The purpose of this CXTech Week 22 2024 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech?  The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.

You can sign up here to receive the CXTech News and Analysis by email or by my Substack. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.

Covered this week:

• Podcast 71: Truth in Telecoms, Johnny Loves The New MEF and #GMoney
• Analyst sentiment builds against Twilio
• May Edition of RTC Security Newsletter
• Jambonz newsletter: May 2024
• Effective Today, May 28, 2024, All U.S. Service Providers Must Block Traffic from Voice Service Providers Not Registered in Robocall Mitigation
• Major call scammer bust in Thailand – Authorities seize 102 SIM boxes, Starlink devices and thousands of SIM cards.
• People, Gossip, and Frivolous Stuff

Podcast 71: Truth in Telecoms, Johnny Loves The New MEF and #GMoney

The byline for this podcast is: Mike Sievert we need you! T-Mobile is the most customer focused carrier, and can meaningfully differentiate from Verizon and AT&T by lowering SMS spam, robocalling, and fraud by bringing what the messaging monopolies offer in-house. Yes you can!

Some of the topics covered in the podcast include:

• Giovanni Tarone now loves the New Mobile Ecosystem Forum under Robert Gerstmann (#GMoney) as they seem to be ignoring The Campaign Registry. Given Johnny penchant for nicknames, I guess that makes him a suck-suck-boy. Suck comes from sucker fish that hang around larger predators.
• I do not love the MEF, their policy of ‘ignore and not engage’ with our research is not good for the industry, its bad form, and it’s a classic behavior of an old boy network.
• Just a reminder: 19.2B spam SMS in April 2024 (source RoboKiller), 4.3B robocalls in March 2024 (source YouMail). Juniper Research estimate robocalling fraud will cost $71B in 2024. The PSTN is a mess, the messaging monopolies are not working for consumers, rather themselves.
• Change is only going to come from the carriers, the messaging monopolies want things to continue as is, the politically appointed FCC is limited by partisan 4 year terms and distracted on AI. The only entity that can be customer focused for the long term are the carriers, and TMO-US could lead the charge for its customers’ and own benefit on significantly cutting spam, robocalling, and fraud.
• We also review Twilio‘s continued struggles as the dominant aggregator in the US, with increased competition, unresponsive stock, and an undifferentiated AI vision given the latest Telnyx AI and Connectivity vision. https://telnyx.com/resources/state-of-ai-connectivity
• In Twilio’s recent supplement to its proxy statement they share a plan to finally move to GAAP (Generally Agreed Accounting Principles) by Q4 2025. Johnny countered with he also wants to be 7ft tall.

Analyst sentiment builds against Twilio

We’ve been pointing out the challenges Twilio faces in achieving non-gaap profitability given its prepayments being accounted as marketing costs, not cost of goods. The challenges faced in the US market and reported last week, with a TCPA lawsuit filed against Twilio and the CSP / brand problems across toll free and 10DLC A2P SMS. I see people leaving Twilio to AI startups, this will compound the toll-free problems CSPs are facing, as support is lacking. The increasing competition from Azure Communication Services and even telcos winning large European customers away such as VirtualQ. Their AI story seems undifferentiated, especially given Telnyx post on its AI and Connectivity, and the rapidly shifting AI technology.

Morningstar has now downgraded Twilio’s moat rating to none. Essentially saying is open season on all Twilio’s customers. The money spent on share buy back appears to have no impact. Those billions of dollars could be spent buying Sinch or even tyntec.

Will Twilio survive, absolutely, it’s the 800lb gorilla in the market with a virtual monopoly in US A2P SMS aggregation from the $750B spent on Syniverse, and $850B spent on ZipWhip. However, at some point carriers will see tackling spam and robocalling as a way to differentiate. We think TMOUS will do it first, cutting out the messaging monopolies and focusing on restoring the PSTN experience. Imaging a day when you can simply answer the phone and it’s someone you know, not an Indian call center scam. Imagine not receiving multiple spam SMS from a convicted felon asking for money, or spam SMS asking, ‘Is that you J?’ I’ve had over 30 SMS in my spam folder in May. Someone is delivering spam, and there’s no way the 800lb gorilla in the market is not involved.

