XCell Security

When encryption is not enough

Written by XCell Technologies

Published on March 3, 2019

A revolutionary innovation: Multi-Layer Security Protocol – MLSP® by XCell Technologies
Real end-to-end encryption and protection

If you are super important, super paranoid or a super spy, there are times when you need to be able to use a cell phone without leaving a trace or giving anyone, including law enforcement and intelligence agencies, any chance to intercept your calls and text messages.

Secure = encryption? Well, think again...

Nowadays, interception affects most people, even if they are not aware of it. Leaving aside the so-called “off-air GSM interception systems”, also known as “IMSI catchers”, “GSM Interceptors” or “StingRays”, it has been known since 2014 that, using the legacy SS7 (Signaling System No. 7) protocol, SMS text messages can be easily intercepted by using Diameter-based networks, independently of device or OS type. Signaling System No. 7 vulnerabilities are easy to exploit, even for hackers, since it is a 50-year-old protocol that probably sits behind the majority of cell phones and text messages in the world.
Generally speaking, most users who are aware of cell phone interception by the above technologies believe that using encryption solutions will secure their calls and text messages. Is encryption a real solution? Let’s see…

Law enforcement, homeland security and other related actors have plenty of methods to intercept messages and read text content, even when encryption is used. From SS7 exploits, encryption backdoors and intentionally weakened popular encryption algorithms to lawful hacking that circumvents encryption and high-tech decryption technology, all of these are at their fingertips.

Encryption does not protect your privacy. Not at all.

Recent headlines warn that the government now has greater authority to hack your cell phones, in and outside the US. Changes to federal criminal court procedures known as Rule 41 are to blame; they vastly expand how, and whose, cell phones the FBI can legally hack. But just like the NSA’s hacking operations, FBI hacking isn’t new. In fact, the bureau has a long history of surreptitiously hacking us, going back two decades.

Back-doors provided for law enforcement

Encryption back doors remain largely viewed as weakening everyone’s protections all the time for the sake of some people’s protections on rare occasions. As a result, workarounds like the one the FBI found are likely to be the most common approach going forward. Indeed, in recent years, law enforcement agencies have greatly expanded their hacking capabilities.
Many reputable encryption developers and companies have chosen to retain the ability to read and use their customers’ content, or perhaps they decided there is not a sufficient business case to add end-to-end encryption or user-controlled encryption. Their users’ encrypted content is more readily available to law enforcement because they hold the decryption keys. The same companies offer their services in a way that encryption does not preclude their ability to hand over the content to law enforcement in response to a warrant. Are those services as secure?

Lawful hacking

Most national security agencies have been shown to have immense surveillance capabilities actively deployed on a mass scale, especially in those countries where the functions of law enforcement and national security overlap. Besides encryption master keys and built-in back doors that give law enforcement exceptional access to anyone’s secrets and privacy, they now have unprecedented access to information through open-source intelligence, collection of metadata, sophisticated traffic analysis tools and data analysis algorithms. Many local and international laws mandate insecurity by requiring government access to all data and communications, which permits lawful hacking (otherwise known as encryption circumvention).

Encryption vendors and law enforcement work together to solve the access “problem”. One suggested fix is one-way information sharing, where vendors make law enforcement aware of unpatched exploits, allowing the government (and anyone else who discovers them) to use these vulnerabilities to gain access to communications and data. It’s a horrible suggestion, one that puts vendors in the liability line of fire and encourages continued weakening of device and software security.
Several individuals with backgrounds in security and systems have begun to explore possible technical mechanisms to provide government exceptional access.


XCell approach regarding SMS encryption and protection

XCell Technologies is really serious about mobile security, bringing you the most advanced SMS security solutions. Concerns about government mass surveillance and the ability to decrypt anything by using given master keys, backdoors, lawful hacking or effective decryption solutions were the factors that drove us to develop brand new and 100% secure SMS communications, which use not only strong military grade encryption but also add a new security layer by exploiting the GSM network via MLSP®, to make sure there is no way to intercept text messages or metadata, even in encrypted mode. All of the above surpasses existing commercial encrypted apps, services and devices, as well as law enforcement access to your sensitive info.
GSM provides by default only a basic range of security features to ensure adequate protection for both the operator and the customer. Over the lifetime of a system, threats and technology change, so security is periodically reviewed and updated here at XCell Technologies and then applied to our products.
Taking advantage of the GSM network architecture and the SMS Transport Protocol, our SMS encryption technology is capable of sending and receiving encrypted and non-interceptable messages.
Our SMS encryption application, called XCrypt, uses a groundbreaking multi-layer technology to protect SMS from being intercepted and decrypted. As a unique encryption application, besides strong military grade encryption, XCrypt uses a brand new patented technology to send and receive encrypted messages: discrete GSM channels, or Multi-Layer Security Protocol®. This protects not just the encrypted text messages but also the metadata, which is not encrypted.

XCrypt concept. An insight into techniques used for 100% secure text messages


  • “A-Party” phone: the sender phone, which sends encrypted messages via MLSP®.
  • “B-Party” phone: the receiver phone, which will decrypt and display the received message.
  • Plain text message: a standard text message that can be read by anyone. Can be intercepted and read with no effort.
  • Encrypted message: an encrypted text message that can be read only by using the right password. Can be easily intercepted in encrypted mode but cannot be read. A password is required in order to read the message.
  • Metadata: data about data. SMS metadata is not encrypted because it is not contained in the encrypted text itself, but law enforcement agencies collect unencrypted metadata to characterize the encrypted data. SMS metadata contains data about the sender, receiver, message encoding (UTF8, UnicodeX etc.), date/time and length.
  • Non-interceptable message: a text message (plain text or encrypted) which cannot be intercepted by any means.
  • Real end-to-end encryption: no Internet and no 3rd party servers involved.
  • XCrypt: a software application that uses MLSP® in order to send/receive ultra-secure messages.

MLSP® (Multi-Layer Security Protocol) consists of:

1. Physical layer: encrypted text message.
The phone will encrypt text messages by using the following protocols:

  • RSA
  • AES 256
  • Elliptic Curve (ECIES) 256
  • SHA256
  • Protected by ITSEC Evaluation level 3

2. Multi-layer routing and transport protocol. Encrypted SMS data is randomly segmented and distributed in bursts by Application Port Addressing Technology, via discrete GSM channels which are usually not “listened” to by mobile interception systems (IMSI Catchers, GSM Interceptors or StingRays), both on the air interface (the Um interface in GSM terms) and on the Abis, A and C-G mobile network interfaces. This way, SMS data which is usually sent over GSM Layer 1 (and widely intercepted on Layer 1) is sent using a combination of GSM Layer 1 and GSM Layer 2 (LAPDm). Consequently, neither mobile interception systems (such as GSM Interceptors) nor lawful interception systems (SS7 interception, also known as network switch based interception or interception with the help of the network operator) will be able to intercept the whole message, but only a few bursts which are encrypted anyway.

3. Metadata protection. Regular SMS metadata is not saved in a separate file (called a metadata file). XCrypt separates the metadata from the data it describes (the encrypted SMS text), sending the metadata file in bursts over the network using the same Port Addressing technology. Metadata is of little value without the data file (SMS) it relates to. At the same time, metadata makes the data more usable and therefore more valuable. An encrypted text message with a separate metadata file will reveal nothing about the SMS sender and receiver.

How does it work


1. Phone level

At phone level XCrypt uses a technology called port-directed SMS, which is widely implemented in J2ME MIDP on mobile devices. The concept is basically that when a user sends an encrypted SMS message to the “B-Party” phone, a particular port number is specified along with the encrypted message, so only a device which is “listening” on that particular port will be able to receive the encrypted message. When a message is received on a port that the application is listening on, the message is routed directly to the secure Inbox instead of going to the standard message Inbox.
XCrypt locally encrypts text messages at military level and then, by message segmentation and Port Addressing, sends randomly split bursts (bit streams) to the “B-Party” phone, along with certain port address data, by adding redundant bits to the information binary string. Along with the encrypted split message, the application on the “A-Party” phone sends Port Addressing data, which triggers the opening of a certain Port Address on the “B-Party” phone. This way, the encrypted message goes through, bypassing the standard phone Inbox and arriving directly in the secure Inbox.
All these steps are transparent on the receiving (“B-Party”) phone, which also requires user interaction: the user has to allow the message to be routed to the secure Inbox and decrypted by entering the right password.
On the “B-Party” phone, the encrypted bursts are selectively received by port destination address, concatenated, decrypted and displayed, and only on a “B-Party” phone which uses the same XCrypt application “listening” on certain receiving ports.
If XCrypt is not also installed on the “B-Party” (destination) phone, the received message will be neither delivered nor displayed by the phone (not even in encrypted/unreadable mode), due to Port Addressing technology, which filters messages by port address.
When an SMS is encrypted, the metadata file is generated separately from the text message and not as an integral part of the message, as with regular SMS. The metadata file is then truncated and sent in bursts over the GSM network by Port Addressing technology. This way no metadata can be intercepted by SS7 means.
At this level, handset vulnerability refers to forensic-grade hardware and software intended to extract system files and private data from the phone, including decrypted messages stored in the XCrypt secure Inbox. XCell phones are protected against forensic procedures by USB volatile filters which do not permit any unauthorised USB connection, triggering a motherboard self-nuke. Moreover, XCrypt runs on a Sandbox partition which is 100% encrypted and protected against file extraction by a self-delete mechanism.
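The port-directed delivery and segment concatenation described in this section correspond to two standard SMS User Data Header elements defined in 3GPP TS 23.040: application port addressing (IEI 0x05) and concatenated short messages (IEI 0x00). The following Python is an added example, not XCell's code or XCrypt's wire format (which the page does not give); port 16001, the helper names and the sample segments are constructed for illustration.

```python
IEI_CONCAT_8BIT = 0x00   # concatenated short message, 8-bit reference number
IEI_PORT_16BIT = 0x05    # application port addressing, 16-bit ports

def parse_udh(user_data: bytes):
    """Split TP-User-Data into (header fields, payload); ValueError if malformed."""
    if not user_data or user_data[0] + 1 > len(user_data):
        raise ValueError("UDHL missing or longer than the user data")
    udhl = user_data[0]
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    fields, i = {}, 0
    while i < len(header):
        if i + 2 > len(header) or i + 2 + header[i + 1] > len(header):
            raise ValueError("information element overruns the header")
        iei, ielen = header[i], header[i + 1]
        data = header[i + 2:i + 2 + ielen]
        if iei == IEI_PORT_16BIT and ielen == 4:
            fields["dst_port"] = int.from_bytes(data[:2], "big")
            fields["src_port"] = int.from_bytes(data[2:], "big")
        elif iei == IEI_CONCAT_8BIT and ielen == 3:
            fields["ref"], fields["total"], fields["seq"] = data
        i += 2 + ielen          # unknown elements are skipped, not rejected
    return fields, payload

def reassemble(segments, listen_port):
    """Return {ref: payload} for complete messages addressed to listen_port."""
    pending = {}
    for raw in segments:
        try:
            f, payload = parse_udh(raw)
        except ValueError:
            continue                      # drop malformed segments
        if f.get("dst_port") != listen_port:
            continue                      # not for this application
        total, seq = f.get("total", 1), f.get("seq", 1)
        if 1 <= seq <= total:
            pending.setdefault((f.get("ref", 0), total), {})[seq] = payload
    return {ref: b"".join(parts[n] for n in range(1, total + 1))
            for (ref, total), parts in pending.items() if len(parts) == total}

def make_segment(dst, src, ref, total, seq, payload):
    """Build constructed test input: UDHL + concat IE + port IE + payload."""
    udh = bytes([IEI_CONCAT_8BIT, 3, ref, total, seq, IEI_PORT_16BIT, 4])
    udh += dst.to_bytes(2, "big") + src.to_bytes(2, "big")
    return bytes([len(udh)]) + udh + payload

# Constructed sample: out-of-order segments, another app's port, one truncated segment.
SAMPLE = [
    make_segment(16001, 16001, 0x2A, 3, 2, b"-two-"),
    make_segment(16002, 16002, 0x07, 1, 1, b"other app"),
    make_segment(16001, 16001, 0x2A, 3, 3, b"three"),
    b"\x0b\x00\x03",
    make_segment(16001, 16001, 0x2A, 3, 1, b"one"),
]
print(reassemble(SAMPLE, 16001))
```

A receiver that is not listening on the destination port gets nothing back for those segments, which is the filtering behaviour this section describes; an incomplete set of segments is never returned as a message.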

2. Um level

The Um interface (the radio link between the cellular network and the subscriber handset) is the part of the GSM network most vulnerable to, and most exploited by, MitM attacks (IMSI Catchers, GSM Interceptors and StingRays), since no network operator help or target consent is needed. XCrypt makes use of the GSM network architecture and the SMS Transport Protocol in order to protect (already) encrypted messages from being intercepted even in encrypted mode. After encryption, the modulation signal has a carrier wave using GMSK (Gaussian Minimum Shift Keying) modulation. GMSK is a two-state modulation based on frequency shift keying.
On the Um interface XCrypt uses MLSP® technology: encrypted message bursts are sent not only on the usual L1 SMS channels, the SDCCH (Standalone Dedicated Control CHannel) signaling channels, but also on other available channels which are not subject to SMS interception, forcing Signaling Layer 2 (the data link layer based on the LAPDm protocol) for SMS Transport.
Since GSM Interceptors “listen” only to SDCCH physical channels in order to intercept text messages, they will catch only a few encrypted bursts sent over SDCCH, but not the whole encrypted message, which is split and sent over multiple channels by MLSP® technology.
The same goes for the metadata file: it is sent over the network in bursts, separately from the encrypted message body. No metadata extraction is possible at this level.

3. Core network level

The four-layer transport protocol stack of SMS (application, transfer, relay, and link) is used at this level, and the transfer layer of this stack is the one which secures the text message. The GSM core network consists of the Mobile switching center (MSC), Home location register (HLR), Authentication center (AuC), Visitor location register (VLR) and Equipment identity register (EIR), which are all vulnerable to network switch based interception, also known as SS7 interception or lawful interception. This kind of interception can be successfully performed only by law enforcement and homeland security agencies, with the help of a network provider that allows monitoring hardware (SS7 boxes) to be installed in its core network, based on the Communications Assistance for Law Enforcement Act (CALEA). CALEA’s purpose is to enhance the ability of law enforcement agencies to conduct lawful interception of communication by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in capabilities for targeted surveillance, allowing federal agencies to selectively wiretap any telephone traffic. CALEA covers mass surveillance of communications rather than just tapping specific lines, and not all CALEA-based access requires a warrant. Generally, lawful interception is implemented in a way similar to a conference call: while A and B are talking with each other, C can join the call and listen silently.

At this network level, the main security vulnerability is lawful interception. XCrypt takes advantage of the GSM core network, sending text messages that are both encrypted and non-interceptable by using MLSP® technology. Core network protocols cannot be enforced the way the Um interface can. Actually, there is no need to manipulate those protocols and transfer layers, as long as the message bursts that transit this part of the mobile network can be logically concatenated (fitted together) by Port Addressing and decrypted only by a “B-Party” phone which runs the same XCrypt application, and by knowing the right password. Consequently, no text message can be entirely intercepted by a third party that uses CALEA lawful interception. A few encrypted SMS bursts which are eventually intercepted via SS7 cannot lead by any means to SMS interception. Thus no private data will be collected by this method, and phone user privacy is preserved peer-to-peer from the “A-Party” to the “B-Party” phone.
Let’s face it: most of today’s encryption solutions take care only of the text itself, neglecting message metadata, which is still sent in plain text over the network due to network requirements. Law enforcement and other actors take advantage of this, collecting unencrypted metadata to characterize the encrypted data, which makes metadata a valuable source of information for them.
By using MLSP® technology on both the Um and Core network levels, collecting unencrypted message metadata is not possible, so there is no way to extract any additional info besides the encrypted message.
It has long been said that it doesn’t matter how secure your organization, or your personal information and assets, are if you connect them with third parties that are less secure. So take note: servers are third parties.

Real end-to-end encryption requires that no third parties be involved on the way from the “A-Party” to the “B-Party” phone.

For the maximum level of security and privacy, XCrypt does not require any Internet connection, third party servers or monthly subscriptions. All processes and protocols run locally on the phones (on the Sandbox partition), providing not just real end-to-end unbreakable encryption, but also non-interceptable messages, for the reasons explained above.
