PW - Combating phone spoofing with STIR/SHAKEN

uh so St shaken uh this is something that I've been sort of tracking back home in Norway and Europe for the past couple of years I've done talks about this in in several uh conferences and uh Arenas in in Norway and other countries as well in Europe and I had absolutely no plans on doing this talk here in the US because I just made the assumption that since the US in Canada have stir shaken in place there would be other people perhaps that would be talking about it not me um just have the theory uh on on this stuff and the uh simple thing is give me a call on this number if you uh

if you can if you have a us or Canada uh number uh eventually I will call you back just give it a ring and hug up I'm not going to respond and when I call you you there's no need to answer uh as well but this is just for a little bit of crowdsourcing from me if you can in addition also um text me or put a message on Twitter DM or anything like that with the you know three four last digits of your number um I would really like to know which carrier you are using and when I call you back you're going to look for a small check mark in your call history um and tell me whether you can

see that check mark Or Not So I've spent like for I don't know uh eight nine years now looking a lot into Mobile hijacking as I call it um I do differentiate between Port out and Sim swap attacks Sim swap to me is messing with your current subscription with your current sell carrier like getting a new SIM card or getting an extra SIM card so if I get a SIM card at your name I will be able to get your phone calls and your text messages as an example a port out attack to me is calling your provider uh and calling a new provider and say to the new provider that hey I am you and I want to move

your current subscription over to the uh new uh carrier and get a SIM card from them so it's a little bit of a difference but in any case uh social engineering attack um and I started talking about this back in 2019 after doing quite a few uh years of research at one point I took out uh I put out a tweet saying uh hey I'm trying to learn more about phone spoofing can somebody give me a call or a spoof Call uh so I can understand a little bit more how it works and less than 30 minutes later uh my phone was calling and the number was plus 0000000000 lots of zeros and obviously it's a SP phone call I pick up the phone

and I say hello this is per hello this is Vladimir calling from Moscow Russia and it was actually Vladimir calling from Moscow Russia because he's a friend of mine and we're not talking about Putin but not of Vladimir in Moscow and he laughed and said ah this was really fun and it took me like 10 15 minutes to find a spoofing service that would allow me to call you using pretty much any number in the world and that's what you will see uh on your display so I already explained the port out attack uh Sim swap is well I can get a new SIM for your current subscription I can get the twin SIM card you know

some providers do have that I can also just get a data SIM card that doesn't make that much sense but it can be done some of the things that I've done back home in Norway is back in 2019 I let made a lot of fuss in Norwegian media about how easy it was to hijack somebody's uh phone number uh using simple social engineering and get a SIM card in their name as an example or moving this this subscription to a new carrier So based on that uh the Norwegian government came out with a new uh resolution which is still not part of Norwegian law but basically they say uh this is a hearing from Norwegian

government on September 3rd 2019 actions to prevent mobile hijacking and I'm still waiting for this to pass it basically says that before you allow to get a new subscription or change your subscription with your current carrier or move it to another carrier you have to provide proper ID you can't get us an anonymous SIM card in Norway as an example not possible you have to provide ID we we we want to know who you are before you get a phone number I've also done a little bit on voicemail hijacking which is something very completely different but if you able to spoof a phone call uh you can get access to people's voicemail all the way back in August 2006 Norwegian press

wrote about Paris Hilton and lindsy Lohan uh where the Uber hacker Paris Hilton was actually using a c that is I think it's either us or Canada called spoof card they still exist today and they will allow you spoofcard.com so there you go have fun uh and they allow you to make SPO phone calls in the US and Canada because of my work SPO card stop working in the majority of Europe you could no longer make SPO phone calls to Europe so that was me sorry guys um and what she did back then in 2006 she used uh proof card to call into lindsy Lohan's voicemail because she was spoofing her phone number and doing that

she was able to listen to All voicemail messages that that were left for lindsy Lohan and she was also able to change the welcome message as an example I did the same thing in Norway in Sweden and Denmark I proved that by spoofing phone numbers I could get access to almost 7 million voicemail boxes with three different carriers in Norway Sweden and Denmark back in 2019 now most people over there don't use voicemail but matter of fact if you get a phone subscription in Norway Sweden and Denmark you always get voicemail as an included service in fact you can't even tell a k i don't want voicemail but you can turn it off but of

