Surely when you mute yourself on a video conference call, nothing bad can happen and you can just say anything you want without anybody hearing, correct?
Well, possibly not, and that might be a scary thought to those who do video conferencing regularly.
Kassem Fawaz was taken aback when his brother told him that he observed something strange while on a video conference call using his iPhone.
Fawaz said his brother told him that during the call, he noticed that the microphone indicator was still on while he was muted.
“It was obvious that there was some privacy issue associated with microphone access while the user (was) muted,” Fawaz said.
With that in mind, Fawaz, an engineering professor at the University of Wisconsin in Madison, went on a research mission to find out more.
What he and graduate student Yucheng Yang found could be alarming for anyone who spends a lot of time on video calls and is concerned about privacy.
First, Fawaz and Yang tested videoconferencing applications on major operating systems such as iOS, Android, Windows and Mac, to see if the microphones were still accessed by the apps while muted.
“Our most interesting finding was that the vast majority of video conferencing apps retain access to the microphone, even when the user is muted,” Fawaz said. “There is no technical safeguard preventing them for processing the user’s audio (while muted) if they decide to do so.”
In addition, Fawaz said their findings showed that a popular app continuously accessed the microphone even if the user is muted and used that information to send periodic telemetry packets.
“After disclosing our findings, the company stopped this practice,” Fawaz said.
Following that initial investigation, Fawaz and Yang then teamed up with colleagues at Loyola University in Chicago to go more in-depth.
The group looked into the behavior of the mute button on many popular apps, trying to find out what type of data is collected and whether it could reveal personal information.
Runtime binary analysis tools were used to trace raw audio in popular videoconferencing applications when the audio traveled from the app to the computer audio driver, and then to the network when the app was muted.
The findings showed that all of the apps that were tested occasionally gathered raw audio data while mute was activated, with one popular app obtaining information and sending data to its server at the same rate regardless of whether the microphone is muted.
“The most surprising part was the lack of any control preventing the apps from accessing the microphone when the user is muted,” Fawaz said. “For the case of the camera, there is an operating system (OS) control that is connected to a hardware switch of the microphone in most commodity laptops. Turning off the camera from the app engages the OS switch, which engages the hardware switch. The interesting finding is that such a control does not exist for the microphone, and the user is left at the mercy of the apps to behave well.”
The group plans to present their results at the Privacy Enhancing Technologies Symposium in July in Australia.
“Going forward, there is should more hardware and OS-based controls for the microphone,” Fawaz said. “Engaging the mute button from an app should at the very least engage a OS-based control that prevents the app from even accessing the microphone. Connecting this OS-control with some sort of a hardware control that provides a physical assurance to the users would even be better.”