Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Security

Cisco's Webex App Phoned Home Audio Telemetry Even When Muted (theregister.com) 23

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones -- and that these apps have the ability to access audio data when muted, or actually do so. The research is described in a paper titled, "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing App." The Register reports: Among the apps studied -- Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord -- most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. "We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted," the paper says. "Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button." They found that Webex, every minute or so, sends network packets "containing audio-derived telemetry data to its servers, even when the microphone was muted."

This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities -- e.g. cooking, cleaning, typing, etc. -- in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system's socket interface, Webex did not. "Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API," the paper says, noting that the app's monitoring behavior is inconsistent with the Webex privacy policy. The app's privacy policy states Cisco Webex Meetings does not "monitor or interfere with you your [sic] meeting traffic or content."
After the researchers reached out about their findings, Cisco altered Webex so it no longer transmits microphone telemetry data. "Cisco is aware of this report, and thanks the researchers for notifying us about their research," said a Cisco spokesperson. "Webex uses microphone telemetry data to tell a user they are muted, referred to as the 'mute notification' feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex."
This discussion has been archived. No new comments can be posted.

Cisco's Webex App Phoned Home Audio Telemetry Even When Muted

Comments Filter:
  • by Pierre Pants ( 6554598 ) on Friday April 15, 2022 @08:38PM (#62451092)
    because there are never significant repercussions. The courts and "fines" never pose much trouble, the government doesn't pose any trouble, etc. They'll all keep claiming it was a mistake. It will keep happening and people will keep using shit by all those companies that have been found guilty of various anti-customer shenanigans. There is no rule of law, only rule of money, corruption, ignorance, and indifference.
    • by fedor ( 598123 )
      Exactly! It 's also very disturbing that we need scientists to research and uncover this kind of unethical malware.
    • Apps like Webex don't claim to be suppressing all audio input. The in-app "mute" is simply preventing your audio from being sent to the other "attendees." If you want to mute your input then mute your Mic in the OS, or better yet use a Mic with a physical mute button.
  • by ffejie ( 779512 ) on Friday April 15, 2022 @08:57PM (#62451116)
    How did people think they were doing the alert identifying to the user when their mic was muted? Magic? I suppose you could process this all locally, but there's very little chance of any of these companies doing anything like that when they can easily collect the data and process it centrally where the CPU/network usage is a rounding error. Use a hardware mute. Don't ever trust software if you can control the hardware.
  • by Anonymous Coward

    Didn't Snowden revealed enough to know that Cisco is basically the spying arm of the US govt? What else would you expect?

    • by Anonymous Coward

      You sound like a Trumptard conspiracy theorist! Why would our government spy foreign governments? All governments are already working together for the same NWO.

      • lol! So says the Anonymous Coward, like we have any reason to regard anything you say as anything other than propaganda or spam.
    • No.

      That might have been one of those training PDFs they released in the first 6 months that turned out to be false, and written by people without access (!) to the details of the program.

      Almost everything "reported" in the news in the first 6 months was the stuff that wasn't actually true. Probably because both the leaker and the "journalist" were assets for Mordor.

  • At my last job, I wondered why my boss had a camera cover on his laptop, then I discovered that WebEx just randomly turns the camera with no local settings that seem to change that. At my current job, Citrix seems to access my camera when I connect (I can see the light blink) but I have a cover so it gets nothing.

  • This story belongs in the "Not-Really-All-That-Surprising" dept.

    Either that or in the "I-Should-Be-Shocked-But-I'm-Not" section.

  • I wonder- do the headsets that "turn off" the mic when you flip it to the up position (supposedly the muted position) really turn it off? Probably not.

    They have to have some kind of sensor to detect the position, but is it really breaking the mic connection or is it just telling the software that it's supposed to be muted?

  • by NotEmmanuelGoldstein ( 6423622 ) on Friday April 15, 2022 @11:48PM (#62451350)

    ... ability to access audio data when muted ...

    If one has used recording utilities such as OBS-studio, the status panel makes it clear the built-in microphone is never disabled. "1984" talked of microphones being hidden everywhere and I thought that impossible. Then the smart-phone and 'always-connected' laptop (which technically does shut-down) were invented.

  • I am not surprised by this. People assume a word, such as muted, means no sound is captured when all it means is no sound is transmitted to the other users on the call. Unless yo physical disconnect the mike, or a camera, it is still capable of functioning even if they are turned "off." Sometimes it can be humorous, such as when someone on a call is named Alexa and, well, you get the picture. It is, however, a window on how privacy is gone in the name of convenience.
  • The company known for putting backdoors in their hardware so US agencies can spy on the users. Why am I not supprised they have this in their webex software, which is used by many goverment institutes in other countries.

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...