Boffins at two U.S. universities have found that muting popular native video conferencing apps cannot disable device microphones – and that these apps have the ability to access audio data while muted, or actually do so.
The study is described in a paper entitled “Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps,” by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago) and Kassem Fawaz (University of Wisconsin-Madison).
The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in July.
The authors looked at ten top video conferencing apps (VCAs) and found that the mute buttons presented by native apps cannot disable the microphone in the way that the operating system’s microphone interfaces allow. Web app-based mute buttons, which rely on browser-based or WebRTC controls, turned off the microphone properly.
The problem, the academics say, is that video and audio signals are not handled in a consistent manner. In operating systems such as macOS and Windows, disabling the camera in an app depends on an operating system level control that turns off the camera completely and confirms visually, through the absence of a flashing light, that the camera is inactive.
The software-based mute buttons, they say, are app-dependent and rarely provide a visible indicator when the paired microphone is recording sound. While operating system level controls in control panels can disable microphones – a problem that smart speaker hardware has solved with a physical mute button – app-based mute buttons in native apps do not behave as most people expect.
“We find fragmented microphone data management policies among VCAs – some continuously monitor microphone input under mute, and others do so on a regular basis,” the authors explain in their paper. “One app transmits audio statistics to its telemetry servers while the app is turned off.”
Among the apps examined – Zoom (Enterprise), Slack, Microsoft Teams / Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet and Discord – most presented only limited or theoretical privacy issues.
The researchers found that all of these apps had the ability to record sound when the microphone is turned off, but most did not take advantage of this option. One, however, turned out to take measurements from audio signals, even when the microphone was supposedly off.
“We discovered that all apps in our study could actively query (i.e., download raw audio) the microphone when the user is turned off,” the paper says. “Interestingly, we found in both Windows and macOS that Cisco Webex queries on the microphone regardless of the status of the mute button.”
They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone is turned off.”
Not sound frequency – but volume
This telemetry data is not recorded audio, but an audio-derived value corresponding to the volume level of background activities. Nevertheless, the data proved sufficient for the researchers to construct an 82 percent accurate background activity classifier to analyze the transmission and derive the probable activity among six possibilities – e.g. cooking, cleaning, writing, etc. – in the room where the app is active.
Even worse from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system socket interface, Webex did not.
Kassem Fawaz, assistant professor of electrical and computer engineering at the University of Wisconsin-Madison, told The Register in an email, “We informed Cisco of our results back in January, and they promised to investigate.”
Cisco told The Register that it changed Webex after the researchers made contact so that it no longer transmits microphone telemetry data.
“Cisco is aware of this report and thanks the researchers for notifying us of their research,” a Cisco spokesman said. “Webex uses microphone telemetry data to tell a user that they are turned off, called the ‘mute notification’ feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.”