American telecoms will compete with telephone spam

In the US, subscriber authentication technology is gaining momentum - the SHAKEN / STIR protocol. Let's talk about the principles of its operation and potential implementation difficulties.

/flickr/ Mark Fischer / CC BY-SA

Problem with calls

Unsolicited robo calls are the most common reason for consumer complaints to the US Federal Trade Commission. In 2016 the organization recorded five million hits, a year later this figure exceeded seven million.

These spam calls don't just take people's time. Automatic call services are used to extort money. According to YouMail, in September last year, 40% of the four billion robo calls were committed by scammers. During the summer of 2018, New Yorkers lost about $XNUMX million in transfers to criminals who called them on behalf of the authorities and extorted money.

The problem was brought to the attention of the US Federal Communications Commission (FCC). Organization representatives issued a statement, which required telecommunications companies to implement a solution to combat telephone spam. This solution was the SHAKEN/STIR protocol. In March, joint testing held AT&T and Comcast.

How the SHAKEN/STIR protocol works

Telecom operators will work with digital certificates (they are based on public key cryptography) that will allow the verification of callers.

The verification procedure will proceed as follows. First, the operator of the person making the call receives a request SIP INVITE to establish a connection. The provider's authentication service checks information about the call - location, organization, caller's device details. Based on the results of the check, the call is assigned one of three categories: A - all information about the caller is known, B - the organization and location are known, and C - only the geographic location of the subscriber is known.

After that, the operator adds a message with a time stamp, call category and a link to an electronic certificate to the INVITE request header. Here is an example of such a message from GitHub repository one of the American telecoms:

{
	"alg": "ES256",
        "ppt": "shaken",
        "typ": "passport",
        "x5u": "https://cert-auth.poc.sys.net/example.cer"
}

{
        "attest": "A",
        "dest": {
          "tn": [
            "1215345567"
          ]
        },
        "iat": 1504282247,
        "orig": {
          "tn": "12154567894"
        },
        "origid": "1db966a6-8f30-11e7-bc77-fa163e70349d"
}

Further, the request goes to the provider of the called subscriber. The second operator decrypts the message using the public key, compares the content with the SIP INVITE, and verifies the authenticity of the certificate. Only after that a connection is established between the subscribers, and the "receiving" party receives a notification about who is calling him.

The whole verification process can be represented by a diagram:

According to experts, caller verification will take no more than 100 milliseconds.

Opinions

Как noted in the USTelecom association, SHAKEN/STIR will give people more control over the calls they receive, making it easier for them to decide whether or not to pick up the phone.

Read on our blog:

• Botnet “spams” through routers: what you need to know
• DDOS and 5G: thicker "pipe" - more problems

But there is an opinion in the industry that the protocol will not become a “silver bullet”. Experts say scammers will simply use workarounds. Spammers will be able to register a "dummy" PBX in the operator's network in the name of an organization and make all calls through it. In case of PBX blocking, it will be possible to simply re-register.

On words representative of one of the telecoms, simple verification of the subscriber using certificates is not enough. To stop scammers and spammers, you need to allow ISPs to automatically block such calls. But for this, the Communications Commission will have to develop a new set of rules that will regulate this process. And the FCC can deal with this issue in the near future.

Since the beginning of the year, congressmen are considering a new bill that will oblige the Commission to develop mechanisms to protect citizens from robo-calls and monitor the implementation of the SHAKEN / STIR standard.

/flickr/ Jack Sem / CC BY

It should be noted that SHAKEN/STIR have implemented in T-Mobile - for some smartphone models and plan to expand the range of supported devices - and Verizon - its operator's customers can download a special application that will warn about calls from suspicious numbers. Other US carriers are still testing the technology. They are expected to complete testing by the end of 2019.

What else to read in our blog on Habré:

• The battle for net neutrality is a chance for a comeback
• Situation: Japan may restrict downloading content from the network - we understand and discuss
• The new standard based on PCIe 5.0 will "link" the CPU and GPU - what is known about it

Source: habr.com