According to a new study, pushing the mute button on popular video conferencing applications (VCAs) does not always work as expected, and the apps may still be listening to your microphone.
In the software under investigation, pressing mute does not prevent audio from being sent to the applications’ servers on a continuous or periodic basis.
Because this activity is not disclosed in the related privacy policies, users have a poor grasp of how the mute system works and wrongly assume that audio input is cut when they engage it.
This misperception is evident in the study's first step, which involved polling 223 VCA users about what they expect when they click the mute button.
When the mute option is activated, the majority of respondents (77.5%) thought it unacceptable for applications to continue to access the microphone and possibly capture data.
A team of academics from the University of Wisconsin-Madison and Loyola University in Chicago conducted the investigation and published their findings in a paper.
When the mute button isn’t actually muted
The researchers conducted a full runtime binary analysis of chosen applications as part of the study to establish what kind of data each app gathers and whether that data poses a privacy concern.
Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord were the apps assessed in this portion of the study.
The researchers traced raw audio from the applications through the underlying OS's audio driver, and then to the network. This let them determine what happens when a user pushes the mute button.
They discovered that, regardless of the mute status, all programs periodically gathered audio data, except for web clients that used the browser's software mute option.
In all other circumstances, the applications randomly sample audio for a variety of functional or unexplained reasons.
Even while muted, Zoom, the world's most popular video conferencing tool, was found to actively detect whether the user is talking.
According to the study, Cisco Webex was the worst offender, since it continued to collect raw audio data from the user's microphone and transmitted it to the vendor's servers in the same manner as when it was unmuted.
The study’s technical paper states, “Our findings imply that, contrary to the declaration in the privacy policy, Webex monitors, gathers, analyzes, and distributes audio-derived data with its servers when the user is muted.”
“We began a responsible disclosure with Cisco regarding our findings to alert them of the outcomes of our inquiry. Their Webex technical team and Privacy team are currently working on resolving this vulnerability as of February 2022.”
Is there a bigger security issue here?
Even if the issue of misleading user privacy expectations is ignored, this conduct raises a number of security problems.
Even when applications capture minimal audio data while muted, the researchers discovered that using a basic machine learning algorithm, it’s easy to identify what the user is doing 82 percent of the time.
That refers to broad activity categories such as typing, cooking, eating, listening to music, vacuuming, and so on.
Even if the vendors' servers are safe, data connections are encrypted, and their personnel follow stringent anti-abuse policies, a man-in-the-middle attack might expose the target in an unanticipated way.
VCAs are used by high-ranking business executives, members of national security boards, and country-leading politicians, so data leaks while mute is on may be disastrous.
What options do you have?
To begin, read the privacy policy to learn more about how your data is handled and the risks associated with using a certain software product.
Second, if your microphone is attached to your computer by a USB or jack cable, unplug it while you are muted.
Finally, you can use your OS's audio control settings to mute your microphone's input channel, so that every program receives zero-volume audio.
For most users, these are all inconvenient measures, but guaranteeing complete anonymity is definitely worth the extra work in mission-critical situations.
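One way to check the third option on a Linux desktop, as an added example that is not from the study or the original article: it reads the output of `pactl list sources` and `pactl list source-outputs` to report microphones that are not muted at OS level and applications that still hold an open recording stream. It assumes PulseAudio or PipeWire's PulseAudio layer provides `pactl`; the sample output, device names and the application name `example-vca` are constructed.

```python
import re
import shutil
import subprocess

# Constructed sample output in the layout printed by `pactl list sources` and
# `pactl list source-outputs`; device and application names are made up.
SAMPLE_SOURCES = """\
Source #0
    Name: alsa_output.pci-0000_00_1f.3.analog-stereo.monitor
    Mute: no
Source #1
    Name: alsa_input.usb-Example_Mic-00.mono-fallback
    Mute: no
"""
SAMPLE_OUTPUTS = """\
Source Output #7
    Source: 1
    Corked: no
    Mute: no
    Properties:
        application.name = "example-vca"
        application.process.id = "4242"
"""

def parse_blocks(text, header):
    """One dict per '<header> #N' block, holding its 'Key: value' and 'key = "value"' lines."""
    blocks = []
    for line in text.splitlines():
        if re.match(rf"{header} #\d+$", line.strip()):
            blocks.append({})
        elif blocks:
            kv = re.match(r"\s*([\w. ]+?)\s*[:=]\s*(.*)$", line)
            if kv:
                blocks[-1].setdefault(kv.group(1), kv.group(2).strip('"'))
    return blocks

def unmuted_microphones(sources_text):
    """Capture sources not muted at OS level; '.monitor' sources are playback loopbacks, not mics."""
    return [b["Name"] for b in parse_blocks(sources_text, "Source")
            if "Name" in b and not b["Name"].endswith(".monitor") and b.get("Mute") != "yes"]

def live_capture_streams(outputs_text):
    """(application, pid) for every open, uncorked recording stream, whatever the app's own mute shows."""
    return [(b.get("application.name", "?"), b.get("application.process.id", "?"))
            for b in parse_blocks(outputs_text, "Source Output") if b.get("Corked") == "no"]

if __name__ == "__main__":
    live = shutil.which("pactl") is not None
    run = lambda what: subprocess.run(["pactl", "list", what], capture_output=True, text=True).stdout
    print("unmuted microphones:", unmuted_microphones(run("sources") if live else SAMPLE_SOURCES))
    print("recording streams:", live_capture_streams(run("source-outputs") if live else SAMPLE_OUTPUTS))
```

`pactl` output is localised, so run it with `LC_ALL=C` for the field names to match. An empty first list together with a non-empty second list means an application still has the microphone open but receives only silence.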
15th April Update – On the report’s findings, a spokeswoman for Cisco Webex provided Bleeping Computer the following statement:
Cisco is aware of this information and appreciates the researchers’ alerting us to their findings.
The “mute notification” function on Webex uses microphone telemetry data to inform users that they are muted.
Cisco takes product security extremely seriously, and this isn’t a vulnerability in Webex.
Cisco updated the functionality in January 2022 so that microphone telemetry data was no longer transmitted.