What Happens During a Cellular Connection?

David Dunn, Chief Architect

The telecom industry is essentially a massive, private internet. It interconnects globally through private exchanges and fiber connections in ways that are rarely visible or accessible to the public. When you finally peek underneath the hood of these networks, you realize the entire architecture is held together with duct tape and bubble gum. It’s a miracle that it functions at all.

This outdated system relies heavily on implicit trust—phones blindly trust the networks, and networks blindly trust each other. This inherent trust makes your mobile connection highly vulnerable to tracking and exploitation, sometimes by design and sometimes by unintended consequences.

Here is the technical reality of what happens during your cellular connection.

The Application Layer vs. The Cellular Layer

Many privacy-conscious users run system-wide VPNs and use over-the-top encrypted apps like Signal, but these tools only protect data at the application layer. The underlying cellular side is still left wide open.

Most modern phones are "voice-centric" devices. Even if you never make a traditional phone call and only use data, your phone will automatically attempt to connect to a voice channel and send a registration message. That underlying registration leaks identifier information like your subscriber ID, or IMSI, across the network, before you ever open an application.

The Anatomy of a Call on the Control Plane

Establishing a connection requires a massive exchange of metadata.

In telecom, we distinguish between the “user plane” and the “control plane.” The user plane is the part you would recognize: it carries the voice calls, SMS, and data traffic that you interact with. The control plane, on the other hand, is invisible but is what allows you to roam on a network, set up and tear down a call, and more. It’s here where a lot of metadata is exchanged.

When you power on your device, your SIM card instructs the phone to scan for networks based on pre-programmed preference lists. In 4G and 5G environments, the device and the network must mutually authenticate each other. They establish a security context using key material that is pre-distributed on the SIM card, and all of this coordination happens entirely on the control plane.

In 4G, the protocol has a bootstrapping problem: the first time you connect, the protocol forces your phone to send your IMSI in the clear. This flaw is how physical IMSI catchers can force your device to broadcast its identity.

The network then pulls your device ID, or IMEI, to check if the device is stolen or restricted, and you negotiate device capabilities. If you make a Voice over LTE (VoLTE) or 5G Voice over New Radio (VoNR) call, your phone also must register to a SIP server on the control plane prior to registering your intent to make a phone call.

Your phone constantly broadcasts its capabilities, such as supported bands and 4G/5G compatibility. Networks can use this capability data, alongside user agent strings revealing your OS or apps, to fingerprint your device entirely separately from your SIM card.

The Physics of Location Tracking

Location tracking does not require GPS or Wi-Fi; it is built into the physics of maintaining a cellular connection.

As you physically move, your session state hands off from tower A to tower B. Networks use precise calculations to measure the time delay of a signal traveling from your device to the tower, combined with relative signal strength, to coordinate your connection. With infrastructure shifting heavily toward small cell radios designed to cover areas as precise as a stadium entrance or a city block, cellular triangulation can now pinpoint your location within a handful of meters.

Signaling Attacks

All of this metadata exchanged on the control plane is available to commercial surveillance vendors. Attackers can exploit the implicit trust between telecom networks to request your phone’s location, and abuse roaming protocols to route your calls and SMS to them.

Call Data Records

The locations and unique identifiers described above also get collected and recorded every time you use voice, messaging, or data, in files called Call Data Records (CDRs). CDRs are used for billing and accountability, and contain identifiers like your IMSI and IMEI (the device ID), alongside your location data. Traditional carriers often store these records, meaning someone can go back in time and reconstruct your precise movements.
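To make the reconstruction risk concrete, here is an added example (not code from the post or from Cape) that models a handful of constructed CDRs, shows how a retained archive yields a subscriber's movement trail, and then applies a 24-hour retention window with identifier minimization. The record layout, the "area-cell" cell-id convention, and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(hours=24)  # records older than this are deleted

@dataclass(frozen=True)
class CDR:
    ts: datetime           # when the call, SMS or data session occurred
    imsi: str              # subscriber identity (15 digits)
    imei: Optional[str]    # device identity; not needed to bill a subscriber
    cell_id: str           # serving cell, constructed here as "<area>-<cell>"
    kind: str              # "voice", "sms" or "data"
    units: int             # seconds, messages or bytes, depending on kind

def movement_trail(records, imsi):
    """What a retained archive reveals: the ordered list of cells one
    subscriber was seen in. This is the reconstruction risk, not a feature."""
    mine = sorted((r for r in records if r.imsi == imsi), key=lambda r: r.ts)
    return [(r.ts, r.cell_id) for r in mine]

def minimize(cdr):
    """Strip what billing does not need: drop the IMEI and keep only the
    coarse area part of the cell id."""
    return replace(cdr, imei=None, cell_id=cdr.cell_id.split("-")[0])

def apply_retention(records, now):
    """Delete anything outside the 24-hour window, minimize what remains."""
    cutoff = now - RETENTION
    return [minimize(r) for r in records if r.ts >= cutoff]

# Constructed sample: three days of activity for one subscriber (all values made up).
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
SUB = "310999000000001"
DEV = "351234567890123"
SAMPLE = [
    CDR(NOW - timedelta(days=2), SUB, DEV, "A1-7", "voice", 120),
    CDR(NOW - timedelta(days=1, hours=1), SUB, DEV, "B4-2", "data", 50_000),
    CDR(NOW - timedelta(hours=3), SUB, DEV, "C9-5", "sms", 1),
]

if __name__ == "__main__":
    print("archive reveals:", movement_trail(SAMPLE, SUB))
    print("after policy:", [(r.cell_id, r.imei) for r in apply_retention(SAMPLE, NOW)])
```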

Fixing the Duct Tape: Transforming Telco into Modern Software

Most Mobile Virtual Network Operators (MVNOs) are simply sales platforms that lease infrastructure from major carriers and slap a new logo on it. The underlying hardware, software, and vulnerabilities remain exactly the same.

At Cape, we chose to play on hard mode. We built from scratch. Using AWS for cloud infrastructure might sound run-of-the-mill to standard software engineers, but treating a cellular network like a modern software stack is unprecedented in telecom.

By owning the core network, we dictate the rules:

  • We dictate the retention period on CDRs, actively removing unnecessary identifiers and deleting the records after just 24 hours.
  • An IMSI is just a 15-digit number programmed on your SIM. Because we control the core network, we allow our users to transform this traditionally static identifier into an ephemeral one, rotating it automatically every 24 hours or on-demand.
  • Because we own the signaling plane operating on the Diameter protocol, we actively develop rules above industry standards. We allow users to set thresholds, such as blocking incoming roaming requests from foreign countries.
  • To bypass standard telephony flaws, we take certain SMS messages and send them via encrypted comms directly to your device once they hit our network.
  • SIM swaps traditionally happen through social engineering customer support reps. We replaced this fallible process with Public Key Infrastructure. During onboarding, you receive a 24-word recovery phrase, acting like a crypto wallet private key. Without that cryptographic proof, unauthorized SIM changes are impossible.
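The IMSI structure and the per-subscriber roaming rule in the list above, as an added example (not Cape's code): a simplified stand-in for a Diameter S6a Update-Location-Request is checked against the 3GPP EPC realm naming convention and a subscriber policy that blocks location updates from foreign networks. The ULR dataclass, the two-versus-three-digit MNC rule, and the sample IMSIs are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Simplified stand-in for a Diameter S6a Update-Location-Request (ULR), the
# message a visited network sends to the home network when a subscriber
# attaches abroad. AVP names are the real ones; the structure is constructed.
@dataclass
class ULR:
    user_name: str        # User-Name AVP: the subscriber's IMSI
    visited_plmn_id: str  # Visited-PLMN-Id AVP as MCC+MNC digits, e.g. "26201"
    origin_realm: str     # Origin-Realm AVP of the sending network

@dataclass
class SubscriberPolicy:
    block_foreign: bool = False                                  # user opted out of roaming abroad
    allowed_mccs: frozenset = field(default_factory=frozenset)  # per-country exceptions

# 3GPP EPC realm convention: epc.mnc<MNC, 3 digits>.mcc<MCC>.3gppnetwork.org
REALM_RE = re.compile(r"^epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

def split_imsi(imsi):
    """Split a 15-digit IMSI into (MCC, MNC, MSIN). Assumption for this example:
    the MNC is 3 digits when the MCC starts with 3 (North America), else 2."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    n = 3 if mcc[0] == "3" else 2
    return mcc, imsi[3:3 + n], imsi[3 + n:]

def evaluate_ulr(req, policy, home_mcc):
    """Decide ("allow"|"block", reason) for one incoming location update."""
    mcc, _mnc, _msin = split_imsi(req.user_name)
    if mcc != home_mcc:
        return "block", "IMSI is not one of ours"
    m = REALM_RE.match(req.origin_realm)
    if m is None:
        return "block", "Origin-Realm is not a 3GPP EPC realm"
    realm_mcc = m.group(2)
    visited_mcc = req.visited_plmn_id[:3]
    if realm_mcc != visited_mcc:
        return "block", "Origin-Realm and Visited-PLMN-Id disagree"
    if visited_mcc == home_mcc:
        return "allow", "domestic location update"
    if policy.block_foreign and visited_mcc not in policy.allowed_mccs:
        return "block", f"subscriber blocks roaming outside MCC {home_mcc}"
    return "allow", f"roaming permitted in MCC {visited_mcc}"
```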

We decided from a design perspective that you can’t just overlay extra privacy and security mitigations atop a compromised network. We’re completely rebuilding the telecom mobile core with modern software engineering and .

If you’d like to join us, please check out our .

See David Dunn's full deep dive .
