STIR SHAKEN HERE TO STAY

Winchester, VA: March 16, 2019 — According to the YouMail Robocall Index, nearly 48 billion robocalls were made in 2018. This annoyance to both consumer and commercial users of the new IP-enabled Public Switched Telephone Network (PSTN) is only going to get worse as bot technology becomes more integrated with Voice over IP (VoIP) networks. Fortunately, under the leadership of both the SIP Forum and the United States Federal Communications Commission (FCC), there are the beginnings of a means of combating these nuisance calls. This new technology is known as Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN).

STIR/SHAKEN uses public key infrastructure (PKI) digital certificates to authenticate callers on the VoIP-enabled PSTN. How this will ultimately be deployed on commercial networks is still being worked through by both the FCC and United States based telecommunications companies like AT&T and Comcast. In simple terms, each customer of a telephone network would be issued a “digital certificate” that would be installed on their end station device (e.g., mobile phone, IP-PBX), and calls originated by that device would undergo an authentication challenge from a trusted digital certificate authentication authority. If your call attempt is coming from an authenticated end device, the distant end device being called would be informed that the incoming call is from an authenticated user. This would reduce the number of “spoofed” numbers flooding the VoIP PSTN today by a significant margin.

So how is number spoofing even possible? The answer lies in the foundation of the current de facto standard for VoIP: Session Initiation Protocol (SIP). While the legacy telephone network depended on the ten-digit telephone number to determine a caller’s location and which telephone switch they were associated with, SIP only uses these legacy ten-digit numbers as a human interface convenience, supporting a generation of users that don’t like change. Call routing is actually accomplished much like email traffic. Each user is provided a SIP identifier, which looks a lot like an email address (e.g., [email protected]). SIP calls are processed when a caller sends an “INVITE” to a distant end, and that distant end “answers”, resulting in a media session being established between the two endpoints. To accommodate conservative consumers who don’t like change, their identifier could look like [email protected]. This allows ten-digit numbers to be dialed to initiate a call instead of entering an “email”-like address. As you can see, anyone can spoof a ten-digit number, as it can be associated with any number of domains (e.g., [email protected], [email protected], [email protected], etc.).

The current method many pop-up vendors are selling for addressing robocalls is to block ten-digit telephone numbers that are “known” to be associated with robocallers. Considering that software can be written to generate telephone numbers by the thousands in seconds and send them out over the internet tied to a variety of domains, no binary blocking technique will ever keep up. You might as well be bailing out a canoe with a toothpick!

With the introduction of digital signatures, callers will now have to be verified using a well-proven encryption methodology that is kept trusted by a certificate authority. Certificates can only be issued by this authority, and they cannot be “spoofed”. I’m happy to see the telecommunications industry embracing this exciting new technology and operationalizing it into their products and public/private telecommunications networks.
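
The signature check described above, as an added example that is not part of the original article or any carrier's code: a SHAKEN-style PASSporT token is signed with ES256 over the calling and called numbers, then verified on the receiving side. The key pair, the 555 telephone numbers, the x5u URL and the 60-second freshness window are constructed assumptions, and certificate chain validation is left out.

```javascript
// Added example: sign and verify a SHAKEN-style PASSporT (ES256) with Node's crypto.
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const unb64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed key pair standing in for the key behind the signer's certificate.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Calling side: bind caller number, called number and timestamp into a signed token.
function signPassport(origTn, destTn, iat, key) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://certs.example.invalid/signer.pem' }; // placeholder
  const payload = { attest: 'A', dest: { tn: [destTn] }, iat,
                    orig: { tn: origTn }, origid: crypto.randomUUID() };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Called side: verify the signature first, then compare the signed claims with
// the numbers in the SIP request the token arrived with.
function verifyPassport(token, fromTn, toTn, now, key, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  let header, payload;
  try { header = unb64u(h); payload = unb64u(p); } catch { return 'malformed'; }
  if (!header || !payload) return 'malformed';
  if (header.alg !== 'ES256') return 'bad-alg'; // reject "none" and downgrades
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
                           { key, dsaEncoding: 'ieee-p1363' },
                           Buffer.from(s, 'base64url'));
  if (!ok) return 'bad-signature';
  if (!(Math.abs(now - payload.iat) <= maxAgeSec)) return 'stale'; // replay window
  if (payload.orig?.tn !== fromTn) return 'caller-mismatch';
  if (![].concat(payload.dest?.tn ?? []).includes(toTn)) return 'callee-mismatch';
  return 'verified';
}

// Constructed sample call using fictional 555-01xx numbers.
const IAT = 1700000000;
const token = signPassport('12025550123', '12025550199', IAT, privateKey);
console.log(verifyPassport(token, '12025550123', '12025550199', IAT + 5, publicKey));
// Same token replayed on a call claiming a different caller number.
console.log(verifyPassport(token, '12025550147', '12025550199', IAT + 5, publicKey));
```

A blocklist has to enumerate bad numbers, whereas this check rejects any call whose claimed number is not covered by a valid signature, which is why it scales where number blocking does not.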