Pressing the mute button in popular video conferencing apps (VCAs) may not work the way you think, with apps still listening on your microphone, a new study shows.
Specifically, in the software studied, pressing mute does not prevent audio from being transmitted to the applications’ servers, either continuously or periodically.
Since this activity is not documented in the associated privacy policies, users have a poor understanding of how the mute system works, mistakenly assuming that audio input is muted when they activate it.
This misunderstanding is reflected in the first phase of the study, which revolves around a survey of 223 VCA users about their expectations when pressing mute.
Most respondents (77.5%) found it unacceptable that apps continue to access the microphone and possibly collect data when mute is active.
The study was conducted by a team of researchers from the University of Wisconsin-Madison and Loyola University Chicago, who published an article about their findings.
When mute isn’t really mute
As part of the study, researchers performed an in-depth runtime binary analysis of selected apps to determine what type of data each app collects and whether that data poses a privacy risk.
The applications tested in this phase of the study were Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet and Discord.
The team traced the raw audio transmitted from the applications to the underlying operating system’s audio driver, and possibly to the network. This way they could determine what changes actually happened when a user hits mute.
They found that regardless of mute status, all applications occasionally collected audio data, except for web clients that used the browser software’s mute function.
In all other cases, applications sample audio intermittently for various functional or unclear reasons.
Zoom, probably the most popular video conferencing app in the world, was shown to actively track whether the user is talking even while muted.
According to the study, the worst case was Cisco Webex, which continued to receive raw audio data from the user's microphone and transmitted it to the provider's servers in exactly the same way as it did when the microphone was unmuted.
“To inform Cisco of the results of our investigation, we have opened a responsible disclosure with Cisco regarding our findings. As of February 2022, their Webex engineering team and privacy team are actively working to resolve this issue.”
A bigger security issue?
Even if the aspect of users’ false expectations of privacy is left aside, several security issues arise from this behavior.
Even for apps that collect only limited audio data while muted, researchers found that it's possible to use that data to decipher what the user is doing 82% of the time, using a simple machine learning algorithm.
This concerns the rough classification of activities such as typing, cooking, eating, listening to music, vacuuming, etc.
Even if providers secure their servers, encrypt data transmissions, and their employees follow strict anti-abuse agreements, a man-in-the-middle attack can result in unexpected exposure for the target.
Remember that VCAs are used by high-ranking corporate executives, members of national security councils, and high-profile politicians, so data leaks when mute mode is active can be very damaging.
What can you do?
Second, if your microphone is connected to your computer via a USB or jack cable, you might as well unplug it when it’s muted.
Third, you can use your operating system’s audio control settings to disable your microphone’s input channel so that all applications receive audio at zero volume.
These are all tedious steps for most users, but for critical cases, ensuring ultimate privacy is well worth the extra effort.
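An added example (not from the study or the original article) for the operating-system step above, assuming a Linux desktop running PulseAudio or PipeWire's PulseAudio layer with the `pactl` tool: it lists which applications still hold a running capture stream on an input that is not muted. The sample text, app names and function names are constructed for illustration.

```python
import os
import re
import subprocess

# Constructed samples in the layout printed by `pactl list sources` and
# `pactl list source-outputs`; device and app names are made up.
SAMPLE_SOURCES = (
    "Source #1\n\tState: RUNNING\n\tName: example_mic\n\tMute: no\n"
    "Source #2\n\tState: IDLE\n\tName: example_headset\n\tMute: yes\n")
SAMPLE_OUTPUTS = (
    'Source Output #12\n\tSource: 1\n\tCorked: no\n\tMute: no\n'
    '\tProperties:\n\t\tapplication.name = "ExampleMeet"\n'
    'Source Output #13\n\tSource: 1\n\tCorked: yes\n\tMute: no\n'
    '\tProperties:\n\t\tapplication.name = "ExampleChat"\n'
    'Source Output #14\n\tSource: 2\n\tCorked: no\n\tMute: no\n'
    '\tProperties:\n\t\tapplication.name = "ExampleCall"\n')

def _blocks(text, header):
    """Split pactl output into {index: block_text} for one header type."""
    parts = re.split(rf"(?m)^{header} #(\d+)$", text)
    return {int(parts[i]): parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def _get(block, key, default=""):
    """Value of a 'Key: value' or 'key = "value"' line inside one block."""
    m = re.search(rf'(?m)^\s*{re.escape(key)}(?:: | = )"?([^"\n]*)', block)
    return m.group(1) if m else default

def live_captures(sources_text, outputs_text):
    """Recording streams that are running on a source the OS has not muted."""
    muted_sources = {i for i, b in _blocks(sources_text, "Source").items()
                     if _get(b, "Mute") == "yes"}
    live = []
    for idx, b in _blocks(outputs_text, "Source Output").items():
        paused = _get(b, "Corked") == "yes" or _get(b, "Mute") == "yes"
        if not paused and int(_get(b, "Source", "-1")) not in muted_sources:
            live.append((idx, _get(b, "application.name", "unknown")))
    return live

def pactl(*args):
    """Run pactl with untranslated output so the field names match."""
    return subprocess.run(["pactl", *args], capture_output=True, text=True,
                          check=True, env={**os.environ, "LC_ALL": "C"}).stdout

if __name__ == "__main__":
    try:
        src, out = pactl("list", "sources"), pactl("list", "source-outputs")
    except (OSError, subprocess.CalledProcessError):
        src, out = SAMPLE_SOURCES, SAMPLE_OUTPUTS  # no sound server: use samples
    for idx, app in live_captures(src, out):
        print(f"stream {idx}: {app} still has a live capture stream")
```

A listed stream shows only that the app is still reading the microphone, not what it sends; `pactl set-source-mute @DEFAULT_SOURCE@ 1` mutes the default input at the OS level so such a stream receives silence.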
Update April 15 – A Cisco Webex spokesperson sent Bleeping Computer the following statement on the report's findings:
Cisco is aware of this report and thanks the researchers for informing us of their research.
Webex uses microphone telemetry data to notify a user that they are muted, called the “mute notification” feature.
Cisco takes the security of its products very seriously, and it is not a vulnerability in Webex.