[conspire] Fixing (maybe? somewhat?) the "Caller-ID lying" problem

Rick Moen rick at linuxmafia.com
Wed Nov 24 14:03:53 PST 2021


Annoying robocallers and scammers using the worldwide telephone network 
are an old problem, but the ascendancy of VoIP (voice over IP) as
mass-market technology over the past thirty years worsened the problem
because it made spoofing Caller-ID a trivial task even for
knuckle-dragging boiler-room spammers driving MS-Windows boxes using
mass-market Make a Fortune as a Spammer software -- because of a quirk
in the broader populace's thinking: 

Starting soon after Caller-ID's
(https://www.melabs.com/resources/callerid.htm,
http://tapiex.com/help/faqcallerid.htm) debut in 1992, people
started assuming what their telephones' little LCD displays showed them
about the claimed call's originating telephone number and associated
caller name was the truth.

And it basically isn't.  Not reliably.

The Caller-ID technical standard is a hodgepodge of arrangements among
carriers, many of them charging money for name-database lookups, which
is why mobile phone callers' calls sometimes appear as "WIRELESS
CALLER", or as the location where the phone number is registered.  And
VoIP tore the already terrible reliability of the Caller-ID information
into shreds starting on a serious scale around 2004, because, as the
Wikipedia article about VoIP says:

  Voice over IP protocols and equipment provide caller ID support that
  is compatible with the PSTN.  Many VoIP service providers also allow
  callers to configure custom caller ID information.

"Configure custom caller ID information".  I like that.  Delicately
stated.  In other words, the computer-based user (or software bot)
originating the VoIP call is completely free to lie and make the claimed
calling number and associated name/location label become anything at all.  
http://voipsa.org/blog/2006/09/29/hello-mom-im-a-fake/
https://en.wikipedia.org/wiki/Caller_ID_spoofing

I've spent decades, on and off, trying to get folks to understand the
implications, e.g., that "blocking the spammer's number" is just shooting
at your own feet, because that wasn't the spammer's telephone number,
but rather an innocent third party's (or nobody's).   


Well, something to help is now being rolled out in at least the United
States and Canada, in the form of a pair of protocols with cutesy Ian
Fleming-inspired names:

o  STIR (Secure Telephony Identity Revisited) adds a digital certificate to
   the Session Initiation Protocol (SIP) information used to initiate and 
   route calls in VoIP systems.  Defined in:

   RFC 8224 - Authenticated Identity Management in the Session Initiation
   Protocol (SIP)
   RFC 8225 - PASSporT: Personal Assertion Token
   RFC 8226 - Secure Telephone Identity Credentials: Certificates

o  SHAKEN (Signature-based Handling of Asserted information using toKENs)
   is a suite of guidelines for public switched telephone networks that
   indicate how to deal with calls that have incorrect or missing STIR
   information.  Defined in:

   RFC 8588 - Personal Assertion Token (PaSSporT) Extension for
   Signature-based Handling of Asserted information using toKENs (SHAKEN)

https://en.wikipedia.org/wiki/STIR/SHAKEN

The STIR crypto headers allow endpoints along the system to
positively identify call origin, and decide whether to trust the 
claimed Caller ID.  Being buzzword-compliant, this involves passing
around a JSON Web Token with the Caller ID claim and attestations.
It's a web-of-trust crypto system -- except, depressingly, 
Certificate Authorities (CAs) are involved.
https://transnexus.com/whitepapers/stir-shaken-cms-solutions/

According to the Wikipedia articles, the details of SHAKEN are a bit
more fluid and recent. 

Anyhow, FCC has been leaning on all US telcos to implement STIR/SHAKEN,
the latest of the oft-rescheduled deadlines being Nov. 30, 2021.
Canada's CRTC has had a similar record with Canadian carriers.

It remains to be seen how well all of this will work in the real world.
The experience of rogue/corrupt/criminal/incompetent CAs for the Web 
and related Internet protocols is not reassuring.   

In the meantime, remember the general rule, that Caller-ID can and will
lie fluently whenever convenient for a VoIP originator.
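
Added illustration (not part of the original post, and not any carrier's code): the claim checks a terminating provider can apply to the SHAKEN JSON Web Token (PASSporT) mentioned above, comparing it with the Caller ID the SIP request displays. Signature and certificate validation are out of scope here; the function names, telephone numbers, certificate URL and 60-second freshness window are assumptions, and the token is a constructed sample.

```python
import base64, json

MAX_AGE = 60  # seconds of "iat" freshness; an assumed local policy value

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canon_tn(number):
    # PASSporT "tn" values are bare digits: drop "+", spaces, dashes, brackets.
    return "".join(ch for ch in number if ch.isdigit())

def check_passport(token, sip_from, sip_to, now):
    """Return (verdict, reason) for the claims of a SHAKEN PASSporT.
    The ES256 signature and the x5u certificate chain are NOT checked here;
    a real verifier validates both first and rejects on failure."""
    try:
        head_b64, body_b64, _sig = token.split(".")
        head, body = json.loads(unb64url(head_b64)), json.loads(unb64url(body_b64))
        orig, dest = body["orig"]["tn"], body["dest"]["tn"]
        iat, attest = body["iat"], body["attest"]
        if not (isinstance(head, dict) and isinstance(iat, int) and isinstance(dest, list)):
            raise ValueError("wrong claim types")
    except (ValueError, KeyError, TypeError):
        return "reject", "malformed token"
    if (head.get("alg"), head.get("typ"), head.get("ppt")) != ("ES256", "passport", "shaken"):
        return "reject", "unexpected header"
    if "x5u" not in head:
        return "reject", "no certificate URL"
    if abs(now - iat) > MAX_AGE:
        return "reject", "stale iat (possible replay)"
    if orig != canon_tn(sip_from):
        return "reject", "orig.tn differs from the displayed caller ID"
    if canon_tn(sip_to) not in dest:
        return "reject", "dest.tn differs from the called number"
    if attest not in ("A", "B", "C"):
        return "reject", "unknown attestation level"
    # Only "A" means the signing carrier vouches for the caller's right to the number.
    return ("trusted" if attest == "A" else "unverified-number"), "attest=" + attest

def make_sample(orig, dest, iat, attest):
    """Constructed sample token; the third part is a placeholder, not a signature."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.invalid/shaken.pem"}
    body = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
            "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return ".".join([b64url(json.dumps(p).encode()) for p in (head, body)] + ["c2ln"])
```

A token that passes these checks still proves nothing until its signature has been verified against a certificate chaining to a trusted STI CA.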