course default it's turn on which is crazy now back to stir shaking again what is Stir shaking well you may know it in a way as caller ID in the US um and it's pki publicly uh infrastructure for uh phone calls this is you you have Ryon as your operator you make a phone call to me I'm using AT&T uh your carrier which supports St shaken will you have an authentication Service they will add a digital signature to your phone call going to me my provider also has a verification service they will check a certificate repository and basically my phone running iOS or Android in at least some of the newer versions have integrated support for verifying the incoming call

and the added digital signature that to that uh phone call so it's pki for phone calls this is pretty cool stir shaking provides three level of of attestation of calls you have the full attestation the service provider has authenticated calling party and they are authorized to use the calling number an example of this case is a subscriber register with originating telephone service provider soft switch you have second highest level partial attestation the service provider has authenticated call origination but cannot verify the call source is authorized to use the calling number an example of this use case is a telephone number behind an Enterprise PBX and the lowest level is Gateway station the service provider has

authenticated from where it received the call but cannot authenticate the call Source an example of this case would be a call received from an international Gateway now let's go over to the marketing stuff because again we don't have this in Norway we don't have this in Europe yet I've been advocating for years that we should do as you do in the US and Canada I get back to the time on here a little bit later but this is the marketing stuff that I have found from websites from T-Mobile ryzen uh the usfc as an example and they say that this is a sort of like an iPhone display and somebody's calling you uh you see the

number and it says uh it's coming from Atlanta but this could be spoofed now adding stir shaken you would be able to see a verified symbol through so that is your your phone authenticating verifying the uh um the uh um the um digital keyas been added to the phone call uh the signature and you will see that yep the verified symbol means this is actually the number calling you it's not a spoofed phone call of course it could be a scammer or telemarketing company but that is the number being used and this implementing this is a c to any carrier I have no idea how much it costs to deploy this but a PK PKR

infrastructure that will add digital signatures to every single phone call so yeah it's going to be more than $100 for sure who's paying for this well in the end it's going to be you and me right that's how it is but more interesting is that they also say and this is from the marketing stuff so I cannot guarantee this is actually how it works but they also say in the marketing materials that once you have stir stir shaken in place you can also add what's called Rich call data so you can actually integrate because phone calls today are mostly voice over IP it's internet traffic IP packets so you can actually add text and a graphic logo and even a small text

that you should be able to see on the call screen so if it's your bank calling it can say you know you could show the logo of your bank and say customer service is calling or it's a hospital or the doctor or whatever else and this is the point where I've been telling people in Europe that well and for the telecom companies for sure that hey give me this and you can add this and you can charge money for businesses and government organization saying that if you want to add the additional level of trust to put in your logo and text displaying why are you calling your customers you can do that and marketing material sets says you need to have stir

shaking in place before you are sort of allowed to add this stuff as well so if you go into your call history on your Android or iPhone we are basically looking for a very small check mark now I was surprised because I have an iPhone 15 Pro I it's completely updated uh I now have the uh Us number which people keep calling me all the all the time I see on my display and I don't see the check mark from anyone calling me be it using Google Ryon ATT and so on I've been calling people back and some people have responded to me yes I see that from your number I see a small check mark in the

call history but on the call screen it doesn't show anything that could assist you in making a better informed choice if this is a spu phone call or not in January 2018 Canada said that they expected implementation of stir shaken by March 31st 2019 got delayed a little bit uh and post deploy report by May uh 31 uh 2022 and in December 2019 you had the traced act here in the US uh the FCC said that this was approved by uh March in 2020 big providers in in the US needed to have this implemented by June 30 2021 and small providers in the US needed to have this implemented by June 30 2022 and on June 30th 2021 t- T-Mobile

USA announced that they were 100% compliant with this their St shaken implementation and during all these years you know from 2018 to 2021 2022 I did see Norwegian Telecom providers and Norwegian government talk about this from time to time but they never did anything they didn't even contact anyone in the US to ask what's the cost what's the time frame to implement this it was just like yeah that's a us thing they have problems we don't so we don't care but I found as an example in Europe uh a nice little EU report uh several hundred pages on page 34 it says it is unlikely that all operators in Europe will introduce systems to counteract CLI

spoofing uh so that's you know C proofing on their own initiative without regulatory intervention in that sense the situation is similar to that in the USA where operators only introduced stir shaken on a large scale after implementation of corresponding legislation it is likely that all European operators wishing to terminate calls where both the call party number and the calling party number are us numbers will in due course have to implement stir shaking clearly this technology has the first mover Advantage so again I keep telling people tellos in Norway and in Europe you should do this there are problems with Spam calls proof calls in the US is a very small problem in in Norway but the problem is going to

