Voice recording image

XCell Security

Voice call encryption: does really protect your privacy?

Blog icon written by XCell Technologies
Calendar icon

Published on April 06, 2021

“If encryption made any difference, they wouldn’t let us use it”, said someone.

Encrypted calls are protecting you from the ones that don’t want to (or cannot) intercept your phone calls, and does not protect you at all against the ones that can intercept your calls – law enforcement, homeland security and intelligence agencies. Make sense to you? If not, please read below.

Most people think that call encryption is the Holly Grail of secure communications, being also a mainstream when it comes to software development for mobile security. Why is that? Because of 007 movies? Not at all. Because is the only product you can find on nowadays security overcrowded market. From hardware devices to sophisticated software applications, all claim that encrypting your mobile voice calls is the best you can get and there are no other trustworthy solutions. Unfortunately encrypted calls does not offer real security when you are targeted not just by (abusive or not) law enforcement, homeland security or intelligence agencies, but worst, even when you are a target for a skilled hacker.

You don’t have to trust us. Just google for voice call encryption hack and tons of articles are available at a glance.

For those of you that use voice encryption products on mobile phones the last thing you would expect is for it to be easily decrypted and intercepted. You may have shelled out good coin for your application and rely upon it for your intellectual security, but what if that security was not as tight as you had imagined, what if a readily available wiretapping utility attainable by anyone, and a simple Trojan slipped on to your device could compromise all of your calls?

Back in 2010 blogger, hacker and IT security expert Notrax has done just that. For his own safety we will not reveal his name, however, Notrax has discovered that 12 commercially available mobile voice encryption products can be intercepted and compromised using a little ingenuity and creativity as he has carefully detailed on his website.
He tested 15 voice encryption products in total, 12 of them were “worthless”. It’s easy to take the software at face value when it “tells you” that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.

Secure means that Notrax did not manage to crack it. It does not mean that someone else would not be able to crack it.

These calls can be tapped by anyone that has basic technical skills or the money to back up such an endeavor. “Statistics show Government agencies on average conduct 50,000 legal wiretaps per year (legal= those where a court order is required), (Let’s not forget Echelon) another 150,000 phones are illegally tapped by private detectives, spouses and boyfriends and girlfriends trying to catch a potential cheater. Another estimate shows up to 100,000 phones are wiretapped by companies and private industry in some form of industrial espionage. It is happening and it is a big business.”

NoTrax encrypted voice call crack

SnapCell was safe, it’s a private encryption device that snaps on to your mobile, they claim to protect your mobile voice, fax and data communications from wiretapping, eavesdropping and line interference. SnapCell’s website has been offline since January 21st for unknown reasons. Click here for the webchiev.
If you are using one of the above voice encryption technologies, you may want to be on the lookout for a new solution, as XCell Stealth Phones. Although these applications cracked are not entirely secure, it would take much effort to bypass them, like having the attacker be able to load software or a trojan on your phone without you knowing. It’s similar to a credit card, so as long as you keep it with you in a secure place you should be fine for the most part.

Think that LTE mobile networks are secure? Well, think twice: hackers decrypt VoLTE encryption to spy on people calls. More here.

More cons regarding voice encryption

Though using of encryption to protect your privacy might be the prudent choice, the method has its own disadvantages:

  • Because a cell phone (no matter brand, OS, ram or chipset) does not have enough computation capabilities to encrypt/decrypt a phone call locally, voice encryption take place on 3rd party servers. That means your voice encryption app that you just installed on your “secure” smartphone act like a link to encryption server. This way, only by using data connection (WIFI, etc.) and stepping out on phone outer world you can use such application. The problem is that a server is actually someone else computer. You can’t find out who is really hiding behind that servers. Some manufacturers of cryptographic equipment have a track record of hidden cooperation with intelligence agencies and interested private companies. Some of them are not even using publicly scrutinized and standardized crypto algorithms (like Diffie-Hellman, SHA256, AES and Towfish), but “proprietary” encryption methods that are not available for public evaluation. Several “proprietary” crypto-algorithms that were not subject to public review have been shown to be easily breakable in the past, like the COMP128 algorithm that is in use in many GSM networks for authentication, so the “proprietary crypto” approach has to be regarded as very risky. In the end of the day that means you have no real control on your voice calls.
  • Introducing a back door into a crypto system does not even require active cooperation of the manufacturer of the equipment or software. All it takes is one bribed programmer to compromise an entire product.
  • You never know if encryption solution you use is indeed trustworthy and there is no reliable way to check it. Most of the encryption applications developers are not making public the source code. There can be (and most of the time there are) back doors used by law enforcement agencies. Sure, you can find source code for some encryption apps, which are made available for public by the developer itself. Unless you are not a cryptographer or cryptanalyst, there is no way for you average Joe, to find out if some security flaws affect your encryption app.

