Root Causes 31: Using PKI to Authenticate Phone Callers

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  We want to talk today about caller ID phone number spoofing and what can be done about it.

• 

  Jason Soroko

  Directories of people, either white listing or black listing, haven’t worked here.

• 

  Tim Callan

  The basic trouble is that phone numbers are self-reported. So, in this sense there a lot of like other things that we’ve talked about, like From email addresses being fundamentally self-reported. It’s basically the same problem. So I can get a phish email, and it says that it’s from my bank or from my boss at work, and it looks exactly the same as a real email really would because the From address is completely and utterly configurable to be anything you want.

  The same thing is true for a caller ID phone number. A lot of people don’t know this but when you get those irritating robocalls on your cell phone, you might hit “block this caller,” but that’s of no consequence because what you’re blocking self-reported caller ID phone number and since that’s just being spoofed anyways that’s just made up, the next time you get that robocall from the same robocaller, it’s just going to be a different number.

• 

  Jason Soroko

  In other words, you don’t really know the origin of who’s calling you. That’s just the way it works.

• 

  Tim Callan

  The offline equivalent would be if we just said who we were. So if I walked in to some place of business and said, “Hey guess what? I'm the owner of this business. Give me all the stuff,” and everybody said, “Oh ok.” That’s more or less what it is. It’s self-reported. There’s no teeth. There’s nothing at all.

  Now compare that to other digital systems. You and I have talked in the past about the need for certificates to provide strong identity in, let’s say, a DevOps environment because we have to know that every single task is real and every single container is real. And now compare that to our world of telephony where they’re just saying who they are.

• 

  Jason Soroko

  There are so many other problems in a general sense that are like this. From the IoT standpoint critical infrastructure is an example, in a plant or whatever. All kinds of these things are going to have an IP address of some kind. They’re on the network. But what is this thing? This thing is declaring that it is a controller unit of some kind. Well I might just trust it if it says that. But ultimately trusting just the basic addressing that can be self-reported is tough to swallow. And we now know that in all kinds of systems this doesn’t work. And even amongst human beings using the telephone there must be a better way to actually identify who someone is.

• 

  Tim Callan

  That way of course is PKI, right? If you look at in an IoT environment, if you want to get around potential attacks, part of the way to do it is to make sure that the devices all have unique certificates and that way something can’t go in and report false information and cause the network to work poorly or report that it’s someone it isn’t to harvest data it’s not supposed to have. In the public facing server world we have TLS certificates that indicate who they are so I can’t go and pretend to be an agent that I'm not and get information or give commands or cause things to happen that shouldn’t.

  In the phone world, the FCC just recently held a summit for something that’s called SHAKEN/STIR (Signature-based Handling of Asserted Information Using toKENs and Secure Telephone Identity Revisited). This group was talking about using PKI and key-based identity in the telephony system to ensure that those caller ID numbers are accurate. Basically we’re seeing the real number that that caller really has inside of the phone system.

• 

  Jason Soroko

  It’s an interesting proposal. I would personally love this thing to be pushed further.

  I know that, after years of working, GSMA-type consortium standards that we’ve seen over the years, PKI has been brought to bear on a lot of it. Other choices have been made in the past, typically for devices connecting to a network. But this gets to the heart of who’s calling me.

  Using PKI to solve that, I think that the solution that I’ve looked at on the surface seems reasonable. Whether or not a carrier or someone might be, might actually take this on, I'm not sure what kind of consortiums and standards and things that have to be completely baked out, but I think that the proposal definitely makes sense. For this SHAKEN/STIR framework, it’s going to be interesting to see whether or not somebody picks it up and carries it forward into an actual operational format. What this will look like in operation versus just the proposed framework might be a different story. But let’s take a look at what the SHAKEN and STIR actually stand for.

• 

  Tim Callan

  Okay.

• 

  Jason Soroko

  SHAKEN is Signature-based Handling of Asserted Information Using toKENs. And stir is Secure Telephone Identity Revisited.

• 

  Tim Callan

  A couple words there. Identity. Token.

• 

  Jason Soroko

  Assertion.

