The purpose of this CXTech Week 30 2024 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech? The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.
You can sign up here to receive the CXTech News and Analysis by email or by my Substack. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.
Covered this week:
- Kearney Dross: “The 5G API ecosystem is ready, but are communications service providers?”
- Podcast 80: TADSummit Innovators, Sandro Gauci, Enable Security
- The US cybersecurity agency CISA on Tuesday announced that it has added a recent Twilio Authy bug to its Known Exploited Vulnerabilities (KEV) catalog.
- Juniper Research forecast SMS traffic will slump by 20 per cent between 2024 and 2029
- The Crapification of the PSTN
- Remember RingTones?
- People, Gossip, and Frivolous Stuff
Kearney Dross: “The 5G API ecosystem is ready, but are communications service providers?”
Another day, another appalling report on Camara (network APIs, 5G APIs, network automation, or however this is spun at the moment). Every telco should run a Camara Review and build a point of view that is in the interest of its shareholders and employees, not in the interests of its vendors / GSMA.
Addressing the title: the 5G API ecosystem is NOT ready. It doesn’t exist outside a few specialized cases or misreporting. Show me the dev portals with live APIs, sample code and a testing environment. This report is poor; Kearney needs to perform quality reviews on the content produced in its name.
Starting with the first paragraph: “5G APIs present a significant opportunity for communications service providers (CSPs) to not only improve the customer and developer experience by providing the ability to strengthen network control for applications and give end users more choices but also monetize their 5G technology investments.”
The above statement is generally wrong, although for the enterprise division of some CSPs with fixed and mobile networks there is a degree of truth. There is, however, no quantification of the size of the opportunity, beyond the silliness of the McKinsey report. The developer angle is wrong in general. But ignore all the words, no specific example applications / use cases are given. Back during OneAPI I had a book full of example applications. Many were simple existing telecom services done better, UC (Unified Communications) and CC (Contact Center). Which came to pass, and telcos are now reselling those services, e.g. Vodafone and AT&T are reselling RingCentral.
5G is 100s Mbit/s, home broadband is 100s Mbit/s. Customers and developers simply do not care about controlling these fat pipes. Developers want transparent internet access, fast enough that services just work end to end. However, their experiences have shown congestion or poor performance can happen in many places: in the home network, on the device, in the cloud providers’ infrastructures, and over the radio access (4G or 5G; most people do not know how they are connected, and phones have options to connect to 4G when 5G is available to improve battery life). QoS is complex and only ever partial, rarely end to end, which generally makes it useless for developers. This is not new insight, enterprise divisions of fixed telcos have known this for decades.
5G APIs are simply niche to P5G (Private 5G) wanting to nail-up capacity for multiple UHDV (Ultra High Definition Video) channels, when in reality provisioning and statistical multiplexing has worked well in the past decade with 4G and will continue to work in the future with 5G. 5G APIs will be implemented by whoever’s selling the P5G solution to the airports, docks, open cast mines, etc. It will happen, but demand pull versus supply push will be hard to determine.
API standards do not equate to widespread adoption and monetization, years have been wasted defining standard APIs that developers do not want. Making it a standard is perverse as it makes the APIs inflexible. APIs need to adapt. Look at NaaS (Network as a Service), it’s a front-end portal, no API jabber, simply a way to configure the network resources for the enterprises’ needs across access, metro, cloud, and telecom services. Check out how Epsilon positions Infinity, a real deployed service for enterprises. 5G APIs are potentially a tiny increment on that existing market.
Developers generally do not care about orchestrated API access. This is only necessary because of the multiple telcos, aggregators, cloud providers, and others trying to be involved. Hence the approach Epsilon takes with Infinity. Look at the complexity of the messaging in Singapore’s Paragon, the multiple brands and overlapping offers. It’s a mess.
Remember Singapore is an island nation with a population density of 8.6k per square km (22.3k per sq mile). US is 37 people per square km. Singapore is a special situation. While 5G SA has achieved country wide deployment, it’s unlikely many other countries will follow suit, partially because there is no business case for 5G SA deployment.
Developers want easy to use APIs that solve a problem at a price point or business arrangement that works for their business. Given the uncertainty around 5GSA deployment globally, there’s simply no rationale for a developer. Rather a vendor deploying P5G could make an argument, however, provisioning and stat mux will remain cheaper.
Examining the scenarios discussed in the report:
- 1) “The Impasse, where CSPs continue to act as a “dumb pipe” with limited uptake of APIs.”
- This is BAU (Business As Usual), the pipe is fat and customers are happy. 5G APIs are irrelevant and do not solve problems developers face. Rather the problem being solved is for vendors needing telcos to spend money on them with little chance of return on investment.
- 2) “Open Networks, where regulators or another party steps in to spur innovation and influence API development standards, leading to distribution that’s heavily weighted toward third-party channels with limited value accruing to CSPs.”
- The networks are already open, it’s called internet access, APIs within the network are not required. Developers generally cope with 2 variants, Android and Apple, that’s it. An integrator will build something for the special case in Singapore as they are being paid for the work, not earning revenue from companies downloading their app.
- 3) “The CSP industry can shift the likely outcome and improve the addressable market by taking early decisive action to generate two more promising scenarios, where operators collaborate to set API standards and orchestrate API access, resulting in widespread adoption and monetization, with CSPs rewarded for their action.”
- No on API standards, developers are not asking for such APIs. Ericsson wheels in a few people working on QoS APIs and pretends they’re developers, there’s always a few. But where is the money? It’s simply not there as the pipe is fat, 5G is not end to end for most enterprise applications, and 4G is good enough.
On the applications mentioned in the report, there are only 3: Face-to-face video, Gaming, Entertainment on the go. All of which are provided adequately today over 4G. For events especially outside broadcast there are a range of solutions that can include 5G, but that is niche, and keep an eye on web based innovations, see Broadcast Bridge from Dan Jenkins.
There simply is no driver for 5G SA, given 5G’s broad deployment we would have seen something. In my personal experience 5G is about twice as fast as 4G. It came for free with my new phone. Claims about poor network performance and people willing to pay in the report seem farcical as they are already paying for service and clearly the carrier has a coverage issue that the drive test did not expose.
I could continue ripping apart the tower of assumptions in this report, but that is very boring. Kearney, you need a QA process, as this paper makes your organization look like a shill with a lack of understanding of the reality of telecoms. As bad as McKinsey with its hundreds of billions claim for 5G APIs. We’ve got to raise the quality bar on what consultants produce these days.
To the Telcos, run a Camara Review and build a point of view that is in the interests of your shareholders and employees, not in the interests of your vendors / GSMA. The nonsense being published is an industry wide embarrassment.
AND check out the TADSummit Agenda, coming next week, you’ll see telecom and communication innovations that will impact your customers. We’re entering a new phase of programmable communications, where it gets embedded into other platforms.
And I’ll restate one more time, fixed broadband leads the way and it’s not into QoS.
Podcast 80: TADSummit Innovators, Sandro Gauci, Enable Security
Sandro Gauci, CEO of Enable Security, is a TADSummit regular, here are a few of his presentations.
- 2022. How to bring down your own RTC platform. Running DDoS simulations on your own. Slides and Video.
- 2021. The worst of enemies – let’s talk about DDoS and RTC
- 2020. Getting offensive: a different approach to RTC security.
I’m a regular reader of his monthly RTC Security newsletter, I consider it required reading for the industry. The breadth and depth of analysis are great, whether you’re after a quick review of the top RTC security issues this month, or to delve into the details of what is happening on the ground. The newsletter has you covered.
Enable Security provides cyber-security penetration testing across VoIP and WebRTC, as well as testing tools (SIPVicious), general consulting, and RTC security research.
For the bulk of the discussion Sandro reviewed 5 trends over the past 6 months, which are covered in these slides.
The top 10 trends were:
- 1. Increasing focus on WebRTC vulnerabilities and security
- 2. Growing concern over VoIP and conferencing platform security
- 3. Rising importance of end-to-end encryption in communication platforms
- 4. Emerging threats from AI and machine learning in audio manipulation
- 5. Continued vulnerabilities in VoIP hardware and firmware
- 6. Increasing attention to STIR/SHAKEN implementation and its privacy implications
- 7. Growing importance of resilience in communication systems
- 8. Rising concerns about open relays and misconfigured SIP servers
- 9. Increasing focus on security in open-source VoIP and WebRTC projects
- 10. Growing importance of fuzzing and automated testing in RTC security
Sandro focused on 5 of them, well the last one is coming up in the July newsletter, as Sandro knew it’s on the topic I care about.
1. Increasing focus on WebRTC vulnerabilities and security. This means all browsers, so its reach is uniquely broad. The project is generally controlled by Google, so exposure of the vulnerabilities tends to be rather controlled.
Sandro did highlight some of their research work on “A Novel DoS Vulnerability affecting WebRTC Media Servers”. A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.
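The mitigation described above, filtering on ICE-validated IP and port combinations, sketched as an added example (not code from Enable Security's article or from any media server). The class and method names are hypothetical, the packets and addresses are constructed, and the first-byte ranges are those of RFC 7983.

```python
from collections import Counter

DTLS_HANDSHAKE = 22   # DTLS record content type for handshake messages
CLIENT_HELLO = 1      # handshake msg_type, first byte after the 13-byte record header


def classify(packet: bytes) -> str:
    """Demultiplex a UDP payload by its first byte (RFC 7983 ranges)."""
    if not packet:
        return "unknown"
    b = packet[0]
    if b <= 3:
        return "stun"
    if 20 <= b <= 63:
        return "dtls"
    if 128 <= b <= 191:
        return "rtp"
    return "unknown"


def is_client_hello(packet: bytes) -> bool:
    return len(packet) > 13 and packet[0] == DTLS_HANDSHAKE and packet[13] == CLIENT_HELLO


class IceGatedSession:
    """One media session (hypothetical names, not a real server's API)."""

    def __init__(self):
        self.validated = set()     # (ip, port) pairs that passed an ICE connectivity check
        self.dropped = Counter()   # rejected ClientHellos per source, a detection signal

    def ice_validated(self, src):
        """Assumed hook: the ICE agent calls this after a check succeeds for src."""
        self.validated.add(src)

    def handle(self, packet: bytes, src) -> str:
        kind = classify(packet)
        if kind == "stun":
            return "to-ice"        # the ICE agent authenticates STUN itself
        if kind == "unknown":
            return "drop"
        if src not in self.validated:
            if is_client_hello(packet):
                self.dropped[src] += 1
            return "drop"          # never reaches the DTLS or SRTP state machine
        return "to-dtls" if kind == "dtls" else "to-srtp"


def dtls_client_hello() -> bytes:
    """Constructed minimal record: 13-byte record header + 12-byte handshake header."""
    record = bytes([DTLS_HANDSHAKE, 0xFE, 0xFD]) + bytes(8) + (12).to_bytes(2, "big")
    return record + bytes([CLIENT_HELLO]) + bytes(11)


def demo():
    s = IceGatedSession()
    peer, other = ("192.0.2.10", 50000), ("198.51.100.7", 40000)  # constructed
    hello = dtls_client_hello()
    out = [s.handle(hello, other)]                       # arrives before ICE completes
    out.append(s.handle(b"\x00\x01" + bytes(18), peer))  # STUN binding request
    s.ice_validated(peer)
    out.append(s.handle(hello, peer))                    # validated pair is accepted
    out.append(s.handle(hello, other))                   # other source still dropped
    return out, dict(s.dropped)


if __name__ == "__main__":
    print(demo())
```

The per-source drop counter is an assumption about what is worth alerting on: a ClientHello arriving from an address that never completed ICE.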
2. Growing concern over VoIP and conferencing platform security. In one case the PSTN leg of a military conference was compromised. In another, again using the PSTN leg, pressing the # key enabled entry into a conference call. Likely # was an old operator call, but with everything now automated, it ended up being placed into a conference call.
There have also been multiple vulnerabilities in various VoIP phones and systems such as Mitel, Alcatel Lucent Enterprise, and Yealink. As the UCaaS market consolidates, the risks from all these VoIP phones will grow. Enterprises with a high exposure risk, e.g. banks or government, will likely need to act first.
3. Emerging threats from AI and machine learning in audio manipulation. Including Audio Jacking – using generative AI on live audio conversations; and the Goldfactory/GoldKefu mobile Trojan, which makes use of the Agora SDK for voice and video calls. The risk with these is the ability to scale: it’s not limited by the number of bad actors, rather by the reach of the trojan.
4. Growing importance of resilience in communication systems. An article from Bert Hubert, a well respected thinker in this area. It can be a cyber war that can impact the economy of a country(ies). Like we just experienced with CrowdStrike. Bert reviews how fragile many emergency communications systems have become because of all the layers added. This reminded me of the TADSummit Keynote we had on Mindful Connections, from Sami Mäkeläinen.
5. We finished on how Voice / SMS 2FA is hugely problematic, reviewing the compromise of SMS and VoIP logs from Cisco Duo, and Twilio’s Authy incident.
Please remember to sign up to Sandro’s monthly RTC Security newsletter.
Juniper Research forecast SMS traffic will slump by 20 per cent between 2024 and 2029
Juniper Research forecast SMS traffic will slump by 20 per cent between 2024 and 2029 with mobile operators potentially facing a decline in revenue if they don’t alleviate fraud concerns.
I have some work coming out next week that explores the long history of A2P SMS shenanigans, and the ways we can resolve the issues. Simply, telcos must take control.
Juniper claims the drop is due to the rise of commercially available alternatives in the face of rising SMS termination fees and high levels of fraud.
OTT messaging will dominate traffic this year due to feature-rich solutions and cost-effective pricing.
I’m suspicious of some of these numbers, China is dominated by WeChat, so A2P SMS is relatively small.
I wonder if email is considered OTT messaging, perhaps IP messaging or non-PSTN messaging 😉
The Crapification of the PSTN
I did a podcast for Commio today. I’ll include the link once it’s published. Sorry, but I got into a bit of a rant on that podcast.
The crapification of the PSTN has never been this bad. We’re experiencing the greatest degradation in telecoms ever. Every day I receive “spam likely” calls and spam SMS. Worse still they leave voice messages to waste my time further. Fraud and scams targeting the elderly (boomers) are causing them to lose their life savings and they are dying as a result.
Enterprises are forced to employ services to improve their rankings by a closed group of providers. But what choice do they have? Also multi channel is essential, yes, email is an option. People are no longer answering their phones. Throwing more companies at the problem is not the answer, I’m paying my carrier for PSTN services and they need to stand up and solve this directly.
Telcos have to take control of this situation, all the middlemen organizations they put in place are the cause of this mess, and the finger pointing has to stop. For STIR/SHAKEN, implement it at the PSTN gateways, not just the VoIP gateways. Telcos claim to be Techco these days, so use open source to implement STIR/SHAKEN at the PSTN gateways.
Messaging needs published rates and SMS governance to stop the games aggregators are playing. TCR – doesn’t work so dump that. Twilio / Syniverse are a monopoly, remove that monopoly and take the traffic directly. Fraud over SMS has brands moving back to email, it’s that bad!
Trust must be restored, but it can not be restored by the people who created / covered up the problems in the first place. Hence why SMS governance is critical combined with openness and harmonization of pricing. Hiding pricing leads to bad behaviors by aggregators.
Claims that RCS will resolve the situation, because of Apple’s unclear adoption, ignore Apple’s iMessage strategy and RCS’s 16 years of development and many (6?) claimed and then failed launches. Hope is not an option; specific, quantified, and direct action is the only way to stop the rot.
SMS governance, openness / harmonization of pricing, telcos taking control and removing the middle men (Messaging Monopolies).
The US cybersecurity agency CISA on Tuesday announced that it has added a recent Twilio Authy bug to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2024-39891, the security defect is described as an information disclosure issue in the Twilio Authy API accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, and resides in an unauthenticated endpoint leaking phone number data.
“Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.),” a NIST advisory reads.
Twilio warned of this vulnerability on July 1, urging users to update to Authy Android version 25.1.0 and iOS App version 26.1.0.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said.
Remember RingTones?
Remember the days of a new phone and downloading your fav ringtones? Given we no longer answer the phone as it’s likely yet another spam call, we no longer buy ringtones either, see diagram below.
People, Gossip, and Frivolous Stuff
Alok Kulkarni is now Principal Architect at GS Labs. We first met when he took part in TADHack in 2021 sponsored by Avaya.
- Second Place winning $4k
- Hack Name: Smart rescue, powered by Avaya fly monitor
- Team Name: Spaces Rescue Squad
- Members: Alok Kulkarni, Tejas Bramhecha, and Kalyani Bhate
- Description: To face any man-made or natural calamities like earthquake, flood, fire, COVID-19, etc. we want to showcase an idea of how Avaya products can play a vital role in rescuing and helping people in affected zones. Using this solution, we can make sure to reach out to everybody and help them to the best of our abilities. This solution uses spaces for the admin team to continuously monitor responses collated by telephony bot and using drone-spaces call we can remotely get help from specialists and do the damage assessment and get real-time information. Telnyx APIs can help us locate fake calls and Toolwire drill sessions can be used to aware people as to how to react in such situations.
- Resources Used: Avaya OneCloud CPaaS, Avaya Spaces, Google Dialogflow, Telnyx, Spaces Learning / Toolwire
Ilia Smolin is now a Sales Enablement Specialist at Intiaro. I’ve known Ilia since his time at Dzinga. They were a UCaaS, and had a neat little agent service, think mini CCaaS. I mentioned this at an industry event and was called a liar. Well, look at RingCentral today, Dzinga were early to market, and the industry was not ready for such discussions.
Mike Dauphinais is now a Program Manager at DT Services and Consulting. I’ve known Mike for about a decade, through his time at Voxbone and many of his hacks. Check out BURBUDY, it’s funny.
Amos Manasseh is now a partner at the Growth Institute at Mach49. I’ve known Amos for over one decade, since his time at Axiata. Amos came up recently with a DTW24 presentation where it appears Axiata were trying to reframe history. The reframing was to justify a global standards based approach to telecom APIs, which failed with OneAPI, and is failing with Camara and all the nonsense being created by paid consultants. See Kearney report review above.
Mark Callender has left the GSMA and is now VP, Show Content USA & EU, Money 20/20.
Dan Grossman is now an independent open for contracts and pro-bono research, analysis and writing. I’ve known Dan for a couple of decades, for example at the ATM Forum during his Motorola days, as well as many other standards bodies.
Abraham Yassine is now Sales And Marketing Intern at Marriott Vacations Worldwide.
Chris Wiggin is now Enterprise Account Executive at ecoPortal.