
Intro to SHAKEN/STIR

This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.




  1. What if we had TLS for phone numbers? An introduction to SHAKEN/STIR. Kelley Robinson, Account Security Team, Twilio. @kelleyrobinson © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  2. (image only)
  3. 54.6B US spam calls in 2019, grew 108% since 2018. Source: https://www.businesswire.com/news/home/20191213005058/en/Spam-Calls-Grew-108-2019-Anti-Robocall-Bill
  4. (image only)
  5. (image only)
  6. What if we had TLS for phone numbers? An introduction to SHAKEN/STIR
  7. TABLE OF CONTENTS
      1. Telephony "security"
      2. SHAKEN/STIR explained
      3. Regulation & Limitations
      4. What will happen next?
  8. TELEPHONY "SECURITY"
  9. Telephony 30 Years Ago (diagram: Business, a handful of carriers such as AMERITECH, AT&T, US WEST and NYNEX, Customer)
  10. Telephony Today (diagram: Business, the same carriers plus many intermediate providers, Customer)
  11. Acronym Hell
      • PSTN - Public Switched Telephone Network. Global interconnected telephony.
      • VoIP - Voice over IP. Internet-connected telephony.
      • SIP - Session Initiation Protocol. Standard used to manage VoIP calling.
      • PBX - Private Branch eXchange. Private enterprise network.
  12. ☎ Phun Phact: The word "Hello" has only been around since 1827. Thomas Edison popularized the greeting and urged people to say "hello" when answering his phone. Source: What is Ahoy?
  13. THE PROBLEM: UNWANTED ROBOCALLS
  14. 📈 Robocall spam & spoofing
      • Automated dialing is cheap
      • A lot of access points to the PSTN
      • Easy to spoof the "From" number
  15. Legitimate use cases for masking phone numbers
      • Doctor calls from a personal number, displays the office number
      • Business calls from a contact center, displays a toll-free callback number
  16. 2009 Truth in Caller ID Act
      • Spoofing is illegal if there is "intent to defraud, cause harm or wrongly obtain anything of value"
      • Difficult to enforce
  17. ☎ Phun Phact: Alexander Graham Bell campaigned to use "Ahoy-hoy" as the standard telephone greeting. Source: What is Ahoy?
  18. WHAT IS SHAKEN/STIR?
  19. SHAKEN - Signature-based Handling of Asserted information using toKENs. STIR - Secure Telephony Identity Revisited.
  20. SHAKEN - Signature-based Handling of Asserted information using toKENs. STIR - Secure Telephony Identity Revisited. LEMON-TWIST - LEveraging MOdels for Enterprise dialiNg - Tnauth list With an enterprise Identity Secured Token. 😱
  21. "Calls would have their caller ID 'signed' as legitimate by originating carriers and validated by other carriers before reaching consumers." SHAKEN/STIR defined | FCC.gov
  22. Borrowing from other web authentication
      • Public Key Infrastructure (PKI)
      • Certificates
      • JSON Web Tokens (JWT)
      • Similar to email's DKIM/DMARC
  23. SHAKEN/STIR signing and verification (diagram: 📲 Caller -> Originating Service Provider with 🔒 Signing Service -> Other Service Providers -> Terminating Service Provider with ✅ Verification Service -> 📳 Callee; 🏛 Certificate Authorities issue the certificates both services rely on)
  24. Certificate authorities
      • Approved by the STI-GA (Secure Telephone Identity Governance Authority)
      • Managed by ATIS (Alliance for Telecommunications Industry Solutions)
  25. SIP IDENTITY HEADER
  26. A plain SIP INVITE:
      INVITE sip:14151234567@twilio.com:5060 SIP/2.0
      Via: SIP/2.0/UDP example.com:5060
      From: "Alice" sip:14155555555@5.6.7.8:5060;tag=123456789
      To: "Bob" sip:14155550101@1.2.3.4:5060
      Call-ID: 1-12345@5.6.7.8
      CSeq: 1 INVITE
      Max-Forwards: 70
  27. The same INVITE with a SHAKEN Identity header (the token is shown split at its three dots and the parameters on the last line):
      INVITE sip:14151234567@twilio.com:5060 SIP/2.0
      Via: SIP/2.0/UDP example.com:5060
      From: "Alice" sip:14155555555@5.6.7.8:5060;tag=123456789
      To: "Bob" sip:14155550101@1.2.3.4:5060
      Call-ID: 1-12345@5.6.7.8
      CSeq: 1 INVITE
      Max-Forwards: 70
      Identity: eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVzdGNlcnQuY3J0In0=
        .eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9
        .S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg
        ;info=https://certificates.twilio.com/testcert.crt;alg=ES256;ppt=shaken
  28. Zooming in on the middle (payload) segment of the Identity token:
      eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9
      which decodes to:
      {
        "attest": "A",                                      <- Attestation level
        "dest": {"tn": ["14155550101"]},                    <- Destination phone #
        "iat": 1548859982,
        "orig": {"tn": "14155550171"},                      <- Origination phone #
        "origid": "a17afcb5-2965-4837-a9e6-0e6b3f521254"    <- Orig. customer ID
      }
  29. Attestation Levels
      A ✅  I know this customer and they can use the calling number
      B 🤷  I know the customer but I don't know the calling number
      C 🤔  I don't know the customer but I know where this call came from
  30. The tail of the Identity header:
      .S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg   - cryptographic signature
      ;info=https://certificates.twilio.com/testcert.crt                                         - certificate URL
      ;alg=ES256                                                                                 - algorithm
      ;ppt=shaken                                                                                - passport type
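Added example, not code from the talk or from Twilio: a small Python parser that takes the Identity header value shown on the slides above, splits it into the PASSporT header, payload, signature and `;` parameters, and runs the checks a terminating provider's verification service makes before it fetches the certificate at `x5u` and verifies the ES256 signature (that cryptographic step is deliberately not implemented here). The function names and the 60-second `iat` freshness window are assumptions of this example.

```python
import base64
import json

# Identity header value copied from the slides (the talk's test token); the
# whitespace the slide layout inserted inside the base64 segments is removed.
IDENTITY_HEADER = (
    "eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVzdGNlcnQuY3J0In0="
    ".eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9"
    ".S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg"
    ";info=https://certificates.twilio.com/testcert.crt;alg=ES256;ppt=shaken"
)


def _b64decode(segment):
    """Decode base64url or standard base64, with or without '=' padding."""
    segment = segment.replace("-", "+").replace("_", "/")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))


def parse_identity(value):
    """Split an Identity header into the PASSporT token parts and its ;params."""
    token, *params = value.replace(" ", "").split(";")
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(_b64decode(header_b64)),
        "payload": json.loads(_b64decode(payload_b64)),
        "signature": _b64decode(sig_b64),  # raw r||s for ES256, 64 bytes
        "params": dict(p.split("=", 1) for p in params),
    }


def sanity_check(identity, from_tn, to_tn, now, max_age=60):
    """Return the problems a verification service would flag before fetching
    the x5u certificate and checking the signature (that step is not done here)."""
    hdr, body, params = identity["header"], identity["payload"], identity["params"]
    problems = []
    if hdr.get("alg") != "ES256" or params.get("alg") != "ES256":
        problems.append("alg must be ES256")  # never accept 'none' or an HMAC alg
    if hdr.get("ppt") != "shaken" or params.get("ppt") != "shaken":
        problems.append("ppt must be shaken")
    cert_url = params.get("info", "").strip("<>")
    if hdr.get("x5u") != cert_url or not cert_url.startswith("https://"):
        problems.append("x5u/info certificate URL mismatch or not https")
    if body.get("attest") not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if body.get("orig", {}).get("tn") != from_tn:
        problems.append("orig tn does not match SIP From")
    if to_tn not in body.get("dest", {}).get("tn", []):
        problems.append("dest tn does not include SIP To")
    if abs(now - body.get("iat", 0)) > max_age:  # assumed 60 s freshness window
        problems.append("iat outside freshness window")
    return problems
```

Run against the slide's token, the payload decodes to orig tn 14155555555 (the SIP From number), so the check passes only when the From header agrees and the call arrives within the freshness window.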
  31. ENFORCEMENT
  32. TRACED Act (Telephone Robocall Abuse Criminal Enforcement Deterrence)
      • Signed into law 2019-12-30
      • Allows $10,000 fine for offenders
      • Requires telecom companies to implement call authentication in the next 18 months
  33. TRACED Act Authentication Requirements
      • VoIP: Implement STIR/SHAKEN
      • Non-VoIP: "Reasonable measures to implement an effective call authentication framework"
  34. ☎ Phun Phact: Not every 555 number is fake. Only 555-0100 through 555-0199 are specifically reserved for fictional use. Source: TV Tropes
  35. LIMITATIONS OF SHAKEN/STIR
  36. "The phone network is an ungodly beast." - Randy Weinberger, curmudgeon, telecom expert
  37. Part of the ungodly beast: Time-division multiplexing (TDM)
      • Physical switches used by the PSTN
      • TRACED Act explicitly acknowledges TDM as a potential burden to SHAKEN/STIR rollout
  38. The long tail of service providers
      • 4000 service providers in the US alone
      • Requires significant investment to comply
  39. And what about...
      • Disconnected and reassigned phone numbers?
      • International numbers and calls?
      • Text messages?
  40. ☎ Phun Phact: Phone calls from The New York Times showed up as (111) 111-1111 until 2011. They now use a (212) number you can actually call back. Source: NYTimes
  41. WHAT HAPPENS NEXT?
  42. Ongoing legislation
      • FCC gave telcos authority to block unwanted robocalls without explicit subscriber permission
      • TRACED Act enforcement will begin at the end of 2020
  43. Motivations driving implementation
      • Consumer pressure to decrease robocalls
      • Business pressure to increase answered calls
  44. APPLICATION SECURITY PROTECTIONS TODAY
  45. Mitigate damage from unwanted inbound calls
      • Protect your numbers from web scraping bots
      • Don't assign sequential phone numbers to your employees
      • Challenge suspicious callers with a voice CAPTCHA
      • Use actual authentication in your call centers
      • Install the FCC blacklist DB on your PBX
  46. Apps for spam detection
      • Nomorobo, Robokiller, Call App, etc.
      • AT&T partnership with Hiya
  47. Telephony is complicated.
  48. Telephony is complicated. SHAKEN/STIR won't fix everything.
  49. Telephony is complicated. SHAKEN/STIR won't fix everything. But it will help rebuild trust in telephony.
  50. THANK YOU @kelleyrobinson
