Data protection: Cisco Webex phoned home even when muted

Muting frequently used video conferencing software does not mean that the device's microphone is actually deactivated. Rather, the programs can still access audio data, and in some cases they make use of it. This was discovered by US scientists from Loyola University in Chicago and the University of Wisconsin-Madison.

The researchers have now published the results of their analysis in a 21-page paper for the proceedings of a conference on “Privacy through Technology”. Among other things, they examined the enterprise version of Zoom, Slack, Teams and Skype from Microsoft, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet and Discord.

Most of these applications raised only limited or theoretical privacy concerns among the experts. In principle, they found that all of these systems, which have often been hard to avoid, especially during the corona pandemic, are able to record audio even when the microphone is set to “mute”. However, they found only one app that actually uses this ability to measure audio signals.

“We discovered that all of the applications in our study were able to actively query the microphone (i.e. retrieve raw audio signals) when the user was muted,” the study states. Interestingly, it turned out that Cisco Webex queried the microphone “regardless of the status of the mute button” on both Windows and macOS.

According to the team, Webex sends network packets containing audio telemetry data to Cisco servers about every minute in any case. These readings are not recorded sound, but a derived value that represents the loudness level of background activity. Nevertheless, the data was sufficient for the researchers to identify activities in the room where the device was used with a hit rate of 82 percent. The tool they built analyzed the transmission and selected the most likely activity from six possible activities such as cooking, cleaning or typing on the keyboard.

Anyone who uses the browser versions rather than the native app for video conferences is not affected by the problem. The browser versions use the “mute” feature of the WebRTC standard for real-time communication, which cleanly turns off the microphone.

According to the scientists, the stumbling block is that the native programs do not handle video and audio signals uniformly. On macOS and Windows, deactivating the camera in an app relies on a control at the operating system level, which is implemented well and is also visually signaled to the user. The software-based mute buttons, on the other hand, depend on the respective applications and only rarely indicate when the associated microphone is recording sound.

From a security perspective, the team considered it even more serious that Webex was the only one of the conference systems examined that did not continuously encrypt the outgoing data stream. Only with the Cisco solution were they able to intercept the plaintext just before it was passed to the Windows network sockets interface (API). In general, the app’s monitoring precautions are not compatible with Webex’s data protection regulations, which state that the program “neither monitors nor interferes with the data traffic or the content of meetings”.

According to the online magazine The Register, after the researchers had informed Cisco about their findings, the company has now ensured that Webex no longer transmits microphone telemetry data. At the same time, a spokesman defended the phoning home: Webex used the readings “to let a user know they’re muted.” The data thus supported a corresponding notification function. It was not a vulnerability in the system.

In Germany, the federal and state data protection officers recommended as early as 2020 in a guide to “carefully check” video conferencing systems from US providers before use. Companies, government agencies and other organizations could not readily use solutions such as Teams, Skype, Zoom, Google Meet, GoToMeeting and Cisco WebEx. According to the data protection officials, anyone who relies on the alternative of standard contractual clauses for data export after the Privacy Shield was overturned must “analyze the legal situation in the third country with regard to official access and legal protection options for data subjects before the start of the transfer”. Webex & Co. have long been on the red list of the Berlin data protection authority.


(tw)
