Cybercriminals are eroding trust in voice services: 5.1 billion robocalls a month dupe consumers with phone scams. The robocall strike force has socialized the STIR/SHAKEN (Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) framework to combat robocalling. Learn about the framework, its limitations and security architectures for a robust implementation.
Learning Objectives:
1: Become part of the cybersecurity community that is aware of voice crime, specifically robocalling.
2: Review the framework that many service providers are working on to thwart robocalling.
3: Support your voice professional counterparts in implementing secure architectures.
#RSAC
Where Are We At in the US?
Americans lost an estimated $9.5B in phone scams in 2017 (Harris Poll / Truecaller survey).
Source: https://blog.truecaller.com/2017/04/19/truecaller-us-spam-report-2017/
Source: Robocall Index by YouMail, https://robocallindex.com/
Business Case for Addressing the Issues
• Global VoIP market to grow to $190B by 2024
• TDM inching towards EOL
• Robocalls and scams are one-third of all calls
Phone Technologies
Scope of STIR SHAKEN: IP/SIP calls
50% of suspect illegal Robocalls are IP based
Source: 2018 Robocall Investigation Report – Transaction Network Services
Figure: phone technologies grouped by signalling type.
TDM/SS7 side: POTS (single line), PBX, mobiles, gateways (GW), calling card, POTS international.
IP/SIP side: IP-PBX, VoIP gateways (GW), calling card, VoIP, cable ISPs, wireless carriers, hosted/OTT VoIP, IP backbone providers, CLEC, ILEC.
STIR SHAKEN Framework Basic Flow
Figure: Bob's UA (Domain A) sends a SIP INVITE to the Originating Service Provider, whose STIR Authentication Service signs it; the signed INVITE reaches the Terminating Service Provider, whose STIR Verification Service checks the signature against the Certificate Repository before the call is delivered to Alice's UA (Domain B).
Source: ATIS, RFC 8224
SHAKEN Reference Architecture
Logical view based on 3GPP IMS architecture
Source: ATIS-1000074, ATIS-0300116
Figure: Service Provider A (originating/authorization) and Service Provider B (terminating/verification), each with a SIP UA (user agent), CSCF (Call Session Control Function) and IBCF (Interconnection Border Control Function)/TrGW. Provider A hosts the STI-AS (authentication server) and SKS (secure key store); Provider B hosts the STI-VS (verification server) and CVT (call validation treatment). Both providers reach the STI-CR (certificate repository) and the Certificate Provisioning Authority over HTTPS; signalling between the SIP elements is SIP, and media between the user agents is RTP.
SHAKEN Reference Call Flow
Logical view based on 3GPP IMS architecture
Source: ATIS-1000074, ATIS-0300116
Figure: the same components as the reference architecture (SIP UA, CSCF, IBCF/TrGW, STI-AS, SKS and Certificate Provisioning Authority at Service Provider A; STI-VS, CVT, CSCF and IBCF/TrGW at Service Provider B; the shared STI-CR), with the call flow numbered 1 to 12 across the SIP, HTTPS and RTP legs. Only the step numbers survive from the slide.
Infrastructure (1)
• Private or public cloud deployments
• Physical appliances
• Availability: scalability, resiliency, redundancy
Is it a bird? A plane? Or a cocktail?
Data Sensitivity (2)
• Top Secret: private keys
• PII: customer identifiers, customer name, customer address, IP address
• Non-Public: infrastructure specs, system configuration info
• Public: public keys
Security Zone (3)
Zones: Restricted, Trusted, DMZ, Untrusted (Zero Trust applies across all of them).
Cross-cutting controls: control plane, access and identity, encryption at rest and in transit, monitoring.
Figure: the SKS, STI-AS, STI-VS, STI-CR, CSCF and CVT are placed across the Restricted, Trusted and DMZ zones; external SIP UAs and other service providers sit in the Untrusted zone.
Protocols: SIP, RTP (4)
Threats: unauthorized eavesdropping, MiTM, call manipulation.
Mitigations: encrypt the control plane (SIP); encrypt real-time media transmission (RTP carried as SRTP).
Refer to the reference architecture to note the SIP/RTP flows.
Figure: SIP client, SIP server (token) and SIP client on the signalling path; RTP audio/video streaming between the clients, protected with SRTP.
Reference: RFC 3261, RFC 3550
SHAKEN Certificate Management Architecture (I) (5)
Figure: Service Provider (KMS), STI-CA and STI-PA.
1: The Service Provider (KMS) generates a public/private key pair and creates a Certificate Signing Request (CSR).
2: The SP sends the CSR, its public key and its SP code token to the STI-CA.
3: The STI-CA verifies the SP's identity and creates the certificate, returning the CA public key certificate.
4: The SP generates a token (JWT) signed with its private key and carries it in the SIP INVITE.
The set of telephone numbers for which a particular certificate is valid is expressed in the certificate.
The STI-PA maintains a current list of all authorized certificate issuers.
Source: Based on ATIS-1000080, ATIS-1000084
Noteworthy Cert Specs for STIR SHAKEN Framework (5)
• Validation that the message is signed by a trusted root CA is crucial
• The solution may not deal with CRL or OCSP
• CA charging model is TBD
• STIR SHAKEN certificates are short-lived
• Every call is not necessarily uniquely signed
Tokens – Security Considerations (6)
Token types: Persona Assertion Tokens (PASSporT), Service Provider Code Tokens, JSON Web Tokens (JWT).
Characteristics:
• JWTs may be created without a signature
• Support for encrypted JWTs is optional
• Compact serialization: Base64URL(UTF8(JWS Protected Header)).Base64URL(JWS Payload).Base64URL(JWS Signature)
Exploits:
• Replay attacks
• Cut-and-paste attacks
Reference: ATIS-1000080, RFC 7519
Cache Considerations (7)
Figure: Service Provider A (originating/authorizing) with IMS, SKS and STI-AS, plus a KMS and STI-CA; Service Provider B (terminating/verifying) with IMS and STI-VS; the STI-CR between them, with caches at the STI-AS, STI-VS and STI-CR.
In the US, round-trip latency is under 100 ms.
Millions of incoming calls require authentication.
What happens when a Verification Service cannot reach the STI-CR?
What happens when large volumes of telephone calls need to be signed by the Authentication Service at high speed?
Caching of public keys (STI-SP CA), and of private keys (?!)
Reference: RFC 7234
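As an added example (not the deck's own code) of one answer to the "cannot reach the STI-CR" question above: a Python cache for STI certificates keyed by the PASSporT x5u URL that honours Cache-Control max-age (RFC 7234), reuses an expired copy for a bounded grace period when the repository is unreachable, and otherwise fails closed. The fetch callback, the grace period and the fail-closed policy are assumptions of the example, and it holds public certificates only.

```python
import re
import time


class StiCrCache:
    """In-memory cache of public STI certificates, keyed by the x5u URL carried in
    the PASSporT header. Expiry follows the STI-CR's Cache-Control max-age
    (RFC 7234). Assumed policy: when the STI-CR cannot be reached, an expired
    copy may be reused for at most STALE_GRACE seconds; after that get()
    returns None and the caller must treat the call as not verified."""

    STALE_GRACE = 300  # seconds an expired certificate may still be served on fetch failure

    def __init__(self, fetch):
        # fetch(url) -> (cert_pem, cache_control_value); raises OSError when the STI-CR is unreachable
        self._fetch = fetch
        self._store = {}  # url -> (cert_pem, expires_at)
        self.stats = {"hit": 0, "miss": 0, "stale": 0, "fail": 0}

    @staticmethod
    def _max_age(cache_control):
        m = re.search(r"max-age=(\d+)", cache_control or "")
        return int(m.group(1)) if m else 0  # no directive: re-fetch on the next call

    def get(self, url, now=None):
        now = time.time() if now is None else now
        entry = self._store.get(url)
        if entry is not None and entry[1] > now:
            self.stats["hit"] += 1
            return entry[0]
        try:
            cert, cache_control = self._fetch(url)
        except OSError:
            if entry is not None and entry[1] + self.STALE_GRACE > now:
                self.stats["stale"] += 1
                return entry[0]
            self.stats["fail"] += 1
            return None  # fail closed: no certificate, no verification
        self._store[url] = (cert, now + self._max_age(cache_control))
        self.stats["miss"] += 1
        return cert
```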
UE (8), Intermediaries/Gateways (9)
• Attestation: full, partial, gateway
• 'verstat' tel URI parameter support
• End-to-end retention of SIP headers
• No SIP header rewrites
• Equipment updates for the above
• **Caller Verified
• STIR Identity support
There is No Silver Bullet. Take a Multilayered Approach.
Layers: Nomorobo, Hiya, YouMail, STIR SHAKEN (IP/SIP only).
Voice experts + cybersecurity + every consumer + industry
Apply: In the Next 30 Days
Audiences: consumers, enterprises, service providers, equipment vendors.
• Find out what voice technology you use.
• What equipment is in place? E.g. POTS, IP-PBX, TDM or SIP. Note: some VoIP applications use proprietary protocols.
• What solutions are used to address robocalling?
• Do you use contact centres?
• What technologies are used there?
• Consider participating in standards development: ATIS, SIP Forum, IP-NNI joint task force, IETF, other.
Apply: In the Next 60 Days
Consumers: leverage services available to protect yourself from phone scams.
Enterprises: inquire where your voice experts are with STIR SHAKEN.
• Will equipment in your environment need updates?
• Are your suppliers engaged in STIR SHAKEN?
Service providers: inquire where your voice experts are with STIR SHAKEN.
• What kind of solution is being planned?
• Vendor equipment? In-house development? Open source?
• What levels of attestation will you provide?
• How will you present this to customers?
Equipment vendors: inquire with your team where they are with STIR SHAKEN.
• Do equipment features support STIR SHAKEN?
• Are there upgrades to infrastructure being planned?
• Gateways, SBCs, UEs
Apply: In the Next 90 Days and Beyond
Consumers:
• Leverage services available to protect yourself from phone scams.
• Look out for signs of deployment of STIR SHAKEN.
• Your service provider may require you to opt in for this feature.
• Are there new indicators of call attestation on your caller ID display?
Enterprises, service providers, equipment vendors:
• Partner with the voice experts to review security architectures for STIR SHAKEN.
• Share your security expertise for secure implementation of STIR SHAKEN.
Session Objectives
• Enhance your familiarity with the robocalling problem and related voice crimes
• Review the STIR SHAKEN framework
• Security architecture considerations for STIR SHAKEN
Shout Out to Women in Cybersecurity
Thank You!
Contact: daksha_bhasker@comcast.com, Senior Cybersecurity Architect, Comcast, (215) 280-5216
Daksha Bhasker, P.Eng (CIE), MBA, CISM, CISSP, CCSK
Senior Security Architect, Comcast
Daksha has over fifteen years of experience in the telecommunications service provider industry, with roles in both business management and technology development, accountable for complex solution architectures and security systems development. Her security work spans carrier-scale voice, video, data and security solutions. Prior to joining Comcast she worked at Bell Canada, developing their cyber threat intelligence platform and securing cloud deployments. Daksha holds an M.S. in computer systems engineering from Irkutsk State Technical University, Russia, and an MBA in electronic commerce from the University of New Brunswick, Canada. She has various publications in international security journals and contributes to security standards development. She is an advocate for women in cybersecurity.
References, Standards, Documents
ATIS-1000074, Signature-based Handling of Asserted Information using Tokens (SHAKEN)
ATIS-1000080, Signature-based Handling of Asserted Information using toKENs (SHAKEN): Governance Model and Certificate Management
ATIS-0300251, Codes for Identification of Service Providers for Information Exchange
ATIS-1000084, Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
ATIS-1000081, Technical Report on a Framework for Display of Verified Caller ID
RFC 7340, Secure Telephone Identity Problem Statement and Requirements
RFC 8224, Authenticated Identity Management in the Session Initiation Protocol
RFC 8225, Personal Assertion Token (PASSporT)
RFC 8226, Secure Telephone Identity Credentials: Certificates
RFC 3261, SIP: Session Initiation Protocol
Industry Robocall Strike Force Report
Martini Recipes
In Canada
• And yet... in 2018 the BBB reported that Canadians lost over $100 million to scams, most of them over the phone.
• Rules for robocalling have some differences in Canada.
SHAKEN Certificate Management Architecture (II) (5)
Figure: STI-PA, STI-CA, SP-KMS, STI-CR, SKS, STI-VS and STI-AS, linked over HTTPS. The STI-PA issues the Service Provider Code Token and publishes the list of valid CAs; the STI-CA validates that the token has been signed by the STI-PA and issues the public key certificate (via ACME); the STI-CR holds the public key certificate, and the SKS holds the provider's keys for the STI-AS.
For the Authentication Service (STI-AS) to sign calls, it must hold a private key corresponding to a certificate with authority over the calling number.
Governance (ATIS-1000080): the STI-PA is the trust anchor of the SHAKEN ecosystem. Some carriers may establish their own CAs**.
Limitations
Scope of impact (mitigation of spoofing by originating and terminating network):
Originating network   Terminating network   Mitigation of spoofing
PSTN                  PSTN                  No impact
SIP-Domestic          SIP-Domestic          Significant impact
SIP-Domestic          PSTN                  Potential impact
PSTN                  SIP-Domestic          No impact
SIP-International     PSTN                  No impact
SIP-International     SIP-Domestic          Little impact
• SIP-only scope
• International calls will have low attestation
• Testing is underway
• Differences in US/Canadian CNAM operations may cause interop issues
• The solution itself continues to be developed and to evolve
Shout Out to Women in Cybersecurity
A stunning exhibit at the Barnes Foundation in Philadelphia
Happy International Women's Day!