A group of researchers studying the behaviour of videoconferencing applications have demonstrated that audio can be captured, even though the user has muted their microphone.
In a paper published last week, researchers from the University of Wisconsin-Madison and Chicago’s Loyola University ask the question, “Are you really muted?”
The answer: not always, and most users don’t understand this.
The problem was most observed in Cisco’s Webex when running on Microsoft Windows.
Videoconferencing applications (VCAs) running within browsers are safest, since microphone muting is enforced by the browser, the researchers explained.
“Web apps—implemented in JavaScript— request access to the microphone through a web browser, which generally has more restrictive policies for data collection and more tools that allow the user to control the app’s access to hardware," they wrote.
Apps running natively on the operating system, on the other hand, get their microphone access from the operating system, and the researchers note that "the OS imposes fewer restrictions on native apps than the browser runtime environment imposes on web apps.”
“None of the major operating systems we are aware of support [enforcing] a software mute.”
In Windows, for example, a user can disable the microphone through their control panel settings, but that’s not available as a simple API call to third-party applications.
“This lack of an OS-mediated software mute means each native app must implement its own internal mute functionality," the researchers wrote.
That means it is open to developers to accept a mute, not transmit audio from the user to the meeting, but still capture audio from the microphone, and Cisco’s Webex provided the most striking examples of this.
“More interestingly, we observe that Cisco Webex — unlike the rest of the Windows native VCAs — continuously accesses the microphone while muted,” the paper said.
“Using x64dbg, we were able to trace Webex’s copied audio buffer until that buffer reaches the stack. We discovered that while the app was muted, Webex’s audio buffer contains raw audio from the microphone.”
As one of the researchers, Jack West of Loyola University, told iTnews, there can be good reasons for this.
Raw audio capture can help “maintain smooth transitions from a muted to unmuted state”, for example.
In the case of Webex: “The raw audio was most likely examined for their noise removal feature to maintain consistency during the transition as well.”
Cisco was also receiving telemetry derived from user audio from Webex.
“Since we brought this issue to Cisco's attention, they have stopped transmitting audio telemetry data”, West told iTnews.
Users unaware
The other issue highlighted by the paper is that users generally don’t understand that their VCAs might listen to them when the microphone is muted.
From a survey of 223 individuals, the researchers found most thought apps should only have access to the microphone when the app is running and when the user is unmuted – and most think that is what actually occurs.
“In conclusion, the results from the user study suggest that the user’s understanding of the mute button does not match their expectations of its behaviour,” the paper states.
West told iTnews the research team believes “Microsoft should provide a way to tell the user that their audio buffer is being accessed."
"Therefore, the user is at least aware of what the application maybe able to hear," West said.
“Currently, Microsoft offers a feature here where a user can quickly disable their microphone” he added.
The full research team was West, George Thiruvathukal, and Neil Klingensmith of Loyola University, and Yucheng Yang and Kassem Fawaz of the University of Wisconsin-Madison.
Their research will be presented at the 22nd Privacy Enhancing Technologies Symposium in July, in Sydney.
iTnews asked Microsoft for comment on the research. Microsoft's response, via a spokesperson, was: “To protect user privacy, when the apps are muted, the apps do not send any audio data from the device to our servers.”
