CryptoDB
STIR/SHAKEN: A Looming Privacy Disaster
Authors: | Josh Brown, Paul Grubbs |
---|---|
Presentation: | Slides |
Abstract: | In 2020, the Federal Communications Commission (FCC) began mandating the adoption of the STIR/SHAKEN protocol by all telephone service providers operating in the United States. This protocol aims to reduce the number of fraudulent robocalls by creating a reputation system for providers, disincentivizing providers from permitting fraudulent calls to originate from their network. This talk will discuss our ongoing study of the privacy implications of STIR/SHAKEN. Our study has uncovered severe privacy issues stemming from the design and implementation of the cryptography in STIR/SHAKEN. Notably, STIR/SHAKEN requires, for every call, highly sensitive call metadata (e.g., caller and callee numbers) to be signed in a cryptographically non-repudiable way and transmitted unencrypted between providers; this gives anyone the ability to cryptographically assert a call took place. Further, because third-party signing-as-a-service is widespread, this highly sensitive metadata is often revealed to off-path third parties. The talk will give the relevant background on telephony and STIR/SHAKEN, describe these privacy issues in detail, and discuss our ongoing research on solutions. We will also highlight unusual real-world cryptography challenges that arise, such as blind verification for signatures. |
Video: | https://www.youtube.com/watch?v=3trxXF0-fRU |
BibTeX
@misc{rwc-2024-35358,
  title={STIR/SHAKEN: A Looming Privacy Disaster},
  note={Video at \url{https://www.youtube.com/watch?v=3trxXF0-fRU}},
  howpublished={Talk given at RWC 2024},
  author={Josh Brown and Paul Grubbs},
  year=2024
}