STIR/SHAKEN Thoughts

Posted . ~3min read.

This isn’t a discussion on “what is STIR/SHAKEN”… for that I refer you to Wikipedia, TransNexus, the FCC, and Google.

Today, I wish to waste your time with my thoughts regarding STIR/SHAKEN being a ridiculous waste of time and effort.

STIR/SHAKEN Does Not Stop Bad Calls

Companies such as Nextiva, Ribbon, Bandwidth, and others love to tout how STIR/SHAKEN will combat robocalls.

...mitigate unwanted robocalls and prevents bad actors from using Caller ID spoofing

Spoiler Alert: It doesn’t.

At its best, STIR/SHAKEN requires carriers to attest to the validity of the sender of a call. In layman’s terms, the three attestation levels are:

  • A - Carrier says “Hey, I know this guy. He’s a friend of ours.”
  • B - Carrier says “I know this guy… but something’s different. He’s not usually on this side of town.”
  • C - Carrier says “I got this for you. I don’t know nothing about it.”

So, in theory, if you get a call with “A” level attestation, you should feel really happy and excited. That would be great if there were any reason to believe that carriers actually know who made the call.

Swatting and such

I’ve been very lucky to review a decent amount of call data from school shooting threats, swatting calls, and similar misuse of the phone system (see more).

In reviewing the data, I noticed that a lot of the calls had arrived with A level attestation, yet the carriers had no idea who made the call.

One example of such a carrier was TextNow, which had been used to make an incredible amount of these calls. To see how easy it would be to do such a call, I used Tor to make a Google account with the name of a famous criminal. I then (still using Tor) created a TextNow account with the freshly made Google account. The last step was to then make a call (no credit card needed) to a reporter’s cellular number.

That call was sent with A level attestation.

DKIM

To me, STIR/SHAKEN is similar to DKIM: an attempt to reduce forging of the sender’s email address/phone number. And, more than 10 years later, DKIM has done little (if anything) to reduce spam. I get a ton of spam from Gmail and the repercussions for Google are… nothing.

Hassle

Besides the costs of implementing STIR/SHAKEN (through a service provider or paying for your own, official certificate), the hassle of implementation is quite high. The increase to the SIP message size is ridiculous, and should you want to verify such certificates/signatures… you now require multiple transactions.
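To make the attestation levels above and the verification hassle concrete, here is an added example of my own (not code from the post, nor from any STIR/SHAKEN implementation). It parses a SIP Identity header, decodes the PASSporT carried in it, runs the checks a verifier can do offline, and reports what the attestation letter actually claims. The carrier host, phone numbers, origid and the all-zero signature in the sample are constructed; a real ES256 signature check needs the certificate fetched from the x5u URL, which is exactly the extra transaction the post complains about.

```python
import base64
import json
from urllib.parse import urlparse

ATTEST_MEANING = {  # RFC 8588 attestation levels, in the post's own terms
    "A": "full: the originating carrier vouches for the customer and the number",
    "B": "partial: the carrier knows the customer but did not verify the number",
    "C": "gateway: the carrier only says where the traffic entered its network",
}

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_identity_header(value: str):
    """Split an RFC 8224 Identity header value into the PASSporT JWT and its ;-params."""
    jwt, *raw = [p.strip() for p in value.split(";")]
    return jwt, {k: v.strip('"<>') for k, v in (p.split("=", 1) for p in raw)}

def assess_shaken(value: str, now: float, max_age: int = 60) -> dict:
    """Decode the PASSporT and report what its attestation does and does not say.
    The ES256 signature is NOT checked: that needs the certificate fetched from the
    x5u/info URL, which is the extra transaction the post complains about."""
    jwt, params = parse_identity_header(value)
    hdr_b64, pl_b64, _sig = jwt.split(".")
    header = json.loads(_b64url_decode(hdr_b64))
    payload = json.loads(_b64url_decode(pl_b64))
    problems = []
    if (header.get("typ"), header.get("ppt"), header.get("alg")) != ("passport", "shaken", "ES256"):
        problems.append("unexpected PASSporT header fields")
    if header.get("x5u") != params.get("info"):
        problems.append("x5u and info URL differ")
    if not (now - max_age <= payload.get("iat", 0) <= now + max_age):
        problems.append("iat outside freshness window")  # replayed or stale token
    attest = payload.get("attest")
    return {"attest": attest, "meaning": ATTEST_MEANING.get(attest, "unknown attestation value"),
            "orig_tn": payload.get("orig", {}).get("tn"), "dest_tn": payload.get("dest", {}).get("tn", []),
            "signer": urlparse(params.get("info", "")).hostname,  # whose word you are taking
            "signature_verified": False, "problems": problems}

def constructed_sample(now: float) -> str:
    """Constructed Identity header with 'A' attestation; the signature part is a zero
    placeholder (not a real ES256 signature) and the carrier host is made up."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example-carrier.test/shaken.pem"}
    payload = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": int(now),
               "orig": {"tn": "12025550199"}, "origid": "constructed-origid"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode(), b"\x00" * 64]
    return ".".join(_b64url(p) for p in parts) + f";info=<{header['x5u']}>;alg=ES256;ppt=shaken"
```

The field worth keying on is `signer`: an “A” is only as good as the onboarding done by whoever holds that certificate, so any reputation or blocking policy should track the signing carrier rather than the attestation letter.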

For what benefit?

The PSTN is ultimately insecure. Your calls will not be encrypted end-to-end, your call will touch many hands, and you can’t put all your faith into the call being from who you think it is.

The PSTN has its purpose, and I love working with the PSTN, don’t get me wrong. But it’s not going to be made more secure or reliable by STIR/SHAKEN.

Of Interest

Speaking of PSTN… this video posted by Veritasium was fascinating…