At Cape, we believe privacy and security shouldn’t be left up to blind trust. Traditional telecom systems often rely on outdated practices that expose users to significant risks, as highlighted by a 2012 incident reported by Krebs on Security. In that case, attackers socially engineered an AT&T employee to enable voicemail forwarding, intercepting two-factor authentication (2FA) codes sent via voicemail. This breach granted unauthorized access to sensitive accounts, illustrating how human intervention and unencrypted voicemail systems can become critical weak points.
Unlike traditional telcos, which often avoid encryption due to added complexity, we embrace the challenge to ensure your communications remain private and secure. We’ve designed our network with privacy at its core, eliminating vulnerabilities and encrypting as many workflows, internal and external, as possible—including voicemail. Our Encrypted Voicemail feature ensures that your messages are secure from attackers, third parties, and even us.
Encrypted Voicemail
Cape encrypts all voicemails at rest, and they can only be decrypted by our subscribers—a level of voicemail protection that only Cape offers. We leverage asymmetric encryption—similar to what we use to protect you from SIM swaps—ensuring that your voicemails can only be decrypted by the private key stored on your device.
This means that only you can listen to your voicemails. Even in the unlikely event of a breach or if authorities subpoenaed your voicemail, they would only gain access to encrypted voicemail files. Without the private key stored on your device, those files remain indecipherable.
Encrypted Voicemail is exclusively accessible within the Cape app. Your native iOS or Android voicemail app cannot decrypt these files.
How It Works
Here’s how Cape’s Encrypted Voicemail keeps your messages secure:
- A caller places a call to a Cape subscriber, which is routed through Cape's Mobile Core.
- The Cape Subscriber is unavailable (hangs up or does not answer).
- The call is rerouted to the Voicemail Server (VMS).
- The caller leaves a voicemail message.
- Within the VMS, the voicemail audio is encrypted.
- The encrypted audio and sensitive metadata are securely stored in cloud storage with encryption at rest.
- When the Cape Subscriber becomes available, their phone retrieves the encrypted voicemail from the VMS and decrypts the voicemail.
- Before it is stored locally, the voicemail is re-encrypted using a device-specific key.
Our Encryption Methodology
We use modern cryptography to safeguard your data. On your device, an RSA key pair is deterministically generated based on your 24-word passphrase.
The server encrypts voicemail content using an AES key, which is then encrypted with the subscriber's RSA public key. The plaintext AES key is discarded immediately after encryption, ensuring that the server cannot access the AES key to decrypt the audio. This design means that only your device, with its RSA private key, can decrypt the AES key and access the voicemail content.
If you lose your device, your 24-word passphrase allows you to regenerate your RSA key pair on a new device, ensuring that you maintain access to your voicemails without compromising security. The keys are securely stored in a trusted environment on your device, adding another layer of protection.
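The wrap-and-discard flow described above, as an added Node.js example (not Cape's code): the server encrypts the audio under a fresh AES key and stores only the RSA-wrapped copy, and the device unwraps and decrypts. The page does not name a cipher mode or padding, so AES-256-GCM and RSA-OAEP with SHA-256 are assumptions, as are the function names, and a randomly generated key pair stands in for the passphrase-derived one.

```javascript
// Added illustration, not Cape's code. Assumed: AES-256-GCM and RSA-OAEP/SHA-256.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Stand-in for the subscriber's key pair. The page derives it from a 24-word
// passphrase; here it is generated at random (hypothetical helper).
function makeSubscriberKeyPair() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Server side (VMS): encrypt the audio with a fresh AES key, wrap that key with
// the subscriber's public key, then drop the plaintext key.
function sealVoicemail(publicKey, audio) {
  const aesKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(audio), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, aesKey);
  aesKey.fill(0); // best-effort wipe; only wrappedKey is kept in the record
  return { wrappedKey, iv, tag, ciphertext };
}

// Device side: unwrap the AES key with the private key, then decrypt and verify.
function openVoicemail(privateKey, record) {
  const aesKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", aesKey, record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws if the ciphertext or tag was modified while in storage
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// Constructed sample: a short byte string standing in for recorded audio.
function demo() {
  const subscriber = makeSubscriberKeyPair();
  const other = makeSubscriberKeyPair();
  const audio = Buffer.from("constructed sample voicemail audio bytes");
  const record = sealVoicemail(subscriber.publicKey, audio);
  const roundTrip = openVoicemail(subscriber.privateKey, record).equals(audio);
  let wrongKeyFails = false;
  try { openVoicemail(other.privateKey, record); } catch { wrongKeyFails = true; }
  const tampered = { ...record, ciphertext: Buffer.from(record.ciphertext) };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored ciphertext
  let tamperDetected = false;
  try { openVoicemail(subscriber.privateKey, tampered); } catch { tamperDetected = true; }
  return { roundTrip, wrongKeyFails, tamperDetected };
}

console.log(demo());
```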
Metadata Encryption
In his bestselling book Means of Control, then-Wall Street Journal cybersecurity reporter Byron Tau highlights how metadata—though not protected under the Fourth Amendment—can reveal an awful lot about you. Metadata, such as who is calling whom, when, and for how long, can reveal enormous amounts about a person’s personal life.
To address this, Cape encrypts sensitive metadata such as the MSISDN (i.e., the phone number) of anyone leaving you a voicemail. This ensures that beyond the content of your voicemail, the identity of your callers is also protected.
By encrypting both content and metadata, Cape helps safeguard your privacy from every angle.
Cape’s Encrypted Voicemail feature represents a new standard in secure communication. By encrypting voicemails and ensuring that no employee or support agent can access or forward your messages, we eliminate vulnerabilities that traditional telecom providers often overlook.
At Cape, we’ve designed every feature with one goal in mind: putting you in full control of your communications. Switch to Cape, where your messages are yours and yours alone.