SITR/SHAKEN implementation in effect today (June 30 2021)
Michael Thomas
mike at mtcc.com
Fri Jul 2 17:23:43 UTC 2021
People who are actually interested in this subject are well advised to
read this thoroughly because it equally applies to SIP spam with a
system far less complex and far fewer gaping security holes as STIR.
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
Mike
On 7/2/21 8:54 AM, Paul Timmins wrote:
>
> Fun part is that just because it's a telnyx number with a checkmark,
> it doesn't mean the call came from Telnyx, just that the call came
> from a carrier that gave the call attestation A. As the carrier, we
> can see who signed the call (it's an x509 certificate, signed by the
> STI-PA, with the carrier's name and OCN in it) and hold them
> accountable for the traffic, which is huge.
>
> But that's where the confusion will lie - a customer might say well
> this is a verizon wireless number, i'll yell at them! But the actual
> call came in through Lumen, and they're the ones who can stop it. A
> carrier can see the cert, but you can just get the verstat flag from
> the P-Asserted-Identity field in the call to the handset and see that
> it passed the tests for attestation A.
>
> Just because you don't see a checkmark doesn't mean signatures aren't
> happening. Attestation B and C aren't displayed on the handset (but
> are seen in the carrier's systems) and most androids don't have a way
> to display stir/shaken stuff yet. T-Mobile doesn't send the verstat
> header to handsets they don't verify as s/s compliant (usually only
> ones they sell). My trick was to sim swap into an iphone for a day,
> then back to my android which started displaying the verification
> after that.
>
> It's all new, but just because you don't see it doesn't mean it's not
> there. Report the calls to your carrier, they have new tools to track
> down the misbehavior.
>
> On 7/2/21 8:32 AM, Nick Olsen wrote:
>> Not all have implemented it yet. But if you haven't. You were
>> supposed to implement some kind of robo calling mitigation plan (Or
>> atleast certify that you have one). At $dayjob we're fully deployed
>> (inbound and outbound).
>>
>> I received my first ever STIR/SHAKEN signed (iPhone Check mark,
>> highly scientific) spam call on my personal Cell phone on 6/30. It
>> was a Telnyx number. Had the call terminated to $dayjob network. I
>> fully would have collected all various information and ticketed it
>> with Telnyx.
>>
>> Time will tell how truly effective this is. But we have better
>> originating information now (breadcrumbs) to follow back to the source.
>>
>> On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas at naund.org
>> <mailto:andreas at naund.org>> wrote:
>>
>>
>>
>> On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf
>> <kmedcalf at dessus.com <mailto:kmedcalf at dessus.com>> wrote:
>>
>> ... and the end carrier is making money for terminating them.
>>
>>
>> Survey (of n=1) says: nothing has changed, aka the new technology
>> is not working. I just received the same kind of recorded message
>> call of "something something renew auto warranty" on my AT&T
>> u-Verse line. This time when I called back the displayed caller
>> ID number it was ring-no-answer, versus the previous "you have
>> reached a number that is no longer in service". By terminating
>> the call the carrier made probably more money than it would cost
>> them to enforce the new rules.
>>
>> Other than the donotcall.gov <http://donotcall.gov> portal, is
>> there a new way to report the obvious failure of STIR/SHAKEN?
>>
>> -andreas
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210702/5fe2d97a/attachment.html>
More information about the NANOG
mailing list