
Understanding STIR/SHAKEN – New Anti-Robocalling Protocol - randomdrake
https://transnexus.com/whitepapers/understanding-stir-shaken/
======
th0ma5
Always want to fill out the old
[https://craphound.com/spamsolutions.txt](https://craphound.com/spamsolutions.txt)
form with these ideas. Like the open world / closed world AI problem.

~~~
atoav
It might seem odd to north americans, but I never received a single robo call
my entire life.

I received one spam call in the last 10 years, and the guy exused himself when
I told him what he is doing is illegal.

This feels a bit like “weapon laws won’t solve anything” and “social
healthcare can’t ever work”. So either Europe is living in an weird strand of
alternate reality, or maybe some problems _are_ solvable if you really want
to.

~~~
bewo001
It's a regulation problem, not a technical one. In Germany --and probably in
other EU countries--, the telco must make sure that a caller is authorized to
use a certain number as origin. STIR just shifts that responsibility to some
other entity.

If a call originates from an untrusted network, you remove the number or
indicate that it is user-provided and probably fake. It would help if phones
would properly display the difference (P-Asserted-Id present or not).

~~~
eli
Isn't it also the case that in Germany the caller pays for the wireless
airtime when calling a cellphone, not the recipient?

~~~
milankragujevic
Isn't that the case everywhere? The caller pays for the call, the recipient
doesn't? Where are you? My grandma has a prepaid SIM that I call and she never
pays anything, just a small amount every few months to keep the number alive.

~~~
tialaramex
The US had a situation where the following happened

1\. They issued all their phone numbers according to a geographic system, the
North American Numbering Plan. Most cities would have one prefix, some larger
ones gradually needed two or more, but basically you can tell from a number if
the call is local.

2\. Calls to local numbers were cheap or free, because routing a call on a
circuit a few miles costs essentially nothing. Just spread the cost over all
subscribers, it's fine.

3\. Mobile telephones exist. NANP is full. How do we number these new phones?
Let's give them local numbers wherever you're buying the phone.

4\. Oh, but calls for a mobile cost more. Do we make everybody pay extra for
the small fraction with mobiles? No. Can we charge callers for calling a
mobile? They'd have no way to know they're getting charged because the numbers
are local! OK, so let's charge _mobile owners_ when they receive a call.

5\. Then everybody buys a mobile phone.

The end state is always the same, everybody eats the cost of maintaining a
network and calls are basically free. But the way they got there was different
from most countries.

~~~
moftz
I remember when staying with relatives when I was younger and calling long
distance home for a minute to tell my mom to call my back on her cell so the
family could talk for cheaper. I'd wait around until it was late enough in the
evening that nighttime rates for her cell were cheaper than the long distance
rate.

------
Animats
This clearly wasn't designed by telephony people. It's very web-like. The
authentication info is bigger than the call data required to set up a call.

Mostly this is for VOIP. Telcos with TDM or CDMA transmission have serious
backwards compatibility problems. Ones who peer only with SS7 have problems
but those can probably be overcome.

One big problem is that there are off-brand telcos who specialize in services
for call centers. "The Dialer Hardware is being hosted in our premises at Los
Angeles - USA, where we have our own switch and termination facility with over
100 Carriers. We also have a redundant switch in New York connected to LA
through a fat Fibre pipe."[1] Do those guys get to sign calls? Or what?

[1] [http://www.callcentersindia.com/showall-
orig.php?value1=1126...](http://www.callcentersindia.com/showall-
orig.php?value1=11268_Worlds_No_1_Predictive_Dialer-
Concerto_Ensemble_Pro_60_on_Monthly_Subscription_basis)

~~~
michaelt

      Do those guys get to sign calls? Or what?
    

One of the current problems is a ban on robocalls _exists_ (for calls to cell
phones without consent, at least), as does a ban on IRS scam calls, Microsoft
scam calls etc, but the bans can't be enforced because when a victim complains
there's no way to trace the guilty party. After all, the caller ID was faked.

So the call signing doesn't have to be "a body that will block all robocalls
and scams" it only has to be "a body that can be sued and fined". You rotate
certificates weekly and issue a certificate to any company willing to make a
deposit of $X against possible fines. Then adjust $X until robocalls and scam
calls with fake caller IDs stop happening.

Of course, even if that stopped robocalls/scam calls with faked caller ID,
profitable scams and robocalls would be able to use burner cell phones. So
it's not a perfect solution by any means.

