The Million-Pound British Alternative to the Billion-Dollar STIR/SHAKEN Program

It is no secret that the North American businesses who created STIR/SHAKEN, the technology and protocols adopted by the US and Canadian regulator in an attempt to reduce CLI spoofing, would like to sell the same method to the rest of the world. Insiders have told me they estimate US telcos have collectively spent half a billion dollars on implementing STIR/SHAKEN. This is easy to believe when multiple sources have gone on the record saying the cost to a single telco is counted in tens of millions of dollars. For example, FCC Commissioner Michael O’Rielly wrote in 2020 about the need to hold down the cost of adopting STIR/SHAKEN within the USA:

…for some providers, up-front costs could exceed tens of millions of dollars. While I am hopeful that benefits will ultimately exceed costs, it is obvious that this undertaking will add costs to providers, and ultimately their customers.

Earlier this year the representatives of several of the biggest US telcos wrote to the FCC to oppose the extension of STIR/SHAKEN to international inbound calls on the grounds of how little benefit would be delivered relative to the expense. As businesses which had already satisfied the mandate to implement STIR/SHAKEN for domestic calls, they knew what they were talking about when commenting:

…despite the limited benefit, the proposed requirement would impose a substantial cost – in the tens of millions of dollars – on some providers.

It does not take much mathematical nous to calculate that a program which costs tens of millions of dollars for individual telcos and which has collectively cost the US industry half a billion dollars would need an investment of several billion dollars to be implemented worldwide. That is part of the attraction for the vendors who created STIR/SHAKEN and who expect to control its global development via a standards-setting body that conspicuously lacks any input from outside North America. Having successfully sold the concept to regulators in the USA and Canada, they realized those regulators would then be forced into lobbying for the adoption of STIR/SHAKEN across the whole planet. There are cheaper alternatives to STIR/SHAKEN, but if you prevent any interworking between those alternatives you are ultimately forced to accept two consequences of the current strategy being driven by North America’s comms regulators:

  • digital signatures must be applied at source to calls originating in any country, to prevent CLIs being spoofed before an international call enters the STIR/SHAKEN ecosystem; and
  • a global governance body will oversee the issuing and revoking of certificates to the telcos allowed to sign their calls, effectively creating a supra-national mechanism to determine which telcos are authorized to send voice traffic to other telcos in the STIR/SHAKEN club.

That must sound like a great way to make money if you are one of the businesses supplying the technology or running the global authority. They will be eagerly anticipating the election of the new Secretary-General of the International Telecommunication Union (ITU) because the odds-on favorite is Doreen Bogdan-Martin, an American who has the official backing of the US government. Bogdan-Martin is unlikely to oppose the goals of the Federal Communications Commission (FCC), the US regulator, which has been blatantly pushing for the imposition of top-down verification of CLIs across international borders because it reflects the dominant thinking of US politicians from both main political parties.

The FCC’s enthusiasm for top-down controls has not been cooled by the failure to reach any useful agreement with their peers at the Canadian Radio-television and Telecommunications Commission (CRTC) over who is ultimately in charge when regulating CLIs for calls that pass between the USA and Canada. Bogdan-Martin’s manifesto lists ‘safe’ universal connectivity as her top priority and we can anticipate that means the leadership of the ITU will become more interventionist in the field of international security standardization following the departure of Chinese-backed outgoing Secretary-General Houlin Zhao.

Perhaps the advocates for a one-size-fits-all approach to STIR/SHAKEN are right to anticipate inevitable global success, which makes it an especial shame that British taxpayers are currently spending slightly under a million pounds on developing an alternative to STIR/SHAKEN that could be implemented without requiring a global governance body to oversee it. Led by Professor Feng Hao (pictured), a team at the University of Warwick received a GBP901,039 (USD1.1mn) academic grant in January 2021 to develop an alternative to STIR/SHAKEN. The project outline submitted to the Engineering Physical Sciences and Research Council (EPSRC) succinctly explains the reasons why STIR/SHAKEN is not suited to international deployment:

The STIR/SHAKEN proposal is inspired by the HTTPS web communication and attempts to apply the same approach from web browsers to telephones. However, this proposal has two major drawbacks. First of all, it requires a Public Key infrastructure (PKI), which is expensive to set up and to maintain. Besides the cost and operational issues associated with a PKI, it remains unclear who should act as globally trusted certificate authorities (CAs). Second, STIR/SHAKEN is designed to only work with the SIP system (VoIP), leaving SS7 systems (landline and mobile phones) out of scope. This significantly limits the effectiveness of the proposed solution.

The people responsible for STIR/SHAKEN have since devised a standard that purportedly will allow signatures to be carried by networks that rely on SS7 signaling, but they are never going to devise a remedy to the cost of implementing a trans-national PKI infrastructure overseen by a globally trusted authority because both are inherent to their design. Professor Hao’s alternative would do away with the complication of applying STIR/SHAKEN to every single telco in the world by implementing a control that would be embedded in phones instead of networks.

Our main idea is to leverage the DTMF signalling in a call-back session as a trusted channel to send a short code to the purported caller, in conjunction with a password authenticated key exchange (PAKE) protocol to perform key exchange over a data channel to establish a shared high-entropy session key which is then used to authenticate the caller ID end-to-end.

In other words, Hao and his colleagues want to exploit the universality of dual-tone multi-frequency (DTMF) signaling, an old and established telecoms standard where information is communicated using audio frequencies within the voice band, which means it will work across any network that lets you hear what somebody else is saying. These in-band signals will be used so phones can tell each other if one of the phones originated the call that the other phone has just received. Global adoption of such an approach will inevitably cost more than the modest value of this research grant, but there are clear cost advantages to a method based on installing new software on handsets that are already capable of exchanging DTMF tones. Hao’s approach deserves to be investigated before the world commits to the overhaul of every network and the creation of a permanent governance bureaucracy.

As they emphasize in an article on the University of Warwick website, the researchers want to devise a bottom-up approach that will avoid the shortcomings of the top-down philosophy inherent to STIR/SHAKEN. Though the FCC would never admit it publicly, the US regulator has much to gain from a global top-down approach to CLI authentication because they expect Americans to be at its pinnacle, protecting the USA’s interests as defined by the US politicians that appoint them. In contrast, other countries will be wary of increasing US influence. China has most to lose, having seen their telcos and equipment manufacturers banned by US authorities. This leads to a conflict that proponents of STIR/SHAKEN seem incapable of addressing: why would countries currently engaged in trade wars with the USA voluntarily increase the power of US authorities to decide which telcos can make voice calls? The bottom-up approach proposed by Hao would be less susceptible to political abuse at a national level. That might also explain why Huawei was named as a project collaborator in the article on the University of Warwick website, though they are not listed as a project partner by the EPSRC.

Given the way public money is wasted in the UK it would not be surprising if Hao’s project, which is listed as running until 2025, is rendered redundant before the end of this year by Ofcom, the UK comms regulator. There are signs of bias in the way Ofcom already talks about protecting customers from CLI spoofing, despite the relevant official consultation not having begun yet. Ofcom has a track record of making the decisions which are most convenient for Ofcom, irrespective of the interests of consumers and taxpayers. Academics at a British university with a million pounds of taxpayer’s money from a British research council will find it hard to compete for attention with lobbyists employed by US companies pursing a billion-dollar global program backed by the US government, even if the latter has delivered no measurable benefit to US consumers so far. It is worth giving Hao and his colleagues the time and funding needed to determine if their method can be made to work in practice. My fear is that the UK’s authorities will sideline their research prematurely.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.