Cisco's Webex app phoned home audio telemetry even when muted

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones – and that these apps have the ability to access audio data when muted, or actually do so.

The research is described in a paper titled, "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps," [PDF] by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), and Kassem Fawaz (University of Wisconsin-Madison).

The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in July.

The authors looked at ten top video conferencing apps (VCAs) and found that the mute buttons presented by native apps fail to deactivate the microphone in the way that operating system mic interfaces allow. Web-app-based mute buttons, which rely on browser-based or WebRTC controls, turned the mic off properly.

The problem, the academics say, is that video and audio signals don't get handled in a consistent manner. In operating systems like macOS and Windows, disabling the camera in an app relies on an operating-system-level control that turns the camera off completely and provides visual confirmation that the camera is inactive by the absence of a blinking light.

The software-based mute buttons, they say, are app-dependent and seldom provide a visible indicator when the associated mic is capturing audio. While operating-system-level controls, via control panels, can disable mics – an issue smart speaker hardware has addressed with a physical off button for the mic – app-based mute buttons in native apps don't behave the way most people expect.

One app transmits statistics of the audio to its telemetry servers while the app is muted

"We find fragmented policies for dealing with microphone data among VCAs — some continuously monitor the microphone input during mute, and others do so periodically," the authors explain in their paper. "One app transmits statistics of the audio to its telemetry servers while the app is muted."

Among the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord – most presented only limited or theoretical privacy concerns.

The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off.

"We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted," the paper says. "Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button."

They found that Webex, every minute or so, sends network packets "containing audio-derived telemetry data to its servers, even when the microphone was muted."

Not sound frequency – but volume

This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities – e.g. cooking, cleaning, typing, etc. – in the room where the app is active.

Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system's socket interface, Webex did not.

"Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API," the paper says, noting that the app's monitoring behavior is inconsistent with the Webex privacy policy.

The app's privacy policy states Cisco Webex Meetings does not "monitor or interfere with you your [sic] meeting traffic or content."

Kassem Fawaz, assistant professor of electrical and computer engineering at the University of Wisconsin–Madison, told The Register in an email, "We informed Cisco about our findings back in January and they promised to investigate."

Cisco told The Register that it altered Webex after the researchers got in touch so that it no longer transmits microphone telemetry data.

"Cisco is aware of this report, and thanks the researchers for notifying us about their research," said a Cisco spokesperson. "Webex uses microphone telemetry data to tell a user they are muted, referred to as the 'mute notification' feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex." ®