Cisco’s Webex phoned home audio telemetry even when muted • The Register

Researchers from two US universities have found that muting popular native video conferencing apps fails to mute the device’s microphone, and that these apps have the ability to access audio data when muted, or actually do so.

The research is described in a paper titled “Are you really muted?: An Analysis of Mute Button Privacy in Video Conferencing Apps” [PDF], by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), and Kassem Fawaz (University of Wisconsin-Madison).

The paper is scheduled to be presented at the Privacy Technologies Symposium in July.

The authors reviewed the top ten video conferencing apps (VCAs) and found that the mute buttons in native apps failed to mute the microphone in the way the operating system’s mic interfaces allow. Web-based mute buttons, which rely on browser-based commands or WebRTC, correctly muted the mic.

The problem, according to the academics, is that video and audio signals are not handled consistently. In operating systems such as macOS and Windows, disabling the camera in an application relies on an operating system-level control that completely turns off the camera and gives visual confirmation that the camera is inactive by the absence of the camera’s indicator light.

Software-based mute buttons, they say, are application dependent and rarely provide a visible indicator when the associated mic is picking up audio. While OS-level commands, via control panels, can mute the mics – a problem that smart speaker hardware solved with a physical mute button for the mic – the app-based mute buttons in native apps don’t behave the way most people expect.

An app sends audio statistics to its telemetry servers while the app is muted

“We find fragmented policies for handling microphone data among VCAs – some continuously monitor microphone input during muting, and others do so periodically,” the authors explain in their paper. “An application transmits audio statistics to its telemetry servers while the application is muted.”

Of the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet and Discord – most had only limited or theoretical privacy issues.

Researchers found that all of these apps had the ability to capture audio when the mic is muted, but most didn’t take advantage of this capability. One, however, was found to take measurements from audio signals even when the mic was supposed to be off.

“We found that all of the apps in our study could actively poll (i.e. retrieve raw audio) the microphone when the user is muted,” the paper said. “Interestingly, on Windows and macOS, we found that Cisco Webex polls the microphone regardless of the state of the mute button.”

They found that Webex, every minute or so, sent network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.”

No sound frequency – but volume

This telemetry data is not recorded sound but a value derived from the audio that corresponds to the volume level of background activity. Nevertheless, the data proved sufficient for the researchers to construct an 82% accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities – e.g. cooking, cleaning, typing, etc. – in the room where the application is active.

Worse still from a security perspective, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not.


“Only in Webex were we able to intercept plaintext immediately before it was passed to the Windows Network Socket API,” the paper says, noting that the application’s monitoring behavior is inconsistent with the Webex Privacy Policy.

The app’s privacy policy states that Cisco Webex Meetings does not “monitor or interfere with your [sic] meeting traffic or content.”

Kassem Fawaz, assistant professor of electrical and computer engineering at the University of Wisconsin-Madison, told The Register in an email, “We notified Cisco of our findings in January and they promised to investigate.”

Cisco told The Register that it modified Webex after the researchers made contact so that it would no longer transmit microphone telemetry data.

“Cisco is aware of this report and thanks the researchers for informing us of their research,” a Cisco spokesperson said. “Webex uses telemetry data from the microphone to notify a user that they are muted, which is called the ‘mute notification’ feature. Cisco takes the security of its products very seriously, and it is not a vulnerability in Webex.”