Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Webex Monitors Microphone Even When Muted, Researchers Say

Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to warning from a group of academic researchers.

Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to warning from a group of academic researchers.

According to researchers from the University of Wisconsin-Madison and Loyola University Chicago, popular video conferencing applications (VCAs), including those used within enterprise environments, can actively query the microphone even when the user is muted.

The researchers discovered not only that some applications are continuously monitoring the microphone input when the participant is muted, but also that the telemetry data they transmit to their servers can be used to accurately identify different types of background activities that the users perform.

The issue is that the privacy control mechanism for muting the microphone is application-dependent and has no hardware indicator associated to it, to inform the user of microphone use (the camera, on the other hand, is controlled at the operating system level and also has a led indicator to show when it is in use).

To demonstrate the false sense of privacy that meeting participants have when muting the microphone so as to not be overheard by others, the researchers implemented a proof-of-concept background activity classifier that allowed them to accurately identify six types of common background activities based on the telemetry packets that VCAs sent while a user was muted.

[ READ: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation ]

The researchers looked into the manner in which BlueJeans, Cisco Webex, Discord, Google Meet, GoToMeeting, Jitsi Meet, Microsoft Teams/Skype, Slack, WhereBy, and Zoom (Enterprise), interact with the microphone and discovered that all of them could actively query the microphone even if the user is muted.

According to the research project, native app implementations for major operating systems behave differently compared to their web-based counterparts for unsupported platforms, which request access to the microphone through a web browser.

Most Windows and macOS native VCAs, the researchers explain, “can check if a user is talking even while muted but do not continuously sample audio in the same way as they would while unmuted.” When it comes to web-based apps, however, the browser’s software mute feature is used, which instructs “the microphone driver to completely cut off microphone data.”

What the researchers could not identify, however, was the manner in which Microsoft’s Teams and Skype applications use microphone data when muted, because “they directly make calls to the operating system,” instead of using the standard Windows userland API.

[ READ: Cisco Webex Vulnerability Allows Ghost Access to Meetings ]

“Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button,” the researchers say. “We discovered that while the app was muted, Webex’s audio buffer contains raw audio from the microphone.”

The researchers also discovered that Webex – which is the only project “that continuously samples the microphone while the user is muted” – sent audio-derived telemetry data to its servers on a minute-by-minute basis. They managed to intercept “plaintext [data] immediately before it is passed to the Windows network socket API” and used it to fingerprint background user activities.

“Our user study shows that users are unaware of Webex listening to their microphone while muted. We examined all widely used VCAs and desktop operating systems and pinpointed a potential privacy leakage within Webex. We discovered that while muted, Webex continuously reads audio data from the microphone and transmits statistics of that data once per minute to its telemetry servers,” the academics conclude.

In a statement provided to SecurityWeek, Cisco said the data collected was limited to audio settings.

“In January 2022, researchers discovered audio settings data such as volume and gain – not actual voices or sounds – were detected and collected when users were muted in Webex meetings. This data was intended to support user experience (for example mute notifications, background noise cancellation, volume optimization) and troubleshooting,” the company said.

“In January 2022, Webex stopped the collection of audio settings data relating to troubleshooting while users are on mute; Webex customers can contact Cisco to disable the remaining detection of audio settings, which are required for features we provide even when a user is on mute, such as mute notification and echo cancellation. We appreciate the input of our customers, researchers, and other stakeholders to help us improve our products,” Cisco added.

Related: FBI Warns of BEC Scams Abusing Virtual Meeting Platforms

Related: Webex Vulnerability Exploited to Join Meetings Without Password

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.