SHAKEN/STIR is Getting Real

The Federal Communications Commission (FCC) estimates robocalls will constitute more than half of all phone calls placed in the U.S. this year. In an effort to end to this, the FCC and major telecommunications companies including Comcast, AT&T, and T-Mobile have lined up behind a new standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using ToKENs and Secure Telephony Identity Revisited) to combat robocalls and caller ID spoofing. Read about the FCC’s latest robocall summit here.

Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed. However, SHAKEN/STIR requires a comprehensive ecosystem and will only effectively work if every deployment at every telco (or commercial CA) is secure. The graphic illustrating SHAKEN/STIR is available to download here.

As the ecosystem is being defined, the players involved need to educate themselves on the many places where things can go wrong including bad policies, lax security controls, or weak operational practices. Bad actors will absolutely try to subvert this security to initiate “validated” calls.

See you at Black Hat USA 2019 and DEF CON 27

I will be onsite at Black Hat USA 2019 and DEF CON 27 – presenting How PKI and SHAKEN/STIR Will Fix the Global Robocall Problem at the DEF CON 27 Crypto & Privacy Village. If I don’t see you on the show floor before hand, join me Friday, August 9 at 5:00 p.m. at Planet Hollywood, Celebrity Ballroom 2.

In my talk, I will address the current landscape and what’s at stake, outline the SHAKEN/STIR global standard, explain how it works, explain the ecosystem and the players, discuss the evolution and deployment, and dive into the technical stuff.

Afterward, please join me as PKI Solutions and Keyfactor host a Crypto Chat & Drinks on Friday, August 9, 6-8 p.m., Blue Moon Bar, Planet Hollywood, immediately following my talk.