When ‘mute’ really isn’t mute: how reliable are muting buttons?

Does pressing the ‘mute’ button in a video conference (VCA) really cut off the audio input as many think? For many, a new study with popular applications may surprise: the mute button does not prevent the audio from being captured and transmitted, in a continuous and periodic way, to the servers of these programs.

Activity that is not documented in the privacy policies of these applications further contributes to the poor understanding of how these systems work, assuming that the audio input hears nothing when ‘mutated’.

The study of 223 VCA users on their respective expectations of mute mode was conducted by researchers at the University of Wisconsin-Madison and Loyola University in Chicago, who published an article showing the results.

For 77.5% of respondents, it is unacceptable for applications to continue to access the microphone and possibly collect data when mute is active.

When the mute mode is not so mute

To determine what kind of data each application collects, the researchers performed a full binary analysis of the selected software. In this phase of the study, Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord were considered.

Tested VCA Clients – the circle represents the web version. Image: wiscprivacy

The team traced the raw audio streamed from the applications to the underlying operating system’s audio driver and ultimately to the network. In this way, it would be possible to determine what changes actually took place when a user presses ‘mute’.

The researchers found that no matter what the mute status, all applications occasionally collected audio data, except for web clients that used the browser software’s mute feature. In all other cases, apps collected audio intermittently for unclear or functional reasons.

Zoom, probably one of the most popular video conferencing apps in the world, was caught actively tracking users’ speech while the mute button was active.

When 'mute' really isn't mute: how reliable are muting buttons?

VCA audio data stream on Windows 10. Image: wiscprivacy

However, the worst case, according to the study, was Cisco WebEx, which continued to send the raw audio data from the user’s microphone to the vendor’s servers exactly as if it was active, completely ignoring the mute button press.

“Our findings suggest that, contrary to the privacy policy statement, Webex monitors, collects, processes and shares audio data with its servers while the user is muted.” technical document that support the study.

“To inform Cisco of the results of our investigation, we have opened a responsible disclosure with Cisco of our findings.” As of February 2022, the Webex engineering team and its privacy team will actively work to resolve this issue.”

Open microphone: a security issue

In addition to the aspect of users’ false expectations of privacy being left aside, security issues begin to arise from this behavior.

Even though some collect limited audio when muted, the researchers found that it is possible to use this data to decipher what the user is doing 82% of the time, using the simple machine learning algorithm.

When 'mute' really isn't mute: how reliable are muting buttons?

Audio data classification clusters. Image: wiscprivacy

Even if vendors secure servers, encrypt data transmissions, and employees abide by the strictest anti-abuse agreements, unexpected exposure of this data can occur with a man-in-the-middle attack.

This type of attack could compromise not only high-ranking executives, but communications from members of national security councils and other leaders of a country, as the attacker secretly relays and possibly alters communications between parties believed to be talking directly.

Before using any app…

  1. Read the privacy policy to understand how data will be managed and what risks are involved in using this software;
  2. If you use headphones with a microphone and the microphone is directly connected to the computer, either by USB or connector, it is possible to force the mute by disconnecting it from the CPU. For cases of built-in microphone, the tip is not valid;
  3. You can use the operating system’s own audio control settings to actually mute the microphone input channel so that used VCA applications do not continue to receive unauthorized audio.

While a bit of a pain for some, ensuring ultimate privacy is well worth the extra effort.

After reporting the issue with the WebEx app, Cisco said it was aware of the report, sending it to BleepingComputer a statement about the conclusions of the study. “WebEx uses microphone telemetry data to tell a user that they are muted, referred to as the ‘notification muted’ feature.”

According to the company, this is a WebEx vulnerability. In January 2022, Cisco changed the feature to no longer transmit telemetry data from microphones.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *