather than rushing ahead, a far better approach will be to invest the time and resources necessary to ensure that the system is implemented properly and highly secure. Things are moving ahead with the all-important role of Secure Telephone Identity Policy Administrator (STI-PA) being awarded to iconectiv in May 2019. In this role, iconectiv is responsible for applying and enforcing the rules defined for the SHAKEN/STIR framework.

The certificate policy will be published soon. It will lay out the rules of engagement, but without it there is significant uncertainly. Do you have to have an audit? If so, what does that audit look like? And what does it have to look at? What requirements do organizations have for security? What about availability, background screening, and training?

While these pieces are coming together, I would encourage everyone in the ecosystem to proactively line up the necessary resources and expertise to implement SHAKEN/STIR in the most secure way possible. If in-house know-how is lacking, companies should track down experts who can help get the PKI implemented correctly and address problems such as cloud vs. on-premises deployment and scalability. There's no time to waste: The integrity and trust of the telephony system depends on getting this right.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops."

Mark B. Cooper, President and Founder of PKI Solutions, has been known as "The PKI Guy" since his early days at Microsoft. Mark has deep knowledge and experience in all things public key infrastructure (PKI), including Microsoft Active Directory Certificate Services ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...