People who are actually interested in this subject are well advised to read this thoroughly because it equally applies to SIP spam with a system far less complex and far fewer gaping security holes than STIR.

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf

Mike

On 7/2/21 8:54 AM, Paul Timmins wrote:

Fun part is that just because it's a telnyx number with a checkmark, it doesn't mean the call came from Telnyx, just that the call came from a carrier that gave the call attestation A. As the carrier, we can see who signed the call (it's an x509 certificate, signed by the STI-PA, with the carrier's name and OCN in it) and hold them accountable for the traffic, which is huge.

But that's where the confusion will lie - a customer might say, "Well, this is a Verizon Wireless number, I'll yell at them!" But the actual call came in through Lumen, and they're the ones who can stop it. A carrier can see the cert, but you can just get the verstat flag from the P-Asserted-Identity field in the call to the handset and see that it passed the tests for attestation A.

Just because you don't see a checkmark doesn't mean signatures aren't happening. Attestation B and C aren't displayed on the handset (but are seen in the carrier's systems) and most Androids don't have a way to display STIR/SHAKEN stuff yet. T-Mobile doesn't send the verstat header to handsets they don't verify as S/S compliant (usually only ones they sell). My trick was to SIM swap into an iPhone for a day, then back to my Android, which started displaying the verification after that.

It's all new, but just because you don't see it doesn't mean it's not there. Report the calls to your carrier, they have new tools to track down the misbehavior.

On 7/2/21 8:32 AM, Nick Olsen wrote:
Not all have implemented it yet. But if you haven't, you were supposed to implement some kind of robocalling mitigation plan (or at least certify that you have one). At $dayjob we're fully deployed (inbound and outbound).

I received my first ever STIR/SHAKEN signed (iPhone check mark, highly scientific) spam call on my personal cell phone on 6/30. It was a Telnyx number. Had the call terminated to $dayjob network, I fully would have collected all various information and ticketed it with Telnyx.

Time will tell how truly effective this is. But we have better originating information now (breadcrumbs) to follow back to the source.

On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas@naund.org> wrote:


On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
... and the end carrier is making money for terminating them. 

Survey (of n=1) says: nothing has changed, aka the new technology is not working. I just received the same kind of recorded message call of "something something renew auto warranty" on my AT&T u-Verse line. This time when I called back the displayed caller ID number it was ring-no-answer, versus the previous "you have reached a number that is no longer in service". By terminating the call the carrier made probably more money than it would cost them to enforce the new rules.

Other than the donotcall.gov portal, is there a new way to report the obvious failure of STIR/SHAKEN?

-andreas
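
Added example, not part of the original thread or any carrier's code: a Python sketch of the distinction Paul Timmins describes, where the terminating carrier can read the attestation level and the signing certificate URL from the SHAKEN PASSporT in the SIP Identity header, while the handset only gets the verstat parameter in P-Asserted-Identity. Both INVITEs, the host names, numbers, origid and signature are constructed samples, and the sketch decodes the token without verifying its signature or certificate chain.

```python
import base64, json, re

def _enc(obj):  # builds the constructed sample token only
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(seg):  # base64url-decode one JWT segment, restoring stripped padding
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

# Constructed sample data: example hosts, 555 numbers, placeholder signature.
CERT_URL = "https://certs.signing-carrier.example/sti.pem"
TOKEN = ".".join([
    _enc({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}),
    _enc({"attest": "A", "dest": {"tn": ["12025550100"]}, "iat": 1625230440,
          "orig": {"tn": "12025550123"}, "origid": "constructed-origid-0001"}),
    "c2lnLXBsYWNlaG9sZGVy"])
CARRIER_INVITE = "\r\n".join([  # what the terminating carrier receives
    "INVITE sip:+12025550100@term.example SIP/2.0",
    f"Identity: {TOKEN};info=<{CERT_URL}>;alg=ES256;ppt=shaken", "", ""])
HANDSET_INVITE = "\r\n".join([  # what is delivered to the handset
    "INVITE sip:+12025550100@handset.example SIP/2.0",
    "P-Asserted-Identity: <sip:+12025550123;verstat=TN-Validation-Passed"
    "@ims.example;user=phone>", "", ""])

def header_values(msg, name):
    """Return all values of header `name` (case-insensitive) before the body."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip request line
    pairs = (line.partition(":") for line in head)
    return [v.strip() for k, _, v in pairs if k.strip().lower() == name.lower()]

def summarize(msg):
    """Collect the verstat flag and SHAKEN PASSporT fields (unverified)."""
    out = dict.fromkeys(["verstat", "attest", "orig_tn", "origid", "signer_cert_url"])
    for pai in header_values(msg, "P-Asserted-Identity"):
        m = re.search(r";verstat=([A-Za-z-]+)", pai)
        if m:
            out["verstat"] = m.group(1)
    for ident in header_values(msg, "Identity"):
        parts = ident.split(";", 1)[0].split(".")
        if len(parts) != 3:
            continue  # not a full-form PASSporT
        hdr, claims = _dec(parts[0]), _dec(parts[1])
        if hdr.get("ppt") == "shaken":
            out.update(attest=claims.get("attest"), origid=claims.get("origid"),
                       orig_tn=claims.get("orig", {}).get("tn"),
                       signer_cert_url=hdr.get("x5u"))
    return out

if __name__ == "__main__":
    print(summarize(CARRIER_INVITE), summarize(HANDSET_INVITE), sep="\n")
```

The calling number in `orig_tn` says nothing about who signed the call; that identity comes from the certificate at `signer_cert_url`, which only the carrier-side view exposes.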