There is a master key for all encryption systems

Open sesame of encryption solutions

Will you use an encryption app that have servers located in let’s say… North Korea? Probably not, but you have to reconsider your opinion. Shortly saying, the more consolidated a democracy is, the easier is for law enforcement to get access to encryption servers, based on a simple warrant. All that because consolidated democracy countries know what we call the rule of law. Since encryption apps are not developed out of this planet and all encryption servers reside in some county, Govt and related institutions have a simple tool called judge warrant which will instantly “open” any “encrypted” server used for so called “secure” communication. Yes, its a matter of time. But in the end they will get a plain text or plain voice copy. Not to mention that NSA and other similar actors have tools and solutions that effectively circumvent any encryption apps, used nowadays to find out in real time what they are looking for.

Using voice call encryption might make you look suspicious and attract unwanted attention on you, exactly from the ones you are trying to hide from. Its like a ringing bell attached on your tail. Have a wild guess on what they will do in case the you use an encrypted cell phone. For sure they will use some other ways to get the info they need. They will not wait to find some security flaws in your crypto app, they will not attempt even deciphering. They will simply bug your home, office and vehicle, will spy on your computer, will intercept your mail and will use covert human intelligence sources (HUMINT) and whatever it takes to obtain relevant information about you and your activities. They can easily bypass the communication protection provided by the encrypted phones by simply collecting relevant information from other sources. Simple as that. Yes, its not on real time. But can be very close to that.

If you are targeted by an intelligence agency, encrypting your mobile communications does not mean that you are 100% protected against eavesdropping. Think about that: will they drop you just because you use encrypted communication? No, for sure.. Being a challenge for them, will find another ways to get the information they need. Sure, for a short period of time your secrets will remain… secret. But any decent agency will find at any time security breaches, gathering info they need about you, by any means.
Actually by encrypting your phone conversations, you are telling them that you have something important to hide and you invite agencies to use other ways to gather intelligence.

When using encryption over standard mobile network voice channels (not via data connection) like that encryption devices attached to your cell phone, that encrypted call is not so… encrypted as you think. Yes, will defend against call interception performed by spyware apps installed on your phone, because phone microphone is not used during encrypted call sessions. But even if you use such a device, the GSM operator or the entity that operates a GSM interceptor can find out pretty much information such as:

  • Both phone numbers involved in conversation.
  • Conversation length, time stamped.
  • Your (phone) location at the moment of call.
  • Your geo-location at every moment, by some simple and effective triangulation techniques, based on your phone IMEI that cannot be hided by any encryption app. Once you power up your crypto phone, IMEI and IMSI (if there is inserted a SIM card) will be sent out to network, for connection. No need to make any call or send any SMS. This is the way that all cell phones work, including your crypto phone.​

Other crypto phone field proven weaknesses:

  • Modern GSM interceptors can selectively and temporarily block any cell phone within its range based on IMEI and/or IMSI values, making that particular crypto phone unavailable for use, for as long as they want. This happen when a crypto phone uses data connection in order to make encrypted calls.
  • It is well known that cell voice encryption need high speed internet connection. Many modern GSM interceptors can downgrade your crypto phone connection from 3G/4G to 2G, by simply jamming 3G/4G uplink frequencies, which is a standard procedure. By doing that, crypto phones that use data connections will fail and become useless.

Not even notorious encrypted cell phones are immune to this attack. Few years ago, an average Joe posted on YouTube a short movie demonstrating how a well known app used for enterprise encrypted communications – GoldLock – can be defeated by a cheap commercial grade spy app called FlexiSpy. Because he had the phone in his hands with GoldLock already installed on, he installed also FlexySpy on the same cell phone. He started an encrypted phone call with another GoldLock phone. Entire conversation was recorded by FlexySpy in clear, just because FlexiSpy collect audio straight from the microphone, way before GoldLock proceed to voice encryption. Then, when conversation finished, was automatically sent by FlexiSpy via WIFI or data connection on a server where could be listened from user personal account. Simple, efficient and embarrassing for a top notch encryption application. You can do whenever you want the same test.
By some reasons, the video was removed from YouTube so we cannot post a link. Also since then, no more free trial apps are available from GoldLock, avoiding other similar situations. However, that does not make GoldLock less effective for private users, being by far one of the most secure communication application.
And yes, the same can happen with your “secure” cell phone.

This is why voice call encryption is a short time solution for secure communications. In fact, being predictable is one of the worst choice on intelligence battlefield. And using a crypto phone means that you are more than predictable.
When using any voice encryption solution (software or hardware), you will never know when actually your cell phone is intercepted, and by consequence you will never know when you are in real danger. Instead of crypto phones blind protection, it is better to know when someone attempt to tap your calls and when they are trying to locate you. Then you can act advisedly, taking the right decisions and even influencing them by different deception techniques. Here comes XCell Stealth Phones, which brings you the best of both worlds: interception detection and interception blocking. Detecting interception in real time and on the right time is really something else than using blind encryption, an advantage that is used by professionals against… professionals.

Let’s keep in touch!

We’d love to keep you updated with our latest news and offers

Further articles


Anti-NSO Pegasus Spyware

A malware vendor has set up a fake website claiming to be from Amnesty International, offering gullible users software that purports to protect them from the NSO Group’s Pegasus malware. In reality it is a Remote Access Trojan (RAT).


Cell phones that can’t be tracked?

The ability to hide your current location by showing your location elsewhere. Learn the difference between the real thing and unnecessary VPN apps. Find out more