A new study shows that pressing the mute button on popular video conferencing apps (VCA) may not actually work like you think it should, with apps still listening in on your microphone.
More specifically, in the studied software, pressing mute does not prevent audio from being transmitted to the apps’ servers, either continually or periodically.
Because this behavior is not documented in the related privacy policies, users have a poor understanding of how the mute system works, falsely assuming that audio input is cut when they activate it.
This misunderstanding is reflected in the first phase of the study, which revolves around surveying 223 VCA users on their expectations when pressing mute.
Most (77.5%) respondents found it unacceptable for the apps to continue to access the microphone and possibly gather data when the mute mode is active.
The study was conducted by a team of researchers at the University of Wisconsin-Madison and the Loyola University in Chicago, who published a paper on their results.
When mute is not really muted
As part of the study, the researchers performed a thorough runtime binary analysis of selected apps to determine what type of data each app collects and whether that data constitutes a privacy risk.
The apps tested in this phase of the study were Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord.
The team traced raw audio transmitted from the apps to the audio driver of the underlying OS, and eventually to the network. This way, they could determine what changes actually occurred when a user presses ‘mute.’
They found that no matter the mute status, all apps occasionally collected audio data, except for web clients that used the browser’s software mute feature.
In all other cases, the apps sample audio intermittently for various functional or unclear reasons.
Zoom, likely the most popular video conferencing app worldwide, was found to actively track whether the user is talking even while they are in mute mode.
The worst case, according to the study, was Cisco Webex, which continued to receive raw audio data from the user’s microphone and transmitted it to the vendor’s servers in precisely the same way it did when unmuted.
“To inform Cisco of our investigation results, we opened a responsible disclosure with Cisco about our findings. As of February 2022, their Webex engineering team and Privacy team are actively working on solving this issue.”
A larger security problem?
Even if the aspect of false user privacy expectations is left aside, several security concerns arise from this behavior.
Even for the apps that collect limited audio data when muted, the researchers found that it’s possible to use that data to decipher what the user is doing 82% of the time, using a simple machine learning algorithm.
That concerns rough activity classification such as keyboard typing, cooking, eating, listening to music, vacuum cleaning, etc.
Even if the vendors secure their servers and encrypt data transmissions, and their employees abide by strict anti-abuse agreements, a man-in-the-middle attack might result in unexpected exposure for the target.
Remember, VCAs are used by high-ranking company executives, members of national security boards, and country-leading politicians, so data leaks while mute is active can be quite damaging.
What can you do?
Secondly, if your microphone is connected to your computer via a USB or jack cable, you may as well unplug it when muted.
Thirdly, you can use your OS’s audio control settings to mute your microphone’s input channel so that any apps will receive zero volume audio.
Those are all cumbersome steps for most users, but for mission-critical cases, ensuring ultimate privacy is well worth the additional effort.
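One way to apply and verify the OS-level mute described above, as an added example that is not part of the original article. It assumes a Linux desktop running PulseAudio or PipeWire's pulse layer with the `pactl` tool; the device names in the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Assumes Linux with PulseAudio or
# PipeWire's pulse layer, where `pactl` controls capture ("source") devices.

# Print the name of every capture source that is NOT muted, reading
# `pactl list sources` text on stdin. Monitor sources are skipped: they loop
# back playback audio and carry no microphone input.
unmuted_sources() {
    awk '
        $1 == "Name:" { name = $2 }
        $1 == "Mute:" && name !~ /\.monitor$/ && $2 != "yes" { print name }
    '
}

# Mute every real capture source, not only the default one, so a second
# microphone (webcam, headset) does not stay live.
mute_all_sources() {
    LC_ALL=C pactl list short sources | while read -r _id name _rest; do
        case "$name" in *.monitor) continue ;; esac
        pactl set-source-mute "$name" 1
    done
}

# Constructed sample of `pactl list sources` output (device names invented).
sample_pactl_output() {
    cat <<'EOF'
Source #0
    Name: alsa_output.pci-constructed.analog-stereo.monitor
    Mute: no
Source #1
    Name: alsa_input.pci-constructed.analog-stereo
    Mute: yes
Source #2
    Name: alsa_input.usb-constructed_webcam.mono-fallback
    Mute: no
EOF
}

# Run with --apply to mute all sources, then fail loudly if any is still live.
if [ "${1:-}" = "--apply" ]; then
    mute_all_sources
    live=$(LC_ALL=C pactl list sources | unmuted_sources)
    if [ -n "$live" ]; then
        echo "still unmuted: $live" >&2
        exit 1
    fi
    echo "all capture sources muted at OS level"
fi
```

Without `--apply` the script changes nothing; pipe `sample_pactl_output` or real `pactl list sources` output into `unmuted_sources` to audit which microphones are still live.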
Update 15 April – A spokesperson for Cisco Webex has sent Bleeping Computer the following statement on the findings of the report:
Cisco is aware of this report, and thanks the researchers for notifying us about their research.
Webex uses microphone telemetry data to tell a user they are muted, referred to as the “mute notification” feature.
Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.