come to Norway as well if we don't do anything and the answer I'm getting is yeah we'll deal with that when it comes and I'm like okay okay I'm not giving up and funny enough we also have a law for Telo Telco providers in Norway and they have this excellent sentence in Norwegian uh translated into English saying service providers telecommunications must as far as technically possible and financially reasonable block phone calls for for anyone trying to use an a number which they do not have the right to use we have three Telecom providers in Norway with fiscal infrastructure I've talked to all three and they say this is a bloody difficult Market to operate in we

don't make any money from providing cell coverage in Norway so you want still shaken now we're not even going to look into the price of it because we not all you know at this moment we don't make any money at all more less selling uh mobile phone subscriptions in Norway so you know go away and I'm like yeah let's see about that still working on it so to summarize a little bit on this what can you do well tell people because I don't know how the situation is in the US or in Canada but in in the rest of the world at least my experience people don't know that the number they see on the screen

when somebody is calling them can be spoofed which is a little bit Tracy to me uh I do recommend people to enroll for free in the Google protection uh Advanced Protection Program um you can unable the lockdown mode on your iPhone and of course the very simple trick of if somebody is calling you asking you for your credit card details or social security number whatever it is and you think it might be a spof called just make the very simple question can I call you back on which number because if somebody is using a spru phone call it will be difficult or impossible to sort of call them back on the same number and also if you know anything

about GSM networks and stuff there are options on Android on some Android phones to disable 2G support um it's a setting available Android uh 13 and 14 as a minimum and when you turn on lockdown mode on iPhone you can also disable 2G because 2G being very old doesn't have mutual authentication so setting up a fake base station and making your phone connect to my base station and then I can e drop on you and I can send you text messages as many as I want for free is I'm going to say incredibly easy but it's easy enough for most people to figure out if you just study a couple of YouTube videos more or

less and going back to what can you your business your organization do uh about this well I would really recommend you to tell your customers uh about you know your official channels if people suspect any kind of spam fraud or something being done towards them uh that looks like it comes from your organization you should have as I say at least you should have a web page saying our official channels are just official channels these are the channels our company is using on Tik Tok Snapchat YouTube Twitter masteron and so on for official information and if you are receiving any text messages calls emails from any other domains or numbers and so on it's fake it's fraud and you should

report it to us at this number this email as an example uh you should also talk TOS providers that you might be using for sending out text messages uh and ask them hey do you have any kind of Protections in place so that nobody else are able to use our name as the sending name of a text message or the number in Norway right now you can go to any SMS provider sign up for an account pretty much for free and start sending out text messages and you can set the sender name or number to be anyone you like do you see a problem with that I do and they are starting to see the problem

appear in Norway now I don't know situation in us while guess I think it's worse here SM text messages talk to Telecom providers and talk to your government about obtaining insights from Telecom operators on detection of fraudulent calls and SMS because statistics are very very useful now to my big surprise I arrived here on Thursday to my really big surprise I've been talking to a lot of people already and have you uh you know asked you to call me and I thought that since St shiken has been mandatory for all Telco providers in the US since July 1st 202 22 I will see I would see lots of check marks I'm not seeing any check marks at all in my call history

and when I've been calling people back some people have been telling me yes I do see the check mark but that's like one out of three one out of four that actually sees that check mark I don't know why but please do me a favor please call your provider send a message to your uh provider and ask them do you support St shaken why am I not seeing it in my call history why I'm not seeing this on the calling screen because I'm supposed to best regards the FCC part of the US government thank you and in the last case if that doesn't work go and vote in November and tell your government to do that

[Applause] you can find me on Signal here has my phone number I'm on LinkedIn and again let's give me a call if you haven't done so already I will call you back just a ring or two room number yeah have you seen [Music]

this compli you're not getting TMobile they give it everybody the loophole was they enabled it it's there if you pay extra if you don't pay extra for your it's not it's not access so you can give props to the hotel they called me and they have the check mark they have the check mark in place that's excellent that's excellent yeah nobody can yeah so next talk in 9 minutes uh Cecilia vion picking a fight with the banks uh that's also going to be very interesting uh in a way I would recommend especially women to listen to this next upcoming talk but it's relevant to absolutely everyone see you back in 9 minutes sing number