The SIP School's Graham Francis discusses current methods and training for combating robocalls.
Getting Your Robocall Education
Robocalls are annoying, frustrating, and distracting. Although there are millions of complaints, the phone keeps ringing. I was speaking with Graham Francis of The SIP School, which has added STIR/SHAKEN training into the SIP security section of its SSCA® certification to help combat robocalling. He was able to provide some insights into the problem and solutions.
What is the state of robocalls?
In the U.S., you can check out the YouMail Robocall Index, which shows the total number of robocalls for each month, as well as showing state-specific numbers. In November 2018, there were 5.1 billion robocalls across the U.S. This is not a "U.S. only" problem, with robocalls affecting everyone around the world.
What does caller ID really mean?
Caller ID is where a caller’s number is displayed on your phone, allowing you to decide whether to answer or not. It can be faked.
Explain PSTN caller ID spoofing.
Caller ID spoofing is where the caller can actually mask their own number and replace it with another in order to "trick" the recipient into accepting the call.
It’s worth remembering, though, that there are legitimate cases of caller ID spoofing that we want to preserve. For example, if a medical doctor is calling back a patient using their mobile phone, the doctor wants to be able to show the caller ID of his office rather than disclosing his personal mobile phone number or just showing a blocked number.
Has the expansion of VoIP stimulated robocalling?
VoIP is a software-based service, and so it can be easily configured to run anywhere and at extremely low cost to the scammers. Unfortunately, there are many services on the Web that allow you to get up and running quickly to deliver robocalls regardless of where the service originates. This makes it possible for fraudsters to use these VoIP-based systems to call U.S.-based numbers (for example) from outside the U.S., making it very hard to trace the origin of the call and almost impossible to prosecute the originators. A lot of times, legitimate businesses are having their own numbers used by scammers and thus getting all the complaint calls back. It’s a mess, and it will probably get a lot worse before industry-wide solutions are adopted.
What are STIR and SHAKEN and how do they work?
STIR – Secure Telephone Identity Revisited – is a working group in the IETF that has published a number of RFCs relating to new SIP standards and header fields about securing identity. SHAKEN – Signature-based Handling of Asserted information using toKENs – is a joint ATIS/SIP Forum recommendation developed by the IP-NNI Task Force that defines how to use the STIR standards in SIP.
STIR/SHAKEN in a nutshell:
Instead of just having a P-Asserted-Identity header field for the ‘Calling number’ (as shown in the image from The SIP School), a SIP INVITE sent using STIR/SHAKEN will contain an Identity header field.
The Identity field carries a signed authentication token which indicates who inserted the P-Asserted-Identity. This token is called a Persona ASSertion Token or PASSporT. Once the signature is added, any SIP entity that receives the INVITE can validate and verify the signature.
The STIR/SHAKEN architecture is shown in the graphic below. You can see the SIP trapezoid, with calling and called user agents at the bottom, and a server in each domain, such as a proxy or PBX or SBC. The difference is that the INVITE which is exchanged between the domains, shown in red, is a ‘Signed’ INVITE and contains the PASSporT token. Also, there is a new Certificate Store which allows any downstream element to retrieve the certificate used to sign the PASSporT.
Once deployed, this mechanism will allow regulations and industry best practices to be developed to track down and block bad actors who attempt to spoof caller IDs.
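As an added illustration of the mechanism described above (this is example code written for this page, not code from The SIP School or from the STIR/SHAKEN standards bodies), the Go program below builds a SHAKEN PASSporT, signs it with ES256 as the originating carrier's authentication service would, wraps it in the Identity header field value a STIR/SHAKEN INVITE carries, and then verifies it as the terminating side would. The certificate URL, telephone numbers, origid and clock value are constructed for the example; the 60-second freshness window is an assumption of the example; and the verifier is handed the public key directly, where a real verification service would fetch the certificate from the URL in the header's info parameter (the Certificate Store in the graphic).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// PASSporT header and SHAKEN claims (RFC 8225, RFC 8588); fields are listed
// alphabetically so encoding/json emits the lexicographic key order.
type passportHeader struct {
	Alg string `json:"alg"` // "ES256": ECDSA P-256 with SHA-256
	Ppt string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"` // URL of the signing certificate in the certificate store
}

type passportClaims struct {
	Attest string              `json:"attest"` // attestation level A, B or C
	Dest   map[string][]string `json:"dest"`   // {"tn": ["<called number>"]}
	Iat    int64               `json:"iat"`    // issued-at, Unix seconds
	Orig   map[string]string   `json:"orig"`   // {"tn": "<calling number>"}
	OrigID string              `json:"origid"` // opaque tracing identifier
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signPassport is the originating carrier's authentication service: it signs
// b64url(header).b64url(claims) with ES256. An entropy failure is unrecoverable here.
func signPassport(priv *ecdsa.PrivateKey, hdr passportHeader, claims passportClaims) string {
	h, _ := json.Marshal(hdr) // these fixed structs always marshal
	c, _ := json.Marshal(claims)
	input := b64url(h) + "." + b64url(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JOSE ES256 signature: raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig)
}

// identityHeader formats the SIP Identity header field value of RFC 8224.
func identityHeader(token, x5u string) string {
	return fmt.Sprintf("%s;info=<%s>;alg=ES256;ppt=shaken", token, x5u)
}

// verifyIdentity is the terminating-side verification service: the signature
// must check out under the carrier's key, the signed "orig" number must equal the
// P-Asserted-Identity number, and the token must be fresh (60 s is an assumption).
func verifyIdentity(pub *ecdsa.PublicKey, identity, paiNumber string, now int64) bool {
	parts := strings.Split(strings.SplitN(identity, ";", 2)[0], ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	raw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	var claims passportClaims
	if err != nil || err2 != nil || len(sig) != 64 || json.Unmarshal(raw, &claims) != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, digest[:], r, s) && claims.Orig["tn"] == paiNumber &&
		claims.Iat <= now && now-claims.Iat <= 60
}

// runScenario: a genuine INVITE verifies; an INVITE whose P-Asserted-Identity was
// rewritten fails; an edited "orig" claim carried under the old signature fails.
func runScenario() (genuine, mismatch, tampered bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const x5u = "https://cert.example.net/shaken.pem" // constructed URL
	const now = int64(1700000000)                      // constructed clock
	hdr := passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u}
	claims := passportClaims{ // constructed numbers and origid
		Attest: "A",
		Dest:   map[string][]string{"tn": {"12025550143"}},
		Iat:    now,
		Orig:   map[string]string{"tn": "12025550101"},
		OrigID: "constructed-origid-0001",
	}
	token := signPassport(priv, hdr, claims)
	genuine = verifyIdentity(&priv.PublicKey, identityHeader(token, x5u), "12025550101", now+5)
	mismatch = verifyIdentity(&priv.PublicKey, identityHeader(token, x5u), "12025550199", now+5)
	claims.Orig["tn"] = "12025550199" // edit the signed claims but reuse the old signature
	c, _ := json.Marshal(claims)
	p := strings.Split(token, ".")
	tampered = verifyIdentity(&priv.PublicKey, identityHeader(p[0]+"."+b64url(c)+"."+p[2], x5u), "12025550199", now+5)
	return genuine, mismatch, tampered
}

func main() {
	fmt.Println(runScenario()) // true false false
}
```

The two failing cases are the ones the article's mechanism exists for: a calling number that differs from what the originating carrier signed is caught by comparing the orig claim with P-Asserted-Identity, and an attacker who edits the claims cannot produce a signature that validates against the certificate retrieved from the x5u URL.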
Can anyone solve the problem or do you need training?
Some carriers provide anonymous call rejection features; others employ their own call blocking techniques, and some refer to central databases that are updated with known problem numbers. There is no one single method that works all of the time, as calls can be coming from anywhere with new numbers being used all the time.
Many consumer devices allow you to block numbers, but that tends to be on a number-by-number basis, so a lot of calls still get through. Apps such as Truecaller, RoboKiller, Hiya, and more all exist to try to stop a robocall and block it from making your phone ring – though again, they don’t work all of the time.
Ultimately, the problem will need to be solved by all carriers across the world working together to implement STIR/SHAKEN. This will take time but will be worth it in order to give people confidence again when answering calls.
To get an idea of how progress is going, details of the various service providers and their current implementation status can be found here.
What should training include?
People need to understand encryption as well as Web-based security mechanisms, especially how a Public Key Infrastructure (PKI) works along with all the underlying technologies supporting them such as DNS, etc.
Understanding SIP messaging is important, as this is where the new headers are implemented in order to make STIR/SHAKEN work. Training should also include all that’s being published by the ATIS/SIP Forum partnership. On top of that, training should include using testbeds for vendors and providers such as the one provisioned by Neustar.