• 

  Tim Callan

  Think of this as applying a PKI standard to your phone. I think this is badly needed. So I believe a couple things. One is that if you’re not really steeped in the industry, nobody realizes that this isn’t the case. Like I think if you think about there’s a call coming in on my cell phone and I see the number and it says it’s coming from this number, that must be true. How could that conceivably not be accurate, right?

• 

  Jason Soroko

  Yeah right.

• 

  Tim Callan

  And if they realize that your phone is piping through a number that the other side is just saying, “Hi, this is my number,” that that would be very much a gee whizmoment for most ordinary, lay people. But the second thing I believe is that this is a very serious problem. The number of robocalls I get, and you know there’s some woman who wants to speak Mandarin to me that I get that a lot and lately I'm - -

• 

  Jason Soroko

  I get that.

• 

  Tim Callan

  I'm getting the one that says that my Social Security Number has been suspended. You’re not getting that, obviously.

• 

  Jason Soroko

  No.

• 

  Tim Callan

  Because you don’t have a Social Security Number. But it’s a funny concept. What does that mean suspended? How could your Social Security Number be suspended?

  But you know this is a problem. I know a lot of people – and I'm one of them – I do not answer my telephone if I do not recognize that number because it’s just going to be a waste of my time. And what’s the cost of this in terms of human productivity? And what’s the cost of this in terms of our being able to communicate with each other effectively? And then ultimately these robocalls wouldn’t be running if they weren’t economical feasible which means that somebody’s being cheated out of their money. So what’s the cost of that?

• 

  Jason Soroko

  Tim, I can’t help but think the people who are going to be the most vulnerable to the robocalls are ultimately people who don’t have that level of sophistication.

• 

  Tim Callan

  Yes, absolutely.

• 

  Jason Soroko

  You know they might come from a different generation where they’re more trusting or they just operate differently. Or what the heck? You know if the telephone rings, you just pick it up. That’s just the way you operate for a lot of people, and I think it’s unfortunate for those of us who have stopped answering our phones for the reason you just said. I just had a call this morning, literally two hours ago. I was trying to place a call but I was placing it through a service because it was a long-distance number. That person on the other end, even though we had timed the meeting to an exact minute, I called on the exact minute, would not answer the phone because it looked like it was coming from a telemarketer.

  And so, I ended up getting a text message saying, “Hey is that you?” Isn’t it interesting? But the solutions for this do exist and I think that the SHAKEN/STIR framework that’s being presented here is completely reasonable. It’s just I would like to talk to the carriers and others who would have to implement this. What does this look like in reality?

• 

  Tim Callan

  And this again, goes back to some of the things we’ve talked about before. We’ve talked about how hard it is to swap out the cryptographic system behind our current digital systems in order to be quantum resistant. I think this is a similar thing. If you probably got way down in the weeds with the telephone carriers you would have a nice detailed conversation about what’s required to make this reality, and it probably proves to be quite non-trivial.

• 

  Jason Soroko

  Well problems such as SIM swapping have been out a long time. They’ve not solved it yet. Problems around how do you assure that a device itself is connecting to a network where it belongs? GSMA wrestles with this all the time. They obviously have all kinds of their own frameworks and standards. The problem is they’re still working on newer ones, and then with 5G, geez all kinds of other questions about identity especially when the concept of time changes.

  You know the concept of splitting workload into various virtual units. Security just becomes more and more and more of a head scratcher, but solving the fundamental problem of who the heck is calling me, that’s all we’re talking about right now, and at least there’s something in front of us that looks reasonable.

• 

  Tim Callan

  I would love to see this be reality. You know, if we can all collectively solve the email From address problem, which obviously S/MIME certificates can be part of, and if we can solve the false telephone identity problem, then the average person’s ability to communicate without feeling like they’re in jeopardy of being conned goes up considerably. There’s a big societal gain to be had there. I hope this goes some place. I hope this has legs because this is a problem that we all really need to solve.

• 

  Jason Soroko

  Yeah, it’s a big problem. I mean the telephone, just like emails not going anywhere, the telephone is not going anywhere either.