Maybe Twilio will halt the stock buy back and buy Sinch instead? Or double down buying some of the US messaging monopolies? Or maybe a PE firm will swoop in if Wall Street sentiment drives the stock price to $35? The PE firm could also roll-up a few of those messaging monopolies. We’re entering a phase when something has to happen, BAU (Business As Usual) is becoming high risk. Achieving the GAAP targets in the recent supplement to its proxy statement by Q4 2025 will be challenging.

Jeff left at the start of this year and bought the Onion, that some of the less surprising things we’ve seen this year!

May Edition of RTC Security Newsletter

RCS phishing attempts

I’ve seen an uptick in RCS spam, from zero last year to 2 so far this year. We discussed the one from the Philippines here. There was more discussion on this post, however that ended up being deleted by someone previously involved with MEF toeing the party line on non-engagement, yes MEF is that petty. The most recent RCS spam was from a US number, and in checking my spam folder to find it I found quite a few spam messages raising cash for a felon convicted for falsification of business records.

From the RTC Security Newsletter they listed out phishing and spam attempts using Rich Communication Services (RCS). It’s interesting reading and highlights how RCS introduction could face some initial bumps in the road.

• RCS spam texts being sent to Google messages users
• Reddit: Received an Encrypted text message
• Google has a drastic solution for RCS spam
• Google Messages users are getting spam-like encrypted RCS messages
• New Darcula phishing service targets iPhone users via iMessage
• This new phishing attack targets iPhone and Android alike via RCS

STIR/SHAKEN: a talk about privacy at the Real World Crypto Symposium (YOU MUST REVIEW THIS)

STIR/SHAKEN: A Looming Privacy Disaster is a talk presented at RWC (Real World Crypto Symposium) 2024, organized by the International Association for Cryptologic Research (IACR). The presentation is available on YouTube. The authors, Josh Brown and Paul Grubbs, also discussed their research on the Security Cryptography Whatever podcast.

At Enable Security, STIR/SHAKEN is of particular interest due to the new complexities and increased attack surface it introduces. This is primarily due to the various technologies it uses, such as JWT, PKI, and HTTP within the SIP INVITE call-setup mechanism. While we may not agree with all the privacy concerns raised, some certainly resonate with us as real-world issues. Here are the main concerns highlighted in the presentation and podcast:

• Deniability Issues:
  • The STIR/SHAKEN protocol creates cryptographic evidence of calls that can be used to prove a call was placed. This is similar to the issue with DKIM in emails. The metadata and passport are cryptographically signed but sent in the clear, allowing intermediary providers to access this information and prove a call was made.
• Metadata Exposure:
  • Clear Transmission: The metadata, including the caller and callee numbers, is transmitted in the clear through the telephone network, making it accessible to all intermediary providers. This exposure could increase if proposals to include more detailed metadata (e.g., physical addresses, birth dates) are implemented.
  • Third-Party Involvement: Many originating and destination providers use third-party authentication and verification services, meaning additional parties have access to the metadata and can correlate it with cryptographic evidence. Providers like TransNexus have a significant view into the telephone ecosystem’s metadata.
  • Increased Logging: The protocol encourages or necessitates logging of call data and signatures to facilitate spam reporting. This increases the retention and availability of metadata for extended periods.
• Legal and Compliance Concerns:
  • Centralization of metadata with third-party services could make it easier for law enforcement to obtain call logs and metadata through subpoenas. The distributed logging and third-party involvement potentially lowers the threshold for legal access to call metadata.
• PKI Issues:
  • Opaque PKI: The STIR/SHAKEN ecosystem’s PKI is opaque and lacks transparency features such as certificate transparency logs. The certification authority (CA) system is rooted in a single point of failure, with a self-signed certificate that is not publicly verifiable.
  • Certificate Misissuance: There are issues with certificate misissuance, including malformed certificates and incorrect extensions, which could compromise the security and trustworthiness of the system.
• Out-of-Band STIR/SHAKEN:
  • The proposed out-of-band STIR/SHAKEN solution involves uploading call passports to a national network of Call Placement Services (CPSs). This system replicates passports across multiple nodes, potentially increasing the risk of unauthorized access and privacy breaches.

The authors also discuss potential solutions, such as blind signing and blind verification, to address the concerns raised.

Even if you’re not interested in the privacy aspect of STIR/SHAKEN, this 20-minute presentation is worth watching because it gives a great overview of the solution, technology choices, and intricacies surrounding the topic.

Jambonz newsletter: May 2024

The Jambonz newsletter is always upways uplifting as the project grows from strength to strength.

