Video conferencing applications overhear users even after pressing the Mute button

After pressing the Mute button
Written by Emma Davis

Researchers have proven that popular video conferencing applications, including those used in corporate environments, continue to actively request the microphone, even after pressing the Mute button.

A study of the problem was published by a group of experts from the University of Wisconsin-Madison and Loyola University of Chicago.

By the way, we also have articles about interesting research on cybersecurity, for example, we wrote that Researcher shows how to extract text from pixelated images.

In fact, the mute buttons provided in the applications themselves may not deactivate the microphone completely, as the operating system interfaces allow.

Experts are going to present a detailed report on this problem at the Privacy Enhancing Technologies Symposium event, which will be held in July 2022.

You might also be interested that Researcher finds that Twitter images can hide up to 3MB of data.

Returning back to the “mute” button, the researchers warn that some applications are constantly monitoring not only microphone input (even when the sound is muted), but also collect telemetry, which is then transmitted to their servers and can be used to pinpoint various types of background user activity.

According to analysts, the main problem is that video and audio signals are processed inconsistently. That is, on macOS and Windows, disabling the camera in an application is tied to an OS-level control that completely disables the camera and provides the user with clear visual confirmation that the camera is not active.

After pressing the Mute button

However, soft mute buttons are application specific and rarely have a visible indicator that the microphone is recording audio. In fact, mute buttons in apps don’t generally behave the way most people expect them to.

In video conferencing applications, we found fragmented policies for working with microphone data: some constantly control microphone input during mute, others do it periodically. One app actually broadcasts audio statistics to its telemetry servers when the app is muted.the experts write.

In general, the researchers studied popular video conferencing products such as BlueJeans, Cisco Webex, Discord, Google Meet, GoToMeeting, Jitsi Meet, Microsoft Teams/Skype, Slack, WhereBy, and Zoom (Enterprise). To prove that the sense of privacy experienced by conference participants when the microphone is muted is false, the experts used a PoC background activity classifier that allowed them to accurately recognize six types of background activity based on telemetry packets sent by applications when the microphone was muted.

Most of the products listed above have some sort of privacy issue, but mostly very limited or only theoretical. That is, all these applications had the ability to capture sound when the microphone is turned off, but most of them never used this ability.

The researchers explain that most native apps for Windows and macOS “can check if the user is talking even if the sound is muted, but they don’t continuously sample the sound in the same way as if the sound was on.”

However, when it comes to web applications, it uses the browser’s software mute feature to force the microphone driver to completely disable microphone data.

At the same time, scientists were unable to determine how the Microsoft Teams and Skype applications use microphone data when mute, because “they directly access the operating system” instead of using the standard Windows API.

It was also found that one of the applications still abused its capabilities and studied the audio signal, even when the microphone was turned off. It turned out that Cisco Webex sends network packets containing telemetry audio to their servers every minute, even if the microphone is muted.

We found that all investigated applications can actively request the microphone (i.e. extract raw audio) when the user is muted. Interestingly, Cisco Webex requests the microphone regardless of the state of the Mute button on both Windows and macOS. Although the app was muted, the Webex Audio Buffer contained unprocessed audio from the microphone.

The researchers emphasize that Webex is the only product that “continuously records data from the microphone when the user’s sound is muted” and transmits telemetry data to its servers every minute. So, the experts were able to intercept data in plain text format and use it for very accurate fingerprinting of background user actions.

Such telemetry is not the actual recorded sound, but a certain value obtained from the sound corresponding to the volume level of various background activities. This data was enough to recognize, with an accuracy of 82%, background activity in the room where the application was active: cooking, cleaning, typing, and so on.

The researchers say they notified Cisco of the issue back in January 2022 so the company could conduct its own investigation. As Cisco representatives have now told the media, the issue has since been resolved:

In January 2022, researchers discovered that data about audio settings such as volume and gain (but not actual voices or sounds) was being recorded and collected when users muted Webex during meetings. This data was intended to support user experience (e.g. disable notifications, suppress background noise, optimize volume) and troubleshoot.

In January 2022, Webex stopped collecting troubleshooting audio settings data if users turned their audio off.the company said.

Webex customers are now encouraged to contact Cisco if they want to permanently eliminate this “snooping” that is required “for features that are active even when the user is muted, such as mute notifications and echo cancellation.”

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.