If you're anything like me, your missed calls list looks a lot like this. And I know I'm not unique; the average person gets about 14 unwanted calls every month. And you might notice that some of these in my call list are flagged as spam, which is somewhat useful. But what if we could actually start to verify callers? What if we weren't just flagging things as spam and potentially harmful, but actually doing the opposite and saying, hey, you can trust this call? We already do this with websites. We already do this with emails. Why can't we do this with phone numbers? The good news is that the short answer is that we can. And I'm going to be telling you about this TLS-like technology that's been developed to solve the call authentication problem. It's called SHAKEN and STIR, and we'll be diving into the history of why this is a problem, some definitions and technical details of the spec, and how the U.S. is going to enforce implementation. Unfortunately, a lot of this is specific to North America right now, but we'll also be diving into the limitations of this technology, one of those obviously being that it's not applicable to the rest of the globe yet. My name is Kelly Robinson. I have been working at Twilio for about three years. Twilio offers a lot of communication services, including a lot of stuff around telephony. I actually work on Twilio's account security products for things like phone verification, but this was just something that I got really interested in, in terms of what the telephony security of actually authenticating call systems was. So we have a separate team at Twilio that I'm not involved with that is working on implementing some of this stuff, but this is just some of my own research into what this is and how it works, and hopefully I can share that with you as somewhat of an introduction to what SHAKEN and STIR is. So let's start with just talking about what telephony security even means.
"Security" is in quotes there very obviously because basically there wasn't a lot of security when telephony got started. There was a monopoly of companies, and even as recently as 30 years ago, the network basically looked like this. It was private. It was closed. There was proprietary technology everywhere. There were just a couple of companies and they all basically knew how to trust each other. They all knew who they were dealing with and they all had direct lines of communication with one another. If you compare that to today, there are literally thousands of companies. It's really easy to access this technology. There's more standard technology now built on top of IP, so you don't have to have this kind of proprietary technology and a lot of infrastructure to get started. And there are all these potential paths and routes for a call to take. You can think of the difference in accessing the telephony network like the difference in deploying a website today. So this is kind of the difference between having your own on-prem hardware, your own servers that you're running, versus today, when you can use something like AWS to get up and running very quickly. Before we dive into this a little bit further, I do want to give a little bit more context on some telephony jargon, if you aren't familiar with telephony like I wasn't before I started working at a telephony company. Starting with the PSTN: this is the analog and digital systems like cellular networks, undersea fiber optic cables and copper telephone lines. This is what allows people across the globe to complete voice calls. Something that you might have heard of before is VoIP. This is Voice over Internet Protocol. This is what a lot of mobile infrastructure and businesses are actually using now, and so this is what people are moving towards. This is kind of the standard technology that people have more access to now. But it can also interact with the PSTN.
And then finally, SIP is a way to initiate IP phone calls and other communications. You can kind of think of it like an HTTP request for phone calls. It contains metadata and instructions about where a call is coming from, who it's going to, and some other data about what the call should be. The important thing to note here is that SHAKEN and STIR will only apply to SIP-initiated phone calls. So let's talk about what the problem is here. I specifically frame this as unwanted robocalls because not all robocalls are bad. You can think of things like prescription pickup notifications, food delivery services, the "school has a snow delay" type of thing. There are reasons to automatically dial. But we do know that most of the robocalls that we get aren't that. They're spam, and that's bad. So I wanted to focus on the greater problem of unwanted robocalls here. The reason this is a problem, and it's gotten super common in the last five to 10 years, comes down to a few main reasons. First, there are a lot of cheap dialers now. It's really easy to do this automated dialing in an efficient way, which actually makes spam and fraud both more efficient and more profitable. Second, there are over 4,000 service providers in the U.S. alone, and that makes it easier to access and also gives you more options to access the PSTN. And third, there's no validation or authentication on who is placing a call. You can basically set the from number to whatever you want. There's an app that I downloaded on iOS that just lets you spoof phone numbers, and you don't really even have to know how SIP works. There's a way that you can do this with some SIP knowledge that's even cheaper, but there are these consumer applications that you can download if you're an iOS or Android user, and you don't have to have any technical know-how. You'll just have to believe me that this is a call I placed to myself from 867-5309.
So you might be asking, why isn't this just illegal, right? The main reason is that there are some legitimate use cases for spoofing phone numbers. Nowadays the practice for companies like Uber or DoorDash is to proxy phone calls through a third number that connects individuals. So when you call your Uber driver, or when your DoorDash delivery person calls you, you're not getting a phone call from their number. You're getting a phone call from a third-party number that's being proxied in between you. That has privacy use cases and also some cost-saving measures. But it wasn't always like that, right? You also had enterprise systems, or private branch exchanges, that might be placing a call to a customer from an individual agent's line, but they want to display something like the toll-free callback number. Historically those were just spoofed. You would say, hey, this isn't coming from me, Kelly. This is coming from my organization, and I want to make sure that you see this from number in case you need to call that back. These systems still exist, so we can't just outlaw this completely. In fact, the New York Times actually spoofed their from number until 2011, and it was one of those things to help protect their sources. If journalists were calling from their desk phones, they didn't necessarily want to be calling from an individual journalist's phone. But they now actually use a 212 number that you can call back. We did introduce some legislation to address this. The Truth in Caller ID Act of 2009 was what did that. So again, it's only about 10 years ago that we started to really think about this as a problem, but we can't completely ban call spoofing because of the legitimate ways that businesses are still using it. So the legislation specifies that it is illegal to spoof numbers if there's that intent to defraud.
But there's also an enforcement struggle with this, because of the network hops: it might take five or 10 service providers before you know who actually initiated the call, and they might or might not be able to tell you about the caller because they're placing calls on behalf of many, many customers. So tracking down a spammer takes a lot of time and effort, and therefore money, and that makes enforcement of this really hard. That brings us to the solution. That brings us to SHAKEN and STIR and what we're here to do. SHAKEN and STIR are the most egregious of backronyms. SHAKEN is Signature-based Handling of Asserted information using toKENs. STIR is Secure Telephone Identity Revisited. It does get worse. There's a proposal out there for Lemon Twist, but we're not even going to look at that, because I think people are just getting a little too creative. But basically, as the FCC describes it, what SHAKEN and STIR does is that calls would have their caller ID signed as legitimate by the originating carriers and then validated by the terminating carriers before reaching consumers. And so this is where it comes into that TLS-like authentication. You are signing calls as legitimate, and then the terminating service provider would display some information to the end user signifying that the call can be trusted and was not spoofed. We're not reinventing the wheel here; we're borrowing from other web authentication things. Public key infrastructure, certificates and JSON Web Tokens are all being used for this. It's very similar to email's DKIM and DMARC, which basically authenticate the from sender in an email. A lot of the work that was done on SHAKEN and STIR was done in conjunction with some of the authors of DKIM and DMARC, as a way to kind of set best practices for this type of communication. And this is a simplified view of the end-to-end system, of what happens with SHAKEN and STIR signed calls.
So the signing service includes some public key infrastructure key management, and it will be up to the originating service provider to do the key management there. Calls are routed in a few ways. Basically, between the originating service provider and the terminating service provider, you might remember from that early slide that there are all these kinds of routes that a call can take. The way that happens is there's something called the LNP, or local number portability. This is what people are using to track whether numbers have been ported between carriers, but it also works as kind of a DNS-like lookup for phone numbers so that you can then route calls to the right service provider. Usually it's up to the originating service provider to do this routing. The onus is on them to decide on the route that a call is going to take, and they're usually using something called least-cost routing. Twilio uses an interexchange carrier; there are vendors that allow you to do this to route calls. I don't want to get into that too much, but basically when the call is being passed through the other service providers in the middle there, it is just being passed through. There's no additional validation in the middle there; they're just passing the call through. Then on the other side of things, the terminating service provider has their own verification service, and the verification service is what contacts the certificate authority and uses the certificate authority's authority to verify whether or not the call that came into them is a valid call. Certificate authorities are being chosen by ATIS. That's the Alliance for Telecommunications Industry Solutions, and this is the standards body that authored SHAKEN. Some of the certificate authorities that have been chosen are companies like Neustar and TransNexus.
I think there are a few others that haven't been publicly announced yet. These are similar to the certificate authorities that administer TLS certificates, like Let's Encrypt. Then, when a call reaches a terminating service provider, it's up to the client, so this would be somebody like Apple or Google, to decide how to display that the call is trusted. This could be something like, hey, I've got a check mark next to this call, or we display something like you saw on an early slide that says there's a verified caller here. So this is something like the lock that we have in browsers with TLS HTTPS sites. There are different options here, and how to signify to consumers that these calls are not spoofed has not been standardized. I think that's going to be one of the interesting challenges that we see as this gets rolled out more: how do we build this trust on the consumer end of things and display it to them in a consistent way so that they know what to expect? So let's get into a little bit of the weeds of how this actually works from the technical perspective. This is what a SIP header looks like currently; you can see the metadata included there. Just a reminder, SIP is the way to initiate voice calls. But note the from here. The problem here is that the from number can be spoofed, and that happens if the originating service provider either allows it or isn't doing any validation on that. There might be those legitimate reasons for that, and a lot of legitimate service providers are already doing this validation; they're not letting you place calls from numbers that you don't have access to. But like I mentioned, there are over 4,000 service providers in the U.S. alone, and a lot of the long-tail service providers might not be doing this validation.
So what SHAKEN does is introduce a new Identity header, and this is in the form of a base64-encoded JSON Web Token. I'm going to focus on just some of the information that's encoded in the middle section here. The information encoded there includes things like the attestation level. This is in the header, and we'll talk more about what the attestation level is on the next slide. This is basically the crux of whether or not we trust this call, but it also includes some additional metadata like who the call is going to and who placed the call. And then, importantly, the origination ID. This is for the originating service provider's underlying customer, and it is set by the originating service provider. So the originating service provider, the OSP there, is really putting their reputation on the line, saying, hey, this is my customer that is placing this call, and I'm giving them this level of attestation. This is important because this ID makes it near instant to identify bad actors, because you can trace the call back to the underlying customer. This is what's going to allow us to enforce the Truth in Caller ID Act. So not only does SHAKEN allow you to build trust in calls that aren't spoofed, but it also helps a lot on the enforcement side of things, to make sure that we can track down bad actors more quickly and more efficiently. Back to the attestation levels. There are three levels that can be attributed to a caller, and the originating service provider is going to decide what the attestation level is here. A is the highest level of attestation, of course, and this is saying, I know who this customer is, and I know they can use this number that they are calling from. That is what you would assume most of the legitimate business calls being placed would get. Attestation levels B and C have a lesser level of trust in the call.
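To make the Identity header and attestation levels concrete, here is an added example (my own illustration, not code from the talk or from Twilio) that builds and verifies a SHAKEN PASSporT in Go. The claim names attest, orig, dest, iat and origid follow RFC 8225/8588; the key is generated on the spot in place of an OSP's certified key, and the x5u certificate URL and origid are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// passport holds the PASSporT claims (RFC 8225/8588): attestation, orig/dest numbers, issue time, origination ID.
type passport struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

// signIdentity (originating provider side) returns the SIP Identity header value "<JWS>;info=<x5u>;alg=ES256;ppt=shaken".
func signIdentity(key *ecdsa.PrivateKey, x5u string, c passport) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width r||s, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig) + ";info=<" + x5u + ">;alg=ES256;ppt=shaken", nil
}

// verifyIdentity (terminating provider side) returns the attestation level only if signature, freshness and number binding hold.
func verifyIdentity(pub *ecdsa.PublicKey, identity, invFrom, invTo string, now time.Time) (string, error) {
	parts := strings.Split(strings.SplitN(identity, ";", 2)[0], ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed PASSporT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var c passport
	if len(sig) != 64 || json.Unmarshal(payload, &c) != nil {
		return "", fmt.Errorf("bad signature or payload encoding")
	}
	// The header's alg is ignored on purpose: SHAKEN allows only ES256, so pinning it here rules out algorithm confusion.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	// RFC 8224 freshness window of 60 seconds: an older token is treated as a replay.
	if d := now.Unix() - c.Iat; d < -60 || d > 60 {
		return "", fmt.Errorf("iat outside freshness window")
	}
	// The signed numbers must match this INVITE, or a valid token could be reused on another call.
	if c.Orig["tn"] != invFrom || len(c.Dest["tn"]) != 1 || c.Dest["tn"][0] != invTo {
		return "", fmt.Errorf("signed numbers do not match INVITE")
	}
	if len(c.Attest) != 1 || !strings.Contains("ABC", c.Attest) {
		return "", fmt.Errorf("unknown attestation level %q", c.Attest)
	}
	return c.Attest, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the OSP's certified key
	claims := passport{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}}, Iat: time.Now().Unix(),
		Orig: map[string]string{"tn": "12125550199"}, OrigID: "origid-placeholder"} // constructed sample call
	identity, _ := signIdentity(key, "https://cert.example.invalid/osp.pem", claims) // x5u is a placeholder URL
	attest, err := verifyIdentity(&key.PublicKey, identity, "12125550199", "12025550123", time.Now())
	fmt.Println("attestation:", attest, "error:", err)
}
```

The terminating side deliberately rejects a token whose signed numbers differ from the INVITE it arrived on, which is what stops a legitimately signed token from being harvested and replayed against a different callee.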
But a call signed with any of these attestation levels is still likely to be less fraudulent than one that wasn't signed at all. Generally, and this is where we don't have a lot of standardization yet, the clients, so the Googles and the Apples, are going to have to decide in conjunction with the carriers, the Verizons and the T-Mobiles, how to display trust, and likely what's going to happen is that they're only going to display a check mark or a verified caller if there is that attestation level A. Technology is really great, but we need to make sure that people are actually implementing this, and one of the things that is good about this is that it puts the onus on businesses to do the implementation, and not as much on the consumers, to increase consumer protections. But the main way that we're going to ensure that businesses implement this is with the TRACED Act. This is the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act. It passed the Senate last May, was passed by the House, and was signed into law in December of 2019. I think it was like December 30 of 2019 that it was signed into law. What it did is give a timeline that started at that point, so basically you can think of the beginning of this year. It gives telecom companies 18 months to implement SHAKEN and STIR, so you can think of mid-2021 as kind of when the deadline for this is. A lot of bigger companies have been working on this for a while, but it's still going to start to enforce the deadline in mid-2021, assuming that everything goes as planned. It also allows for a $10,000 fine for offenders, and this does add an additional fine on top of the existing Truth in Caller ID Act. The authentication requirements for the TRACED Act depend on the type of calls. If it's VoIP, the requirement there is that you have to implement SHAKEN and STIR.
But they do acknowledge that there isn't really a good solution for non-VoIP calls yet, and there are a lot of non-VoIP calls on the PSTN. Neustar has a solution called STIR out-of-band for non-VoIP authentication. If your company is placing non-VoIP calls, there are things that you can look into here for you or your customers. But I definitely think that's one of the challenges to getting this implemented: not everything is just going to be able to implement SHAKEN and STIR. And that's what I wanted to get into now, some of the limitations of this technology. First, according to my curmudgeonly coworker Randy, who's been working in telecom for many, many years, the phone network is kind of an ungodly beast. It's a collection of wires that has been rapidly expanding for over 100 years. That's the kind of situation we've run into, where there isn't a standard technology being used for all the calls, so we can't just flip a switch and change everything over to suddenly be authenticated. Part of that ungodly beast is this thing called time-division multiplexing, or TDM. This is essentially the opposite of VoIP: old-school hardware that's been around for 50 years, baked into a lot of enterprise private networks. The TRACED Act explicitly acknowledges TDM as a potential burden to implementing SHAKEN and STIR. They said that the burdens or barriers to the implementation include, for providers of voice service, the extent to which the networks of such providers use time-division multiplexing. That's fancy language in the bill that basically says, we get it, this might be hard for people that aren't using VoIP. Another challenge that we have is that there is just this long tail of service providers. This is something that companies like Twilio, Verizon, Comcast and other large companies have been working on for months.
What happens when you're a smaller-scale service provider that's running limited infrastructure? You might have different access points to the PSTN that aren't going to be VoIP, like I said. So of the 4,000 service providers in the U.S. alone, I don't know what percentage of those is going to be compliant by mid-2021. The requirements to comply with this law do require significant investment, and I don't know if we can reasonably expect that everybody will be able to make that investment in time. Then there are all these other problems. The biggest problem is in the U.S. right now, but this is also a problem in places like the UK and Norway, and I haven't really heard of any initiatives outside of North America to address this. There are starting to be some initiatives to implement this in Canada. But maybe this is something that, if your country has a solution for this, definitely reach out; I'd love to hear about what you're doing for enforcement there. There are other things that we have to think about, like what about ported numbers, the international side like I mentioned, and also text messages. There are other communication channels that don't have the same type of authentication. The FCC's number one complaint right now is robocalls, but the government is obviously a little distracted with a global pandemic right now. But I think in terms of that department, this is something that they have a priority and motivation to fix. So like I said, the timeline for enforcement here is that towards the end of 2020 or into 2021 we'll start to see more people implement this, and you might start to see calls coming through already on your phone that have a check mark, or some indication that they're being signed.
So what can you do in terms of implementing SHAKEN and STIR for your business? Talk to your service provider, whoever is doing your telephony. Most businesses probably won't have to do much in terms of implementation; a lot of the onus is going to be on the service providers themselves. You might have to go through some additional verification, some KYC, know-your-customer type stuff, with your service provider. Twilio will need you to create a business profile that has some additional details about your account before we would start signing your calls with the highest attestation. Then there are some precautions that you can take just as application security professionals. You can protect your numbers from web scraping bots, and don't assign sequential numbers to your employees; that's a way that people can kind of guess which employees might have lines at your company. And you can use actual authentication in your call centers. This is another way that you can protect your business from vishing. This is something that I could talk about for many, many hours: a lot of companies will basically only ask a consumer for their date of birth and email in order to verify the customer, and there are a lot of other things you can do to actually authenticate people on either end of the call. And if you know what a PBX is and you have one, you might look into installing the blacklist database on that. There's some controversy around whether or not you want to do that, since it's hard to get off the blacklist database if you're on there, but this is something that you may or may not have to worry about. Then there is some ongoing legislation, but things have been pretty quiet from the FCC this year.
They did recently, or somewhat recently, like in the last year, give telcos the authority to block unwanted calls without explicit subscriber permission. So AT&T, Verizon and T-Mobile in the U.S. can now decide, hey, we're going to send this to basically a spam folder without ever notifying you that the call came in, and I don't need you to tell me that that's okay. And like I mentioned, in terms of the timeline for the TRACED Act, the enforcement will begin at the end of 2020. The last update from the FCC on this was March 31. This reaffirmed their call to implement SHAKEN and STIR, but it did already grant an extension for small voice service providers. And I don't know what that means. I don't know exactly how they're going to decide who is a small voice service provider, but they are already thinking about it. This was three months after the bill was signed into law, and they're already saying, hey, maybe this timeline isn't reasonable. So while I do think that a lot of larger telecom providers will start to sign calls by the end of this year, I do think that there is going to be an exception for that long tail of service providers, and not everything is going to be a signed call before the end of 2021. There are a couple of things you can do as a consumer to protect yourself today. You can install one of these apps, depending on how much you trust them; a lot of times you have to give them basically complete control over your phone, so your mileage may vary there. Things like Nomorobo and RoboKiller. Companies like AT&T have a partnership with a company called Hiya that does some protection against spam calls. Of course, a lot of consumer telecoms are starting to upsell spam detection services, so Verizon offers their Call Filter Plus for the low, low price of $3 a month.
But these are things that you can look into installing on your phone if this is a huge annoyance to you right now. So like I said, unfortunately I don't think this is going to solve all problems right away, but I think people are really optimistic that SHAKEN and STIR will help restore trust in telephony, because not only is it going to help mitigate spam calls coming into your phone, but it helps for those wanted calls, the calls that you want to see that might be from unknown numbers. So I guess there's going to be a renewed trust in some of those phone calls, and there is that motivation from businesses to restore that type of trust so that people will answer the calls. Hopefully this is a good overview in terms of what you can expect from SHAKEN and STIR. If you have any questions you can find me on Twitter; I'm also on Discord. My name is Kelly Robinson, and thank you for listening.