Monday, 12 November 2018

Hello, And Please Don’t Hang Up: The Scourge of Robocalls

Over the last few months, I’ve noticed extra calls coming in from local numbers, and if you live in the US, I suspect maybe you have too. These calls are either just dead air, or recordings that start with “Please don’t hang up.” Out of curiosity, I’ve called back on the number the call claims to be from. Each time, the message is that this number has been disconnected and is no longer in service. This sounds like the plot of a budget horror movie: how am I being called from a disconnected number? Rather than a phantom in the wires, this is robocalling, combined with caller ID spoofing.

Automated phone switching is an impressive beast. The story often told is that Kansas City had two undertakers in the late 1800s. The town’s telephone operator was married to one of the undertakers, and she would routinely send business to her husband. The other undertaker was [Almon Brown Strowger], and once he caught on to what was going on, he started working on a way to route phone calls without going through an operator. His invention eventually became the rotary dial phone and switching system. There is some irony that the automatically switched telephone network was invented to defeat fraud, and today it’s also used to commit fraud.

Number Spoofing is a Side Effect of the Ma Bell Breakup

At HOPE XII, [TProphet] gave a talk about robocalling and the history of the phone system. He talked about the breakup of AT&T and the associated government regulation, and how those two events have had unintended consequences today, like enabling caller ID spoofing and robocalling. Part of the agreement between the U.S. Government and AT&T is that all calls would be accepted, even calls from competing providers. The downside is that this regulation then legally prevented AT&T from blocking phone calls even when those calls are known to be spoofed or spam.

Signalling System 7 (SS7) was designed in the 1970s, and has become the international standard for routing phone calls. This standard was written in a time when network security was an afterthought: SS7 has no authentication built in, simply accepting all traffic on the “secure” phone network. Regulated network interconnection was baked into the SS7 protocol, and a side effect is that the source phone number is trusted by design. Caller ID spoofing is the result of this protocol and the regulatory requirement that telephone companies (telcos) complete all calls from competitors.

[TProphet] didn’t mention the legitimate reason for caller ID spoofing. Your humble author spoofs the caller ID of his office phone. Why? An Asterisked phone system (running off a Raspberry Pi) connects to both a Plain Old Telephone System (POTS) line as well as a VoIP trunk. Incoming calls to the phone number, as well as outgoing local calls, go over the POTS line. Long distance outgoing calls go over the VoIP trunk, as the per-minute rates are significantly better. In Asterisk, when routing the outgoing call, there is a simple routing command that sets the outgoing caller ID information. It’s accurate information in this case, but this is the exact same process as a robocaller uses to spoof calls.

Most hotels and other large businesses do spoofing of some sort, in order to show all their calls as originating from their main number. If the caller ID is set in order to funnel return calls to the primary incoming phone number, all is well. If the spoofed number doesn’t serve to allow returned calls, but instead is intended to deceive, then fraud has occurred.

Can Telcos Block Spoofed Numbers?

So what’s the solution? The FCC has recently taken aim at robocalls, and has changed its regulations as part of this push. Telcos are now allowed to block spoofed calls that claim to be originating from disconnected numbers, as well as certain other obviously spoofed numbers. Cell phone companies have started showing warnings about incoming spam calls, and even blocking some calls.

Part of the reason for Gmail’s rapid growth was its excellent spam detection. Now that telcos and cell providers have some regulatory breathing room, they are beginning to compete for the best robocall blocking. T-Mobile, for instance, uses a service that monitors call originators for recent call volume. If one location just fired off a thousand phone calls, it’s probably doing robocalling. If you’ve seen a caller ID message of “Spam Likely” on your cell phone, you’ve been the beneficiary of this service. [TProphet] even described a scheme to catch and block spam calls as a service. At the end of his talk, he outlined how the SS7 metadata included with a spam call could be categorized and scored, in order to determine how likely a given call is to be spam.

This is very similar to the operating principle of SpamAssassin, one of the more popular open source email spam filters. Just as SpamAssassin looks at the email source, headers, and text, a robocalling filter could look at the origination, timing, and other metadata to determine a spam rating. The parallel between robocalls and email spam would suggest that robocalls will never fully disappear, but better service and smarter regulation will eventually reduce them to an occasional annoyance.
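
The scoring idea from the two paragraphs above, sketched as an added example (not code from the talk, this article, or any carrier): each call record is tested against a few rules and the rule weights are summed, SpamAssassin-style. The record fields, rule names, weights, threshold and sample data are all assumptions constructed for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    ts: int        # seconds since capture start
    origin: str    # originating trunk identifier (hypothetical field)
    caller: str    # claimed caller ID, 10 digits
    callee: str    # dialed number, 10 digits

# Illustrative weights and threshold, not tuned values.
WEIGHTS = {"CLAIMS_DISCONNECTED": 3.0, "ORIGIN_BURST": 2.5, "NEIGHBOR_PREFIX": 1.0}
THRESHOLD = 5.0
WINDOW_S, BURST_LIMIT = 60, 100   # "recent call volume" = 100+ calls in 60 s

def score_calls(calls, disconnected):
    """Return [(call, score, hits)] for every call, in input order."""
    by_origin = defaultdict(list)
    for c in calls:
        by_origin[c.origin].append(c.ts)
    for stamps in by_origin.values():
        stamps.sort()
    results = []
    for c in calls:
        hits = []
        # Claimed number is known to be out of service.
        if c.caller in disconnected:
            hits.append("CLAIMS_DISCONNECTED")
        # Calls from the same origin in the WINDOW_S seconds up to this one.
        stamps = by_origin[c.origin]
        recent = bisect_right(stamps, c.ts) - bisect_left(stamps, c.ts - WINDOW_S)
        if recent >= BURST_LIMIT:
            hits.append("ORIGIN_BURST")
        # Claimed number shares area code and exchange with the callee.
        if c.caller[:6] == c.callee[:6] and c.caller != c.callee:
            hits.append("NEIGHBOR_PREFIX")
        results.append((c, sum(WEIGHTS[h] for h in hits), hits))
    return results

def spam_likely(calls, disconnected):
    """Calls whose summed rule score reaches THRESHOLD."""
    return [c for c, score, _ in score_calls(calls, disconnected) if score >= THRESHOLD]

# Constructed sample: one trunk places 1000 calls in 50 s; another places one.
DISCONNECTED = {"5551230000"}
SAMPLE = [Call(i // 20, "trunk-A", "5551230000", f"555123{i:04d}") for i in range(1000)]
SAMPLE.append(Call(30, "trunk-B", "5559870001", "5551234567"))
```

On the constructed sample, the first 80 calls of the burst stay under the threshold because the volume rule has not yet tripped, which is the usual cost of a rate-based signal: it needs history before it fires.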

History Repeats Itself

The unity of the telephone network has turned out to be one of its major strengths. Imagine a world where you needed an AT&T subscription, a Sprint subscription, and a Verizon subscription, just to be able to talk to family and do business. The regulatory agreement with AT&T, combined with later legislation, brought about this unification. However, as we’ve seen, it did come with unintended side effects, like enabling robocallers.

There is another regulatory good idea that could have some unintended side effects. Net neutrality is the idea that Internet Service Providers (ISPs) should provide neutral internet service. We pay our ISPs for our bandwidth, and it’s reasonable to expect that bandwidth to be provided without services being blocked or throttled. Net neutrality regulations would insist that ISPs deliver packets in this unbiased way.

To be clear, I’m of the opinion that net neutrality is a good idea. An ISP shouldn’t be able to shake a customer down for a higher monthly fee, just to get unthrottled access to a competitor’s video streams.

In order to ensure net neutrality, ISPs were temporarily reclassified as “Common Carriers”, similarly to how the Bell telephone system was regulated. In order to understand how this classification might be a sub-optimal solution to achieving net neutrality, consider what traffic ISPs regularly block. For example, port 25 is reserved for the Simple Mail Transfer Protocol, and is routinely blocked on residential internet connections. Why? Port 25 traffic from a residence is almost always spam, being sent from a compromised computer. Would an ISP regulated as a common carrier be allowed to block that traffic?

Regulations often have unintended side effects, and bodies like the FCC are usually slow to update rules to fix those unintended consequences. The requirement for all telephone networks to play nicely together opened up the call spoofing vulnerability that delivered this abundance of robocalls. So far, fining robocallers and having regulators harrumph at telcos hasn’t solved it. The balancing act for any network is to keep it accessible to legitimate traffic without compromising the ability to combat traffic that is clearly malicious or fraudulent.



from Hackaday https://hackaday.com/2018/11/12/hello-and-please-dont-hang-up-the-scourge-of-robocalls/