~~~
tpxl
>there's no way to trace the guilty party

Surely the telco can trace who made the call?

~~~
JdeBP
Usually, the only available information is the immediately adjacent carrier
through which the call came.

------
Barrin92
Instead of all these fancy technical counter-measures I think this really
ought to be a matter of the law. Why not ban cold calls, like in Germany? Is
there anyone on this planet who actually enjoys constant advertisement and
harassment on their phone?

>According to Sec. 7 (2) UWG; telephone calls to consumers for sales purposes
are illegal if the calling company is not in possession of an explicit and
effective declaration of consent by the consumer. If the call is made to
another business, it is sufficient to prove presumptive consent.

~~~
Zarel
The worst phone spam is already illegal in the US. The problem is, in the
current system, it's impossible to figure out who's doing it. That's one of
the things STIR/SHAKEN is supposed to fix.

~~~
atoav
Law enforcement doesn’t seem to work then. On my German phone I received one
(!) Spam call in 10 years, and that was a human who didn’t knew about the law
and excused himself when I told him about it.

Sometimes I have the feeling that people in the US just accept a lot of what
happens in their nation as unchangeable in a quite fatalistic way. Problems
that are literally solved in nearly every other nation are frequently painted
as unsolvable. Does this have to do with the role of the state?

~~~
mrunkel
This is a self reinforcing system.

Public services (including law enforcement) are starved for resources by
conservative (small government) politicians who can then say "see, government
doesn't work, why should they get all this money" and proceed to reduce
funding further.

This leads to the populace accepting that "government doesn't work" and that
"taxes are too high."

This cycle has been going on for about 40 years now.

It appears it may be ending with the rise of "leftist" politicians like Bernie
Sanders gaining some traction.

It also leads to terrible things like civil asset forfeiture which literally
turns police officers into highway bandits. (But it's ok, they only steal from
the bad guys).

~~~
cotelletta
Is the situation any better in guaranteed blue states? California seems like a
perfect example of government overreach and wasteful spending that enables the
exact same abuse that supposedly only greedy capitalists engage in.

Is the high speed train done yet?

~~~
mrunkel
The idea that you espouse in that California exhibits government overreach and
wasteful spending is exactly what I'm talking about.

California has been extremely budget constrained ever since the Prop 13 passed
in 1978. They've been fighting against that ever since. Your very words shout
this ingrained bias. "wasteful spending" and "government overreach"... I think
you mean "provide services" and "regulation."

I lived a great deal of my life in California and now live in Germany. The
difference in people's relationship with the government and taxes is palpable.

> Is the high speed train done yet?

It's my understanding the project was cancelled.

------
MagicPropmaker
A little trick that will work for "geeks" but won't scale is:

\- My personal phone number is in a remote area code, of a sparsely populated
state, from where I don't know anybody.

\- Any phone calls that come from this area code are blocked (well, actually,
they have a silent ring tone.)

This gets rid of about 90% of the spam/robocalls because these days, 90% of
them spoof a local areacode/exchange.

Of course, if everyone did this, they'd stop doing it. But it works for now
and makes my personal cell phone useful. I did have to do some finagling to
get my carrier (T-Mobile) to give me a phone with an area-code of a different
state.

I don't have a lot of faith that STIR/SHAKEN will help in any real way.
They'll just have to rent numbers from people who don't care about the law,
and/or registered with bogus information so it won't be worth anyone's while
to find them.

~~~
cstejerean
How did you set the ring tone for this entire prefix? I’ve been looking for
some easy way to do this on iOS, I also have a phone number from an area code
+ prefix where I don’t know anyone and all calls from there are spam.

~~~
Moru
You can block with wildcard in some android phones.

------
alphabetter
Several people have asked about the management of certificates for this
solution. There is indeed a seperate certificate management body created
called the Secure Telephone Identity Governance Authority
([https://sites.atis.org/insights/secure-telephone-identity-
go...](https://sites.atis.org/insights/secure-telephone-identity-governance-
authority-launched-in-major-industry-effort-to-combat-unwanted-robocalling/)).

The Governance Authority will define policies on how certificates are to be
issued.

Any old certificate from a web CA won't be accepted by the system.

~~~
tialaramex
For what it's worth, mostly private CAs are garbage. Bad at the crypto parts,
bad at the identity problem, bad at their own security. Just pretty bad.

It doesn't really matter, because mostly bad guys don't see the CA as the weak
point, if anything what is remarkable about the Web PKI is that we did a good
enough job elsewhere that actual bad guys sometimes try to attack the Web PKI.
Not often, but it happens at all.

It's like finding out you did a good enough job securing your home that an
actual burglar picked your front door lock! Yes, the burglar still got in
because of course no door look is effective against somebody who knows what
they're doing and has plenty of time to try - but still, apparently you
actually did a good enough job that they weren't able to just climb in through
a side window or force open a patio door. Go you.

If STIR/SHAKEN turns out to have the CA function as its weak point then
everybody involved should clap themselves on the back for an extraordinarily
good job.

------
stendinator
I'm from Switzerland and I only ever get spam calls from the US or India - how
come?

