The ‘Mute’ button in conference apps may not turn off your microphone

A new study shows that pressing the mute button in popular video conferencing apps (VCAs) may not work the way you think it does, with apps still listening to your microphone.

More specifically, in the software studied, pressing mute does not prevent audio from being transmitted to the app's servers, either continuously or periodically.

Because this activity is not documented in the related privacy policies, users have a poor understanding of how the mute function works and mistakenly assume that audio input is cut off when they activate it.

This misconception is reflected in the first phase of the study, which surveyed 223 VCA users about their expectations when pressing mute.

Most (77.5%) respondents found it unacceptable that apps continue to access the microphone and possibly collect data when the mute mode is active.

The study was conducted by a team of researchers at the University of Wisconsin-Madison and Loyola University in Chicago, who published a paper on their findings.

When mute does not really mute

As part of the study, the researchers conducted a thorough runtime binary analysis of selected apps to determine what type of data each app collects and whether that data poses a privacy risk.

The apps tested in this phase of the study were Zoom, Slack, MS Teams / Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet and Discord.

VCA clients tested – circle is web app

The team tracked raw audio transmitted from apps to the audio driver in the underlying OS and eventually to the network. This way, they could determine what changes actually occurred when a user pressed ‘mute’.

They found that regardless of mute status, all apps occasionally collected audio data, except web clients that used the browser’s software mute feature.

In all other cases, apps sample sound intermittently for various functional or obscure reasons.

Zoom, arguably the most popular video conferencing app worldwide, was found to actively track whether the user is talking, even while in mute mode.

VCA audio data flow on Windows 10 (wiscprivacy)

The worst-case scenario, according to the investigation, was Cisco Webex, which continued to receive raw audio data from the user's microphone and transmitted it to the vendor's servers in exactly the same way as it did when the user was not muted.

“Our results suggest that, contrary to the privacy statement, Webex monitors, collects, processes and shares audio-derived data with its servers while the user is attenuated,” reads the technical paper supporting the study.

“To inform Cisco of our survey results, we opened a responsible disclosure with Cisco of our findings. As of February 2022, their Webex engineering team and privacy team are actively working to address this issue.”

A major security issue?

Even setting aside the false privacy expectations of users, several security issues arise as a result of this behavior.

Even for apps that collect only limited audio data while muted, the researchers found that it is possible to use this data to infer what the user is doing 82% of the time, using a simple machine learning algorithm.

This refers to coarse activity classification, such as keyboard typing, cooking, eating, listening to music, vacuuming, etc.

Audio data classification clusters (wiscprivacy)

Although providers secure their servers and encrypt data transmissions, and their employees adhere to strict anti-abuse agreements, a man-in-the-middle attack can still result in unexpected exposure for the target.

Keep in mind that VCAs are used by senior business leaders, members of national security councils, and politicians leading countries, so data leakage while mute is active can be quite damaging.

What can you do?

First, read the privacy policy to better understand how your data is managed and the risks involved in using a particular software product.

Second, if your microphone is connected to your computer via a USB or jack cable, you might as well unplug it when you are muted.

Third, you can use your operating system’s audio control settings to mute the microphone input channel so that all apps will receive zero volume audio.

These are all cumbersome steps for most users, but for mission-critical cases, ensuring the utmost privacy is worth the extra effort.
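As an added illustration of the third step (not from the study or the original article), the shell functions below mute every microphone source at the sound-server level on a Linux desktop and then verify the result. They assume PulseAudio, or PipeWire with pipewire-pulse, and the `pactl` tool; the sample output, device names and the `--apply` switch are constructed for this example.

```shell
#!/bin/sh
# Added example: enforce and verify an OS-level microphone mute on Linux.
# Assumption: PulseAudio or PipeWire (pipewire-pulse) with `pactl` installed.

# Print the names of capture sources that are NOT muted.
# Reads the text of `LC_ALL=C pactl list sources` on stdin, so saved output
# can be checked too. Names ending in ".monitor" are loopbacks of speaker
# output, not microphones, and are skipped.
unmuted_sources() {
    awk '
        $1 == "Name:" { name = $2 }
        $1 == "Mute:" && $2 == "no" && name !~ /\.monitor$/ { print name }
    '
}

# Mute every microphone source in the sound server, then verify.
# Returns non-zero if any microphone is still live afterwards.
mute_all_mics() {
    LC_ALL=C pactl list short sources | awk '$2 !~ /\.monitor$/ { print $2 }' |
    while read -r src; do
        pactl set-source-mute "$src" 1
    done
    left=$(LC_ALL=C pactl list sources | unmuted_sources)
    if [ -n "$left" ]; then
        echo "still unmuted: $left" >&2
        return 1
    fi
    echo "all microphone sources muted"
}

# Constructed, trimmed sample of `pactl list sources` output for offline use.
sample_pactl_output() {
    cat <<'EOF'
Source #0
    Name: alsa_output.pci-0000_00_1f.3.analog-stereo.monitor
    Mute: no
Source #1
    Name: alsa_input.usb-Example_Webcam-00.mono-fallback
    Mute: no
Source #2
    Name: alsa_input.pci-0000_00_1f.3.analog-stereo
    Mute: yes
EOF
}

# Touch the real sound server only when asked: sh mute-mics.sh --apply
if [ "${1:-}" = "--apply" ]; then mute_all_mics; fi
```

Running the check again after a device is plugged in is worthwhile, because a newly attached USB microphone appears as a new source with its own mute state.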

Update April 15: A Cisco Webex spokesman has sent the following statement to Bleeping Computer about the results of the report:

Cisco is aware of this report and thanks the researchers for notifying us of their research.

Webex uses microphone telemetry data to tell a user that they are turned off, called the “mute notification” feature.

Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.