Jambonz was joined by Suraj, our super-hero summer intern that comes to us fresh off his TADHack winning submission, and is going to help us implement some exciting new features this summer. 

The updates are coming in fast:

• support for streaming text-to-speech.  We’ve greatly reduced the latency of text to speech generation by implementing support for streaming protocols wherever offered.  This makes conversations even more human-like in terms of crisp responsiveness.
• ability to dub multiple audio tracks into a conversation.  There’s a lot of fun use cases for this, such as dubbing in natural background ambient noise or adding an automated real-time translation feature to conversations. 
• Improved Deepgram recognition through persistent connections.  We’ve worked closely with the Deepgram team to optimize our implementation and now, Instead of connecting to Deepgram at each turn of the conversation we can maintain a single persistent connection throughout the conversation – without increasing your costs! 
• Support for more speech vendors.  We keep adding more, more and more!  In this release we’ve added TTS options from RimeLabs, Deepgram Aura, Whisper, and PlayHT, all of whom offer next-generation life-like voices.
• Support for bidirectional audio in the listen websocket.  This gives you lots of freedom to build your own extensions to jambonz and pipe audio directly into the conversation on a streaming basis.
• Ability to turn up or down the audio volume / signal strength of TTS or URL-based audio during a call.  Many of you have asked for this in the past, and here it is!
• An example realtime translation app (ping us if you want to test it).  We may actually productize this into a SaaS-based service because its quite useful to organizations supporting outreach to non-native speakers, and that is a huge need in the world today.
• And release 0.9.1 will be coming soon.

Effective Today, May 28, 2024, All U.S. Service Providers Must Block Traffic from Voice Service Providers Not Registered in Robocall Mitigation

This requirement is mandated by the FCC to combat illegal robocalls and ensure network integrity for all voice service providers.

1. Registration and Certification: All U.S. voice service providers, gateway providers, and intermediate providers must have an up-to-date certification and a robocall mitigation plan filed with the FCC. This requirement applies to all providers, regardless of their obligation to implement STIR/SHAKEN protocols.
2. No Safe Harbor for Small Providers or Resellers: There is no exemption for small providers or pure resellers. Sole reliance on an upstream provider for robocall mitigation is not considered compliant.
3. Updated Disclosures: The Robocall Mitigation Database filing must include newly mandated disclosures by the FCC. Failing to update these filings in 2024 could be perceived as noncompliance by the FCC.

The practical reality for many voice SPs is:

• Thousands of voice service providers’ customers have not sent their KYC info but they’re terminating their calls and adding attestation as the calls are clean.
• There are thousands of other voice service providers in line for FCC fines without KYC data/mandating that their customers register with the database. Assuming it’s easier to ask for forgiveness given the volume of voice service providers in this situation.
• All the additional costs of KYC customer education, compliance audits, and filing with the robocall mitigation database with again more legal support are weighing on the continued existence of mid-tier companies.

The whole ecosystem is crying out for an automated identity based solution.

Major call scammer bust in Thailand – Authorities seize 102 SIM boxes, Starlink devices and thousands of SIM cards.

Thailand’s Central Investigation Bureau and Customs Department has seized 102 SIMboxes (GSM Gateways), 134 Starlink devices, 27,019 Hong Kong SIMcards and 6,770 Thai SIM cards in three operations.

At the first location the police found six GoIP32-X4 GSM Gateways (SIM Boxes) capable of operating 32 ports and 128 SIM-cards each.

In the second location, the Bureau of Narcotics Control Board and the Customs Department found:

• 96 SIM boxes
• 4 STARLINK receivers
• 27,019 Hong Kong SIM cards
• 6,770 Thai SIM cards

In the Linkedin post you can see the discussion on the purpose of the Starlink devices. And that is a lot of Hong Kong SIM cards!

People, Gossip, and Frivolous Stuff

Romain Vailleux is now Chief Product Officer at Apizee.

Shannon Chevier is now the Technology Lead at GE Vernova.

Eric Lammerding is now Director of Communications and Influencer Marketing at Lumos. I’ve known Eric since his Telesign days. That got me thinking about influencer marketing in telecoms. I find people who claim to be influencers in our domain anti-influencers, as they unthinkingly repeat vendor marketing, and the internet does that adequately.

Luis Cuende is now Cofounder & President, CitizenX. He was a winner at the first TADHack in 2014.

You can sign up here to receive the CXTech News and Analysis by email or by my Substack.