A new study shows that pressing the mute button on popular video conferencing apps (VCA) may not actually work like you think it should, with apps still listening in on your microphone.
More specifically, in the studied software, pressing mute does not prevent audio from being transmitted to the apps' servers, either continually or periodically.
Due to this activity not being documented in related privacy policies, users have a poor understanding of how the mute system works, falsely assuming that audio input is cut when they activate it.
This misunderstanding is reflected in the first phase of the study, which revolves around surveying 223 VCA users on their expectations when pressing mute.
Most (77.5%) respondents found it unacceptable for the apps to continue to access the microphone and possibly gather data when the mute mode is active.
The study was conducted by a team of researchers at the University of Wisconsin-Madison and the Loyola University in Chicago, who published a paper on their results.
When mute is not really muted
As part of the study, the researchers performed a thorough runtime binary analysis of selected apps to determine what type of data each app collects and whether that data constitutes a privacy risk.
The apps tested in this phase of the study were Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord.
The team traced raw audio transmitted from the apps to the audio driver of the underlying OS, and eventually to the network. This way, they could determine what changes actually occurred when a user presses 'mute.'
They found that no matter the mute status, all apps occasionally collected audio data, except for web clients that used the browser's software mute feature.
In all other cases, the apps sample audio intermittently for various functional or unclear reasons.
Zoom, likely the most popular video conferencing app worldwide, was found to actively track if the user is talking even while they were in mute mode.
The worst case, according to the study, was Cisco Webex, which continued to receive raw audio data from the user's microphone and transmitted it to the vendor's servers in precisely the same way it did when unmuted.
"Our findings suggest that, contrary to the statement in the privacy policy, Webex monitors, collects, processes, and shares with its servers audio-derived data, while the user is muted," reads the technical paper that supports the study.
"To inform Cisco of our investigation results, we opened a responsible disclosure with Cisco about our findings. As of February 2022, their Webex engineering team and Privacy team are actively working on solving this issue."
A larger security problem?
Even if the aspect of false user privacy expectations is left aside, several security concerns arise from this behavior.
Even for the apps that collect limited audio data when muted, the researchers found that it's possible to use that data to decipher what the user is doing 82% of the time, using a simple machine learning algorithm.
That concerns rough activity classification such as keyboard typing, cooking, eating, listening to music, vacuum cleaning, etc.
Even if the vendors secure their servers, encrypt data transmissions, and their employees abide by strict anti-abuse agreements, a man-in-the-middle attack might result in unexpected exposure for the target.
Remember, VCAs are used by high-ranking company executives, members of national security boards, and country-leading politicians, so data leaks while mute is active can be quite damaging.
What can you do?
First, read the privacy policy to understand better how your data is managed and what risks are involved in using a particular software product.
Secondly, if your microphone is connected to your computer via a USB or jack cable, you may as well unplug it when muted.
Thirdly, you can use your OS's audio control settings to mute your microphone's input channel so that any apps will receive zero volume audio.
Those are all cumbersome steps for most users, but for mission-critical cases, ensuring ultimate privacy is well worth the additional effort.
Update 15 April - A spokesperson for Cisco Webex has sent Bleeping Computer the following statement on the findings of the report:
Cisco is aware of this report, and thanks the researchers for notifying us about their research.
Webex uses microphone telemetry data to tell a user they are muted, referred to as the “mute notification” feature.
Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.
In January 2022, Cisco changed the feature to no longer transmit microphone telemetry data.
Comments
fromFirefoxToVivaldi - 2 years ago
>Zoom, likely the most popular video conferencing app worldwide, was found to actively track if the user is talking even while they were in mute mode.
Is this a joke? The app itself warns users that they are muted if they start talking while muted, so it couldn't be more obvious it's listening. I hope they didn't use any taxpayer money for this research.
NoneRain - 2 years ago
The system is capable of detecting sound, withouth sending it to external hosts.
So the app itself IS able of showing you're muted while talking withouth the need of "telemetry" services.
Knowing these companies, we expect they try to collect all stuff possible, but since their terms of service didn't express that clearly, it could cause doubts, or even the assumption that the feature works client-side (as the first paragraph of the article says).
dondreak - 2 years ago
I worry about this all the time. The headset mute is more reliable but even that can fail.
NoneRain - 2 years ago
Don't worry too much about it. It would be too much trouble to try a man-in-the-middle attack just to monitor your calls. It's not easily done, and it would need to be targered on your device/connection.
The concern could be more alarming if you're a CEO of a big company or something like that.
Anyway, PowerToys has an option to disable MIC Windows-side, if I'm not mistaken, and hardware mute, like you said, should be enough too.
Veccon - 2 years ago
How exactly is this news? This has been common knowledge for the longest time. Software mutes do not mute your mic, they just block sound input from your account.
ALWAYS USE THE HARDWARE MUTE IN YOUR MIC. If it doesn't have one, use the mute in the volume control for your PC. Never trust a piece of software to mute you mic. It doesn't, and you will still be recorded if that is a possibility.
Machtyn - 2 years ago
" if your microphone is connected to your computer via a USB or jack cable, you may as well unplug it"
This is actually not that good of advice. Particularly if your computer or laptop has a second microphone, such as an internal mic or mic attached to a headset or external Webcam. The OS will simply switch the input to the next available device.. The best way is a hardware mute or OS level mute.