Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Webex Monitors Microphone Even When Muted, Researchers Say

Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to warning from a group of academic researchers.

Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to warning from a group of academic researchers.

According to researchers from the University of Wisconsin-Madison and Loyola University Chicago, popular video conferencing applications (VCAs), including those used within enterprise environments, can actively query the microphone even when the user is muted.

The researchers discovered not only that some applications are continuously monitoring the microphone input when the participant is muted, but also that the telemetry data they transmit to their servers can be used to accurately identify different types of background activities that the users perform.

The issue is that the privacy control mechanism for muting the microphone is application-dependent and has no hardware indicator associated to it, to inform the user of microphone use (the camera, on the other hand, is controlled at the operating system level and also has a led indicator to show when it is in use).

To demonstrate the false sense of privacy that meeting participants have when muting the microphone so as to not be overheard by others, the researchers implemented a proof-of-concept background activity classifier that allowed them to accurately identify six types of common background activities based on the telemetry packets that VCAs sent while a user was muted.

[ READ: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation ]

The researchers looked into the manner in which BlueJeans, Cisco Webex, Discord, Google Meet, GoToMeeting, Jitsi Meet, Microsoft Teams/Skype, Slack, WhereBy, and Zoom (Enterprise), interact with the microphone and discovered that all of them could actively query the microphone even if the user is muted.

According to the research project, native app implementations for major operating systems behave differently compared to their web-based counterparts for unsupported platforms, which request access to the microphone through a web browser.

Most Windows and macOS native VCAs, the researchers explain, “can check if a user is talking even while muted but do not continuously sample audio in the same way as they would while unmuted.” When it comes to web-based apps, however, the browser’s software mute feature is used, which instructs “the microphone driver to completely cut off microphone data.”

What the researchers could not identify, however, was the manner in which Microsoft’s Teams and Skype applications use microphone data when muted, because “they directly make calls to the operating system,” instead of using the standard Windows userland API.

[ READ: Cisco Webex Vulnerability Allows Ghost Access to Meetings ]

“Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button,” the researchers say. “We discovered that while the app was muted, Webex’s audio buffer contains raw audio from the microphone.”

The researchers also discovered that Webex – which is the only project “that continuously samples the microphone while the user is muted” – sent audio-derived telemetry data to its servers on a minute-by-minute basis. They managed to intercept “plaintext [data] immediately before it is passed to the Windows network socket API” and used it to fingerprint background user activities.

“Our user study shows that users are unaware of Webex listening to their microphone while muted. We examined all widely used VCAs and desktop operating systems and pinpointed a potential privacy leakage within Webex. We discovered that while muted, Webex continuously reads audio data from the microphone and transmits statistics of that data once per minute to its telemetry servers,” the academics conclude.

In a statement provided to SecurityWeek, Cisco said the data collected was limited to audio settings.

“In January 2022, researchers discovered audio settings data such as volume and gain – not actual voices or sounds – were detected and collected when users were muted in Webex meetings. This data was intended to support user experience (for example mute notifications, background noise cancellation, volume optimization) and troubleshooting,” the company said.

“In January 2022, Webex stopped the collection of audio settings data relating to troubleshooting while users are on mute; Webex customers can contact Cisco to disable the remaining detection of audio settings, which are required for features we provide even when a user is on mute, such as mute notification and echo cancellation. We appreciate the input of our customers, researchers, and other stakeholders to help us improve our products,” Cisco added.

Related: FBI Warns of BEC Scams Abusing Virtual Meeting Platforms

Related: Webex Vulnerability Exploited to Join Meetings Without Password

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.