STIR/SHAKEN: everything you need to know

The name “STIR/SHAKEN” refers to a set of protocols and procedures designed to fight caller ID spoofing. On March 31st, the Federal Communications Commission (FCC) of the United States voted in favor of the implementation of these rules.

What is spoofing?

Spoofing means faking the identity of a website, a phone number or any other digital identifier (email address, IP address, etc.). The practice is made easy by the lack of authentication in many of the application protocols that run on top of the IP layer.

Why spoof a digital ID?

Spoofing can be used to steal sensitive information by impersonating an authority or a trusted party (by replicating a bank’s website, for example). But the practice is not always fraudulent: it can also preserve the anonymity of a person or a company.

Regarding telephony, this technique is mainly used by cold callers (telemarketers).

Combined with a tool that automates calls (a robocaller), it forms the perfect combination for automated mass prospecting. By using a spoofed phone number, these unscrupulous companies make sure that they cannot be called back.

Many U.S. companies outsource these telemarketing tasks to foreign contractors, most often in India. To increase their response rate, these companies hide behind American phone numbers.

The STIR/SHAKEN procedures have been developed to address this problem. The Federal Communications Commission has decided that the STIR/SHAKEN procedures should be implemented by June 2021 in the United States and September 2020 in Canada.

How does STIR/SHAKEN work?

STIR/SHAKEN is based on two sets of rules with a common objective: to build a system of digital certificates issued by certification authorities.

STIR, for Secure Telephone Identity Revisited, proposes a “grade” (A, B or C) indicating the level of verification of the calling number. This grade will appear alongside the number displayed on the receiving phone. It is the responsibility of the telecom service provider to deliver this grade, by cross-checking the number against pre-established lists of numbers.

The STIR system is based on a chain of trust: each operator becomes a certification authority validated by the others. Telephone numbers are then assigned these grades, or digital certificates, as is already the case for websites whose identity is verified and confirmed by Certificate Authorities. The difference lies in the rating system: websites are either verified or not verified, whereas phone numbers receive an indicative grade:

- Grade A, the highest level of verification, designates a number whose identity is fully recognized by the operator: it has been able to identify the legal entity that owns the number and the person attached to the telephone extension. To obtain this grade, a company (this clause applies mainly to call centers) will have to publish a number at which it can be called back.

- Grade B means partial verification: the operator and the customer are known, but the identity of the person attached to the extension cannot be verified.

- Grade C indicates that the call comes from a known operator, but no information about the identity of the caller could be verified.

SHAKEN, for Signature-based Handling of Asserted information using toKENs, is the alternative for non-VoIP phones that cannot decrypt and display the authentication certificate. SHAKEN is also planned for the early days of STIR, when end-to-end verification will not be possible: not all operators will adopt the system at once, but it is necessary that minimal information about the call is transmitted.

STIR/SHAKEN implementation: a challenge for service providers

The implementation of the STIR/SHAKEN procedures is a challenge for operators. Assigning these grades is a great responsibility and means that call-handling procedures have to be reworked.

The correct operation of the system relies on cooperation between the different operators: this chain of trust can only be built if every operator is able to evaluate each number. Once the procedure has been adopted and mastered by a majority of operators, latecomers could see their communications fail: without prior transmission of a certificate, a third-party operator will be able to refuse to pass SIP packets through its server.

In France, voice spam or “ping calls” are getting the attention of the authorities. These one-second calls from foreign country codes try to “phish” the recipient into calling back, and the calling number then turns out to be a premium-rate number. The practice is becoming more and more insidious, hiding the premium-rate number behind an ordinary number starting with 01, 02 or 06. It is therefore highly likely that the STIR/SHAKEN procedures will inspire Europe in the near future.