~~~
anilakar
Most telemarketing and scammer calls originate from UK, Norway and Sweden
here. I used to ignore foreign numbers completely, but being on-call nowadays
and having customers abroad prevents such easy countermeasures.

~~~
oarsinsync
Amusingly, the last batch of spam calls I got to a UK number were coming
through with caller ID from Switzerland or Italy

------
Latteland
Sounds like a nice improvement. It appears to be a web of trust scenario,
where you trust anyone else who is verified. Eventually I'm sure some spammer
will break through into the circle. I hope that if there is some spammer
penetration (so much money here it's inevitable) every phone company should be
able to track back where that last phone call came from and block them then.

~~~
tyingq
_" so much money here"_

I kinda wonder about that. Both the "semi legit" and "full on spam" calls I
get just aren't credible. It's hard to imagine anyone falling for it. Or, I'll
press "1" to hear their BS pitch, and go on hold forever.

It's so cheap to do, that I suspect there's an endless queue of people trying
to make money, but failing. But "failing" costs them almost nothing.

So, maybe raising the cost of doing it will kill off the amateurs.

~~~
bobbiechen
It may be intentionally unbelievable - see the Microsoft Research paper about
"Nigerian prince" email scams:

 _By sending an email that repels all but the most gullible the scammer gets
the most promising marks to self-select, and tilts the true to false positive
ratio in his favor._

[https://www.microsoft.com/en-us/research/publication/why-
do-...](https://www.microsoft.com/en-us/research/publication/why-do-nigerian-
scammers-say-they-are-from-nigeria/)

~~~
tyingq
Sure, but that approach requires a low cost per call/email. Things that raise
the effective cost will make that approach less attractive.

------
patrickg_zill
I read through a summary from a different source and I was not impressed.

Any voip phone, and of course smart phone, can be easily set up for client
side certificates.

Landlines and anything else that can be accessed via SS7 methods are already
secure in terms of identity.

And that's it. Client side certs and you are done...

~~~
lemcoe9
SIP over TLS (which uses SRTP) is great, but as soon as it hits a vendor
downstream that doesn't support it, it immediately gets trans-coded into
plain-ole-SIP and is just as insecure as any other VoIP call. This is not a
solution by any means, because it assumes that the entire call path is TLS-
enabled, which, in my experience, is impossible on the public telephony
network.

~~~
patrickg_zill
Well I am referring to the use of client certificates for identity.

You might not need to have SRTP in the middle of a big telecom network, like
one that handles millions of calls per day, just at the edges where you
interconnect with others.

------
thosakwe
I’ve noticed two main things about the many robocalls/spamcalls I’ve received
(my carrier actually has spam blocking, and I haven’t received very many since
activating it)

1\. Most calls I receive from numbers _not_ in my contact list are spam. They
also usually just call once, whereas if it’s a legit call that I was
expecting, but neglected to pick up, they’ll call again within a few minutes.
2\. I’ll get robocalls from one area code at a time. I remember getting calls
from 772 one week, 727 the next, 643 a few days later, etc.

Obviously it won’t crush spam entirely, but I can imagine that fixing even
just these two things would filter out a boatload if spam from reaching
consumers.

Oh, and calls from “Scam Likely” should _never_ reach my phone to begin with.

~~~
ovi256
The first rule would have a short half-life, spam systems would just learn to
call again.

The rolling area codes you observed are already an anti-banlist mechanism.

Maybe a loose superposition of short half-life rules would work, like it works
for email spam.

------
m0zg
I do the following: I never give my real phone number to anybody other than
people I directly know. Everybody else gets my Google Voice number, which is
set up to directly go into voicemail without ever ringing. As far as I can
tell, I receive 2-3 robocalls a day, so GV just blackholes them for me. Every
now and then someone leaves a voicemail, and I read that, but it's very rare
that a robocall leaves a voicemail because Google call screener requires them
to enter a number to do so.

------
_underfl0w_
Hopefully this CA process will have a better threat model - that is, one in
which they're prepared for state-level malicious actors such as DarkMatter.

------
nerdbaggy
Anybody know who the CA is now for these? Couldn’t find much

~~~
ocdtrekkie
Since I saw the URL
[https://certificates.clearip.com](https://certificates.clearip.com) in the
link, went to that URL and it offers a ClearIP root certificate. ClearIP being
a product from the company who wrote this blog.

I wouldn't be entirely surprised if the carriers themselves were acting as the
root CA for their given calls. There's no reason to tie it to the CAs on the
Internet.

