Caller ID spoofing is a global industry problem and often acts as a critical enabler for telephone fraud. To address this problem, the Federal Communications Commission (FCC) has mandated telecom providers in the US to implement STIR/SHAKEN, an industry-driven solution based on digital signatures. STIR/SHAKEN relies on a public key infrastructure (PKI) to manage digital certificates, but scaling up this PKI for the global telecom industry is extremely difficult, if not impossible. Furthermore, it only works with IP-based systems (e.g., SIP), leaving the traditional non-IP systems (e.g., SS7) unprotected. So far, alternatives to STIR/SHAKEN have not been sufficiently studied. In this paper, we propose a PKI-free solution, called Caller ID Verification (CIV). CIV authenticates the caller ID based on a challenge-response process instead of digital signatures, hence requiring no PKI. It supports both IP and non-IP systems. Perhaps counter-intuitively, we show that number spoofing can be leveraged, in conjunction with Dual-Tone Multi-Frequency (DTMF), to efficiently implement the challenge-response process, i.e., using spoofing to fight against spoofing. We implement CIV for VoIP, cellular, and landline phones across heterogeneous networks (SS7/SIP) by only updating the software on the user's phone. This is the first caller ID authentication solution with working prototypes for all three types of telephone systems in the current telecom architecture. Finally, we show how the implementation of CIV can be optimized by integrating it into telecom clouds as a service, which users may subscribe to.
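The following is an added illustration of the PKI-free challenge-response principle the abstract describes; it is not code from the paper or the CIV prototypes. It models a toy telephone network in which a caller ID field can be forged but DTMF tones sent to a number always reach the device that really owns it. The message flow (verifier generates a random DTMF-encodable challenge, delivers it to the claimed number, and asks the device on the incoming call to echo it back) is an assumption made for this example; the paper's actual use of number spoofing to carry the challenge is abstracted away behind `Network.send_dtmf`.

```python
"""Toy model of caller ID verification by challenge-response (constructed example).

Assumed flow (not necessarily the paper's exact protocol):
  1. A call arrives whose caller ID field claims number X.
  2. The callee generates a random challenge using DTMF digits and has the
     network deliver it to number X; the network routes it to X's real owner.
  3. The device actually on the incoming call is asked to echo the challenge.
Only a device that controls X ever sees the challenge, so a forged caller ID
cannot answer correctly except by guessing.
"""
import hmac
import secrets

DTMF_DIGITS = "0123456789"  # the DTMF keys used for the challenge in this model


class Network:
    """Routes DTMF to the registered owner of a number, regardless of what
    anyone writes into a caller ID field."""

    def __init__(self):
        self._owners = {}  # number -> Phone that really owns it

    def register(self, number, phone):
        self._owners[number] = phone

    def send_dtmf(self, to_number, digits):
        """Deliver digits to the true owner of to_number. Returns False if unassigned."""
        owner = self._owners.get(to_number)
        if owner is None:
            return False
        owner.on_dtmf(digits)
        return True


class IncomingCall:
    """What the callee sees: a claimed caller ID plus the device on the line."""

    def __init__(self, claimed_caller_id, origin):
        self.claimed_caller_id = claimed_caller_id
        self.origin = origin  # the verifier can only talk to this device over DTMF


class Phone:
    """An honest device: it owns its number and echoes challenges it receives."""

    def __init__(self, number, network):
        self.number = number
        self.inbox = []  # DTMF challenges delivered to this device
        network.register(number, self)

    def on_dtmf(self, digits):
        self.inbox.append(digits)

    def place_call(self, claimed_caller_id=None):
        # An honest phone presents its own number; a spoofer passes a forged one.
        return IncomingCall(claimed_caller_id or self.number, self)

    def answer_challenge(self):
        return self.inbox[-1] if self.inbox else None


class GuessingSpoofer(Phone):
    """A device that forges a caller ID and, never receiving the challenge,
    answers with random digits. Success probability is 10**-len(challenge)."""

    def answer_challenge(self):
        return "".join(secrets.choice(DTMF_DIGITS) for _ in range(8))


def make_challenge(length=8):
    """Random challenge made only of DTMF-typeable digits."""
    return "".join(secrets.choice(DTMF_DIGITS) for _ in range(length))


def verify_caller_id(call, network, length=8):
    """Return True only if the device on the call can echo a challenge that was
    delivered to the number it claims to be calling from."""
    challenge = make_challenge(length)
    if not network.send_dtmf(call.claimed_caller_id, challenge):
        return False  # claimed number is not assigned to anyone: reject
    response = call.origin.answer_challenge() or ""
    return hmac.compare_digest(response, challenge)


if __name__ == "__main__":
    net = Network()
    bank = Phone("+15551000", net)           # constructed sample numbers
    alice = Phone("+15552000", net)
    mallory = GuessingSpoofer("+15553000", net)
    print("honest:", verify_caller_id(bank.place_call(), net))                          # True
    print("spoofed:", verify_caller_id(mallory.place_call("+15551000"), net))            # False
    print("unassigned:", verify_caller_id(mallory.place_call("+15559999"), net))         # False
```

The point the model makes is that the secret the verifier checks is never stored anywhere and needs no certificate: it is minted per call and bound to the claimed number by the network's routing, which is exactly what a caller ID field cannot override. Challenge length sets the guessing bound, so the trade-off in a real deployment is DTMF signalling time versus the 10^-n chance a spoofer passes by luck.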