Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to warning from a group of academic researchers.
According to researchers from the University of Wisconsin-Madison and Loyola University Chicago, popular video conferencing applications (VCAs), including those used within enterprise environments, can actively query the microphone even when the user is muted.
The researchers discovered not only that some applications are continuously monitoring the microphone input when the participant is muted, but also that the telemetry data they transmit to their servers can be used to accurately identify different types of background activities that the users perform.
The issue is that the privacy control mechanism for muting the microphone is application-dependent and has no hardware indicator associated to it, to inform the user of microphone use (the camera, on the other hand, is controlled at the operating system level and also has a led indicator to show when it is in use).
To demonstrate the false sense of privacy that meeting participants have when muting the microphone so as to not be overheard by others, the researchers implemented a proof-of-concept background activity classifier that allowed them to accurately identify six types of common background activities based on the telemetry packets that VCAs sent while a user was muted.
The researchers looked into the manner in which BlueJeans, Cisco Webex, Discord, Google Meet, GoToMeeting, Jitsi Meet, Microsoft Teams/Skype, Slack, WhereBy, and Zoom (Enterprise), interact with the microphone and discovered that all of them could actively query the microphone even if the user is muted.
According to the research project, native app implementations for major operating systems behave differently compared to their web-based counterparts for unsupported platforms, which request access to the microphone through a web browser.
Most Windows and macOS native VCAs, the researchers explain, “can check if a user is talking even while muted but do not continuously sample audio in the same way as they would while unmuted.” When it comes to web-based apps, however, the browser’s software mute feature is used, which instructs “the microphone driver to completely cut off microphone data.”
What the researchers could not identify, however, was the manner in which Microsoft’s Teams and Skype applications use microphone data when muted, because “they directly make calls to the operating system,” instead of using the standard Windows userland API.
“Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button,” the researchers say. “We discovered that while the app was muted, Webex’s audio buffer contains raw audio from the microphone.”
The researchers also discovered that Webex – which is the only project “that continuously samples the microphone while the user is muted” – sent audio-derived telemetry data to its servers on a minute-by-minute basis. They managed to intercept “plaintext [data] immediately before it is passed to the Windows network socket API” and used it to fingerprint background user activities.
“Our user study shows that users are unaware of Webex listening to their microphone while muted. We examined all widely used VCAs and desktop operating systems and pinpointed a potential privacy leakage within Webex. We discovered that while muted, Webex continuously reads audio data from the microphone and transmits statistics of that data once per minute to its telemetry servers,” the academics conclude.
In a statement provided to SecurityWeek, Cisco said the data collected was limited to audio settings.
“In January 2022, researchers discovered audio settings data such as volume and gain – not actual voices or sounds – were detected and collected when users were muted in Webex meetings. This data was intended to support user experience (for example mute notifications, background noise cancellation, volume optimization) and troubleshooting,” the company said.
“In January 2022, Webex stopped the collection of audio settings data relating to troubleshooting while users are on mute; Webex customers can contact Cisco to disable the remaining detection of audio settings, which are required for features we provide even when a user is on mute, such as mute notification and echo cancellation. We appreciate the input of our customers, researchers, and other stakeholders to help us improve our products,” Cisco added.