
SESSION ID: STR-F01

STIR SHAKE’N SIP to Stop Robocalling

Daksha Bhasker
Senior Security Architect
Comcast NBC Universal
#RSAC

We’ve all been to the Islands …For Free

Where Are We At in the US?

Source: Robocall Index by Youmail (https://robocallindex.com/)

Americans lost an estimated $9.5B in phone scams in 2017.
Source: Harris Poll / Truecaller survey, https://blog.truecaller.com/2017/04/19/truecaller-us-spam-report-2017/

Caller ID Spoofing, Robocalling

E.T. Phone Home

Not All Calls Are Equal

What Makes Spam Easier to Stop?

E-mail Spam vs. Illegal Robocalls

What’s in it for (Illegal) Robocallers?

• Payments from a hire-a-Robocall service
• $$$ scammed from victims
• Micropayments per Robocall

Robocallers make money even when calls are not answered.

Source: WSJ, Why Robocallers Win Even if You Don’t Answer

Impacts Are Felt

• Citizens/Consumers
• Businesses
• SP Networks

Business Case for Addressing the Issues

• Global VoIP market to grow to $190B by 2024
• TDM inching towards EOL
• Robocalls and scams are one-third of all calls
2. One Cold STIR SHAKEN Framework Please

STIR SHAKEN

STIR: Secure Telephone Identity Revisited
SHAKEN: Signature-based Handling of Asserted information using toKENs

STIR SHAKEN authenticates calls that traverse SIP networks.

Industry: IETF, 3GPP, TSPs, ATIS, SIP Forum, Regulators, Int’l Partners, Others

Phone Technologies

Figure: the phone technology landscape (mobiles, ILEC, POTS, IP-PBX, single line, cable ISPs, calling card providers, VoIP gateways, IP/SIP, wireless, TDM/SS7 gateways, VoIP carriers, POTS gateways, hosted/OTT VoIP, international, PBX VoIP, IP backbone, CLEC).

Scope of STIR SHAKEN: IP/SIP calls. POTS, international and CLEC legs sit outside it.

50% of suspect illegal Robocalls are IP based.
Source: 2018 Robocall Investigation Report – Transaction Network Services

STIR SHAKEN Framework Basic Flow

Figure: the originating service provider (Domain A) passes the INVITE through its STIR Authentication Service, which signs it; the terminating service provider (Domain B) passes the signed INVITE through its STIR Verification Service, which checks the signature against the signer’s certificate from the Certificate Repository before the INVITE reaches the called UA.

Source: ATIS, RFC 8224

SHAKEN Reference Architecture

Figure: logical view based on the 3GPP IMS architecture. Service Provider A (originating/authorization) and Service Provider B (terminating/verification) each have a SIP User Agent, a Call Session Control Function (CSCF) and an Interconnection Border Control Function / Transition Gateway (IBCF/TrGW); SIP signaling and RTP media cross the interconnection between the two IBCF/TrGWs. On the originating side the CSCF invokes the STI-AS (Secure Telephone Identity Authentication Server), which takes its signing key from the Secure Key Store (SKS). On the terminating side the CSCF invokes the STI-VS (Verification Server), which fetches the signer’s certificate over HTTPS from the Certificate Repository (STI-CR) and can hand the call to Call Validation Treatment (CVT). A Certificate Provisioning Authority loads certificates into the STI-CR over HTTPS.

Source: ATIS-1000074, ATIS-0300116
SHAKEN Reference Call Flow

Figure: the same elements as the reference architecture (logical view based on the 3GPP IMS architecture) with the numbered steps: (1) the originating SIP UA sends the INVITE to Service Provider A’s CSCF; (2)–(4) the CSCF hands the INVITE to the STI-AS, which obtains the signing key from the SKS (3) and returns the INVITE carrying the signed Identity header (4); (5)–(7) the INVITE crosses the IBCF/TrGW interconnection (6) to Service Provider B’s CSCF; (8) the CSCF passes it to the STI-VS; (9)–(10) the STI-VS fetches the signer’s certificate from the STI-CR over HTTPS; (11) the STI-VS returns the verification result (and may invoke the CVT); (12) the CSCF delivers the INVITE to the terminating SIP UA.

Source: ATIS-1000074, ATIS-0300116

Attestation Levels

• Full (A): the signing provider has a direct authenticated relationship with the customer and has verified the TN being used.
• Partial (B): the signing provider can authenticate the customer but has NOT verified the association with the TN being used.
• Gateway (C): the signing provider has no relationship with the initiator of the call, e.g. an international gateway.
3. A STIR & SHAKEN Mixer

Security Architecture Appetizers



Voice Attacks

• Vishing
• TN Impersonation
• Invalid / Unallocated Numbers
• Voicemail Hacking
• SPIT (SPam over Internet Telephony)
• Swatting

Security Professionals are here to help.

Reference: RFC 8226, RFC 7340

Security Architecture Considerations

1 Infrastructure
2 Data Sensitivity
3 Security Zone
4 Protocols
5 SHAKEN Cert framework
6 Tokens
7 Caches
8 GWs and UAs
9 Key Management
10 Privacy

Figure: the ten numbers placed on the elements of the SHAKEN reference architecture where each consideration applies.

1 Infrastructure
Is it a bird? plane? or cocktail?

Physical Appliances, Private or Public Cloud Deployments

Availability: Scalability, Resiliency, Redundancy

2 Data Sensitivity

Top Secret: Private Keys
PII: Customer Identifiers, Customer Name, Customer Address, IP Address
Non-Public: Infrastructure Specs, System Config info
Public: Public Keys
3 Security Zone: Zero Trust

Figure: the SHAKEN elements of both providers (SIP UAs, peer Service Providers, STI-CR, STI-AS, STI-VS, CVT, SKS, CSCF) laid out across the Untrusted, DMZ, Trusted and Restricted zones.

Cross-cutting controls: Access & Identity, Control Plane Monitoring, Encryption at Rest + in Transit

4 Protocols

Signaling: SIP
Media: RTP
WWW: HTTP
Management: SNMP

Over UDP or TCP?

4 Protocols: SIP, RTP

Figure: SIP clients signal through a SIP Server (the token travels in the SIP signaling); audio/video streams flow client to client over RTP, or SRTP when the media is encrypted.

Threats: unauthorized eavesdropping, MiTM, call manipulation
Mitigations: encrypt the control plane; encrypt real-time media transmission; refer to the Reference Architecture to note the SIP/RTP flows

Reference: RFC 3261, RFC 3550
5 SHAKEN Certificate Management Architecture (I)

Figure: Service Provider (KMS), STI-CA and STI-PA.
• The Service Provider generates a public/private key pair and creates a Certificate Signing Request (CSR).
• The CSR, with the SP public key and the SP code token, is sent to the STI-CA.
• The STI-CA verifies the SP’s identity and creates the certificate; the CA public key certificate is what verifiers use to check it.
• The STI-PA maintains a current list of all authorized certificate issuers.
• The set of telephone numbers for which a particular certificate is valid is expressed in the certificate.
• The STI-AS generates the token (JWT) signed with the SP private key and carries it in the SIP INVITE.

Source: Based on ATIS-1000080, ATIS-1000084

5 Noteworthy Cert Specs for the STIR SHAKEN Framework

• Not every call is necessarily uniquely signed
• STIR SHAKEN certificates are short-lived
• CA charging model is TBD
• Solution may not deal with CRL or OCSP
• Validation that the message is signed by a Trusted Root CA is crucial

6 Tokens – Security Considerations

• Personal Assertion Tokens (PASSporT)
• Service Provider Code Tokens
• JSON Web Tokens (JWT)

6 Tokens – Security Considerations

JWS compact serialization: Base64URL(UTF8(JWS Protected Header)).Base64URL(JWS Payload).Base64URL(JWS Signature)

Characteristics
• JWTs may be created without a signature (an unsecured JWT with alg "none")
• Support for encrypted JWTs is optional

Exploits
• Replay attacks
• Cut-and-paste attacks

Reference: ATIS-1000080, RFC 7519
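The following Go program is an added example, not code from the talk or from ATIS. It shows the PASSporT work the STI-AS and STI-VS perform with nothing beyond the Go standard library, and it puts the two checks that defeat the replay and cut-and-paste attacks listed above where they belong in the verifier: the iat freshness window, and the binding of the orig/dest claims to the INVITE's own From/To numbers. The certificate URL, telephone numbers and origid are constructed values; the 60 s freshness window is taken from ATIS-1000074 as an assumption; fetching the certificate named by x5u from the STI-CR and checking that its TNAuthList covers the calling number are left out and noted in the comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims are declared in alphabetical order: RFC 8225 requires that key ordering
// in the PASSporT header and claims so that the signed bytes are reproducible.
type passportClaims struct {
	Attest string              `json:"attest"` // A (full), B (partial) or C (gateway)
	Dest   map[string][]string `json:"dest"`   // {"tn":["<called number>"]}
	Iat    int64               `json:"iat"`    // issued-at, seconds since the epoch
	Orig   map[string]string   `json:"orig"`   // {"tn":"<calling number>"}
	Origid string              `json:"origid"` // opaque origination identifier (a UUID in practice)
}

const maxClockSkew = 60 * time.Second // iat freshness window; 60 s follows ATIS-1000074 (assumed here)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// GenerateProviderKey stands in for the provider's P-256 signing key held in the SKS.
func GenerateProviderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport does the STI-AS job: build the SHAKEN PASSporT, sign it with ES256 (the only
// algorithm SHAKEN allows) and format the SIP Identity header field value (RFC 8224 syntax).
func SignPassport(priv *ecdsa.PrivateKey, x5u, origTN, destTN, attest, origid string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}) // map keys marshal sorted
	claims, _ := json.Marshal(passportClaims{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat.Unix(), Orig: map[string]string{"tn": origTN}, Origid: origid})
	signingInput := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature: raw R||S, each left-padded to 32 bytes (not DER)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig) + ";info=<" + x5u + ">;alg=ES256;ppt=shaken", nil
}

// VerifyIdentity does the STI-VS job for one INVITE and returns the attestation level on success.
// pub is the key from the certificate named by x5u (fetching it from the STI-CR and checking that
// its TNAuthList covers fromTN is left out); fromTN/toTN are the canonicalised From/To numbers.
func VerifyIdentity(identity string, pub *ecdsa.PublicKey, fromTN, toTN string, now time.Time) (string, error) {
	parts := strings.Split(strings.SplitN(identity, ";", 2)[0], ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT: expected three dot-separated parts")
	}
	var hdr map[string]string
	if err := decodePart(parts[0], &hdr); err != nil {
		return "", err
	}
	// Pin the algorithm: the token must not get to choose (alg "none", or HS256 keyed with the public key).
	if hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" || hdr["typ"] != "passport" {
		return "", fmt.Errorf("unsupported header %v", hdr)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed ES256 signature")
	}
	// Check the signature before trusting any claim.
	if digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])); !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify under the signer's certificate")
	}
	var c passportClaims
	if err := decodePart(parts[1], &c); err != nil {
		return "", err
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age > maxClockSkew || age < -maxClockSkew { // replay
		return "", fmt.Errorf("iat %d is outside the %s freshness window", c.Iat, maxClockSkew)
	}
	if c.Orig["tn"] != fromTN || len(c.Dest["tn"]) != 1 || c.Dest["tn"][0] != toTN { // cut-and-paste
		return "", errors.New("orig/dest claims do not match the INVITE From/To")
	}
	return c.Attest, nil
}

func main() {
	priv, _ := GenerateProviderKey()
	id, _ := SignPassport(priv, "https://cert.sp-a.example/shaken.pem", "12155550100", "12155550199", "A", "de305d54-75b4-431b-adb2-eb6b9e546014", time.Now())
	fmt.Println(id)
	fmt.Println(VerifyIdentity(id, &priv.PublicKey, "12155550100", "12155550199", time.Now()))
}
```

Run stand-alone, the first line printed is an Identity header field value in the RFC 8224 form PASSporT;info=<x5u>;alg=ES256;ppt=shaken. The order of the checks is the point: algorithm pinned, signature verified, and only then are the claims read, so an unsigned (alg "none") token, a token moved onto a different called number, or one older than the freshness window never reaches the "TN-Validation-Passed" outcome.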

7 Cache Considerations

Figure: STI-CA, KMS/SKS and STI-AS on Service Provider A (originating/authorizing); STI-CR and STI-VS on Service Provider B (terminating/verifying); IMS cores on both sides; caches drawn beside the KMS/SKS, the STI-CR and the STI-VS.

• In the US, round-trip latency is <100 ms.
• What happens when the Verification Service cannot reach the STI-CR?
• What happens when large volumes of telephone calls need to be signed by the Authentication Service at high speed? Millions of incoming calls require authentication.
• Caching of public keys (STI-SP CA) vs. caching of private keys (?!)

Reference: RFC 7234
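As an added example (not code from the talk or from any SHAKEN product), the Go cache below answers the two questions above for the verifying side. A fresh copy is served without touching the STI-CR; a miss fetches and stores for the RFC 7234 max-age, capped by a local maximum; and when the STI-CR cannot be reached an expired copy is served for a bounded grace period, after which the lookup fails closed so the STI-VS reports that validation was not performed (verstat=No-TN-Validation, an assumed mapping noted in the comment) rather than that it failed. Only public certificates are cached; the signing key stays in the SKS. The TTL cap, grace period, sample Cache-Control value and placeholder certificate are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Fetcher retrieves a certificate (PEM bytes) by its x5u URL from the STI-CR and returns the
// Cache-Control header that came with it. Production code wraps http.Client; a function type
// keeps the example runnable offline against a constructed STI-CR.
type Fetcher func(url string) (pem []byte, cacheControl string, err error)

// Source says where a certificate came from; the STI-VS logs it and decides what it may assert.
type Source string

const (
	FromOrigin Source = "origin"      // fetched now from the STI-CR
	FromCache  Source = "cache"       // fresh cached copy
	StaleCache Source = "stale-cache" // expired copy served because the STI-CR was unreachable
)

type entry struct {
	pem     []byte
	expires time.Time
}

// CertCache is the verifier-side (STI-VS) cache of STI-CR certificates.
type CertCache struct {
	mu       sync.Mutex
	entries  map[string]entry
	fetch    Fetcher
	maxTTL   time.Duration // cap on how long the STI-CR's max-age is honoured
	maxStale time.Duration // grace period for serving an expired copy during an STI-CR outage
}

func NewCertCache(fetch Fetcher, maxTTL, maxStale time.Duration) *CertCache {
	return &CertCache{entries: map[string]entry{}, fetch: fetch, maxTTL: maxTTL, maxStale: maxStale}
}

// ParseMaxAge applies the RFC 7234 directives that matter here: no-store means do not cache;
// otherwise max-age (seconds) is the freshness lifetime; anything else yields 0 (do not cache).
func ParseMaxAge(cacheControl string) time.Duration {
	var maxAge time.Duration
	for _, d := range strings.Split(cacheControl, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "no-store" {
			return 0
		}
		if n, err := strconv.Atoi(strings.TrimPrefix(d, "max-age=")); err == nil && strings.HasPrefix(d, "max-age=") && n > 0 {
			maxAge = time.Duration(n) * time.Second
		}
	}
	return maxAge
}

// Get returns the certificate for url. Hits never touch the network; misses fetch and store for
// min(max-age, maxTTL). If the STI-CR is down an expired copy is served for at most maxStale
// after expiry; beyond that Get fails closed and the caller marks the call No-TN-Validation
// (verification not performed) rather than TN-Validation-Failed (assumed mapping).
func (c *CertCache) Get(url string, now time.Time) ([]byte, Source, error) {
	c.mu.Lock()
	defer c.mu.Unlock() // held across the fetch for simplicity; production code single-flights per URL
	e, cached := c.entries[url]
	if cached && now.Before(e.expires) {
		return e.pem, FromCache, nil
	}
	pem, cc, err := c.fetch(url)
	if err == nil {
		if ttl := ParseMaxAge(cc); ttl > 0 {
			if ttl > c.maxTTL {
				ttl = c.maxTTL
			}
			c.entries[url] = entry{pem: pem, expires: now.Add(ttl)}
		}
		return pem, FromOrigin, nil
	}
	if cached && now.Before(e.expires.Add(c.maxStale)) {
		return e.pem, StaleCache, nil
	}
	return nil, "", fmt.Errorf("certificate %s unavailable and no usable cached copy: %w", url, err)
}

func main() {
	// Constructed STI-CR stand-in: always reachable, answers with a one-hour max-age.
	cr := func(url string) ([]byte, string, error) {
		return []byte("(constructed certificate for " + url + ")"), "public, max-age=3600", nil
	}
	c := NewCertCache(cr, time.Hour, 10*time.Minute)
	fmt.Println(c.Get("https://cert.sp-a.example/shaken.pem", time.Now()))
}
```

The maxStale window is a policy decision: it trades a short period of verifying against a possibly revoked or rotated certificate for not dropping every inbound call during an STI-CR outage, which matters because the certificates are short-lived (previous slide) and the STI-CR is on the interconnect path of millions of calls.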

8 Intermediaries/Gateways
• STIR Identity header support
• End-to-end retention of SIP headers
• No SIP header rewrites
• Equipment updates for the above

9 UE
• "Caller Verified" indication
• Attestation: Full, Partial, Gateway
• ‘verstat’ tel URI parameter support

There is No Silver Bullet. Take a Multilayered Approach.

Nomorobo, Hiya, Youmail + STIR SHAKEN (IP/SIP only)

Voice Experts + Cybersecurity + Industry + Every Consumer

APPLY: In the Next 30 Days

Consumers, Enterprises, Service Providers, Equipment vendors:
• Find out what voice technology you use. What equipment is in place? E.g.: POTS, IP-PBX, TDM or SIP. Note: some VoIP applications use proprietary protocols.
• What solutions are used to address Robocalling?
• Do you use contact centres? What technologies are used there?
• Consider participating in Standards Development: ATIS, SIP Forum, IP-NNI joint task force, IETF, other

APPLY: In the Next 60 Days

Consumers: leverage services available to protect yourself from phone scams.

Enterprises: inquire where your voice experts are with STIR SHAKEN
• Will equipment in your environment need updates?
• Are your suppliers engaged in STIR SHAKEN?

Service Providers: inquire where your voice experts are with STIR SHAKEN
• What kind of solution is being planned?
• Vendor equipment? In-house development? Open source?
• What levels of attestation will you provide?
• How will you present this to customers?

Equipment vendors: inquire with your team where they are with STIR SHAKEN
• Do equipment features support STIR SHAKEN?
• Are there upgrades to infrastructure being planned?
• Gateways, SBCs, UEs

APPLY: In the Next 90 Days and Beyond

Consumers
• Leverage services available to protect yourself from phone scams.
• Look out for signs of deployment of STIR SHAKEN
• Your service provider may require you to opt in for this feature
• Are there new indicators of call attestation on your caller ID display?

Enterprises, Service Providers, Equipment vendors
• Partner with the voice experts to review security architectures for STIR SHAKEN
• Share your security expertise for secure implementation of STIR SHAKEN

Session Objectives

• Enhance your familiarity with the Robocalling problem and related voice crimes
• Review the STIR SHAKEN Framework
• Security Architecture considerations for STIR SHAKEN

Thank You!
CONTACT:
daksha_bhasker@comcast.com
Senior Cybersecurity Architect
Comcast
(215) 280-5216

Shout Out To Women in Cybersecurity

Daksha Bhasker, P.Eng(CIE), MBA, CISM, CISSP, CCSK
Senior Security Architect, Comcast

Daksha has over fifteen years’ experience in the telecommunications service provider industry, with roles in both business management and technology development, accountable for complex solution architectures and security systems development. Her security work spans carrier-scale voice, video, data and security solutions. Prior to joining Comcast she worked at Bell Canada developing their cyber threat intelligence platform and securing cloud deployments. Daksha holds an M.S. in computer systems engineering from Irkutsk State Technical University, Russia, and an MBA in electronic commerce from the University of New Brunswick, Canada. She has various publications in international security journals and contributes to security standards development. She is an advocate for women in cybersecurity.
APPENDIX: References, Standards, Documents

ATIS-1000074, Signature-based Handling of Asserted Information using Tokens (SHAKEN)
ATIS-1000080, Signature-based Handling of Asserted information using toKENs (SHAKEN): Governance Model and Certificate Management
ATIS-0300251, Codes for Identification of Service Providers for Information Exchange
ATIS-1000084, Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
ATIS-1000081, Technical Report on a Framework for Display of Verified Caller ID
RFC 7340, Secure Telephone Identity Problem Statement and Requirements
RFC 8224, Authenticated Identity Management in the Session Initiation Protocol
RFC 8225, Personal Assertion Token (PASSporT)
RFC 8226, Secure Telephone Identity Credentials: Certificates
RFC 3261, SIP: Session Initiation Protocol
Industry Robocall Strike Force Report
Martini Recipes

In Canada

• Rules for Robocalling have some differences
• And yet… in 2018 the BBB reported that Canadians lost >$100 million to scams, most of them over the phone

5 SHAKEN Certificate Management Architecture (II)

Figure: Governance sits above the STI-PA; the STI-PA and STI-CA talk over HTTPS; the Service Provider (SP-KMS with its SKS) obtains a Service Provider Code Token from the STI-PA, presents it to the STI-CA via ACME and receives its public key certificate, which is published to the STI-CR; the STI-AS and STI-VS reach these elements over HTTPS.

• The STI-PA is the trust anchor of the SHAKEN ecosystem and publishes the list of valid CAs.
• The STI-CA validates that the Service Provider Code Token has been signed by the STI-PA.
• Some carriers may establish their own CAs.**
• For the Authentication Service (STI-AS) to sign calls it must hold a private key corresponding to a certificate with authority over the calling number.

Source: ATIS-1000080

9 Secure Key Store (SKS)

Envelope Encryption, Key Vault, HSM
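The envelope-encryption pattern named above, as an added Go example that is not code from the talk or from any SKS product: each SP private key is encrypted under its own data-encryption key (DEK), and only the DEK is wrapped by the key-encryption key (KEK) that a key vault or HSM would hold, so the STI-AS can be handed an unwrapped key without the KEK ever leaving the vault. The key identifier is bound into the AES-GCM associated data so an envelope cannot be relabelled for another certificate. The in-memory KEK, the key identifier and the placeholder PEM are constructed stand-ins; in a real SKS the wrap and unwrap calls are the HSM's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KEK is the key-encryption key. In a real SKS it lives in an HSM or key vault and only wrap
// and unwrap are exposed; here (constructed example) it is an in-memory AES-256 key so the
// code runs offline. The pattern is the same: the KEK never touches the data it protects.
type KEK struct{ key []byte }

func NewKEK() (*KEK, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &KEK{key: k}, nil
}

// seal encrypts with AES-GCM and returns nonce || ciphertext || tag. aad is authenticated but
// not encrypted; binding the key ID into it stops an envelope being relabelled for another key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce; each DEK encrypts exactly one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Envelope is the record the SKS stores; KeyID names the STI certificate the key belongs to.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // private key encrypted under the DEK
}

// Protect generates a fresh 256-bit DEK for this key, encrypts the private key with it, and
// wraps the DEK with the KEK (the only step that would run inside the HSM).
func Protect(kek *KEK, keyID string, privateKeyPEM []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, privateKeyPEM, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.key, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Reveal unwraps the DEK with the KEK and decrypts the private key for the STI-AS. Any change
// to KeyID, the wrapped DEK or the ciphertext fails GCM authentication.
func Reveal(kek *KEK, env *Envelope) ([]byte, error) {
	dek, err := open(kek.key, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	kek, _ := NewKEK()
	env, _ := Protect(kek, "sp-a-shaken-2019", []byte("-----BEGIN EC PRIVATE KEY-----\n(constructed)\n-----END EC PRIVATE KEY-----\n"))
	key, err := Reveal(kek, env)
	fmt.Printf("%q %v\n", key, err)
}
```

Rotating the KEK then means re-wrapping only the small DEKs, not re-encrypting every private key, and the per-key DEK keeps a compromise of one envelope from exposing the rest.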

10 Privacy Considerations

Telephone Numbers, Phone Directory, CNAM, Yellow Pages

Data Custodians and Data Owners have different responsibilities and privileges.

Limitations

Scope of Impact (mitigation of spoofing by originating and terminating network):

Originating Network    Terminating Network    Mitigation of Spoofing
PSTN                   PSTN                   No impact
SIP-Domestic           SIP-Domestic           Significant impact
SIP-Domestic           PSTN                   Potential impact
PSTN                   SIP-Domestic           No impact
SIP-International      PSTN                   No impact
SIP-International      SIP-Domestic           Little impact

• SIP-only scope
• International calls will have low attestation
• Testing is underway
• Differences in US/Canadian CNAM operations may cause interop issues
• The solution itself continues to be developed and evolved
Shout Out To Women in Cybersecurity

HAPPY INTERNATIONAL WOMEN’S DAY!

A stunning exhibit at the Barnes Foundation in Philadelphia