SMS messages are not end-to-end encrypted, yet we use them to receive One-Time Passwords (OTPs) for our most sensitive accounts—banks, social media, and more. That’s because nothing beats SMS in terms of convenience, and many services will only allow OTPs to be sent via SMS.
This leaves accounts vulnerable to a range of threats:
- SIM swaps are used by attackers to steal your phone number, so that they can receive your OTPs.
- SS7 or signaling attacks leverage compromised networks to convince your phone to route your SMS to an attacker.
- Rogue base stations impersonating legitimate cellular towers can trick a phone into connecting with it, and thereby be able to intercept SMS and MMS. Some IMSI catchers can force a downgrade to 2G, which is less secure.
- Legitimate, certified telecom base stations can be compromised by attackers to intercept your SMS.
- In 2025, Korean authorities disclosed a nearly “undetectable” compromise of femtocells, basically mini-base stations, that allowed interception of SMS and the hacking of personal financial accounts. There are at least 86,108 femtocells worldwide and their vulnerabilities had been known since 2012.
- Legitimate, certified telecom base stations can be compromised by attackers to intercept your SMS.
- A phone compromised by malware may give an attacker access to SMS.
- VOIP apps can also be compromised by malware and yield access to SMS.
Some of the threats listed above are directly mitigated by SIM Swap Protection, Identifier Rotation (which changes your IMSI), and Network Lock (which defends against signaling attacks).
Introducing Last-Mile Encrypted Texting
We’re pleased to now add middle-to-end encrypted SMS/MMS to layer on greater defense-in-depth, available in the Cape app as an Experimental Feature for our iPhone users!
End-to-end encrypted SMS isn’t possible, because the nature of SMS requires it to be decrypted in order to interoperate with other carriers. However, when you enable Last-Mile Encrypted Texting, we will encrypt all your SMS or MMS messages upon receipt and deliver them to you securely through the Cape app. (This will not impact any iMessage chats as those are already end-to-end encrypted.) Even if your SMS messages were intercepted somewhere between Cape and your phone, they're unreadable without the private key stored on your device.
Furthermore, when Last-Mile Encrypted Texting is enabled, our physical infrastructure partners who operate cell towers cannot see or log your SMS and MMS messages. We also hide key metadata via SIP encryption (for all devices that support it), which obscures the information shared to set up the delivery of your SMS or MMS. Therefore, infrastructure partners would not be able to scan SIP traffic to obtain your device ID (known as the “IMEI”) or to see the phone number to or from which you are sending or receiving a text. And finally, with this feature you can optionally set your messages to auto-delete after 1, 7, or 30 days.
How to get started
On January 27th, 2026, Cape exited our beta and launched several new features, including Secondary Numbers, Secure Global Roaming, and Identifier Rotation (for iPhone & Pixel). Last-Mile Encrypted Texting is coming soon to iPhone. For our other new features, you can find access instructions here.
