Video call

Think the video call mute button is protecting you? Think again

Have you recently been on a video conference call, pressed the mute button, and then made nasty comments about a client or coworker — or even the boss?

Or maybe while you were in a conference room with colleagues – muted – and pointed out that a proposed action would violate the terms of a secret acquisition in its final stage?

If you were convinced that the mute button was actively protecting your secret, you shouldn’t have been.

Thanks to impressive experiments and looking for a group of academics at the University of Wisconsin-Madison and Loyola University Chicago, utterances made while the application is muted are still captured and saved to RAM.

On some level, this is something we all already knew. When a user is muted and says something, most video conferencing apps display a note warning the user that they are speaking in silent mode. How could he say that if he wasn’t listening when the mute button was on?

Just as Apple’s Siri or Amazon’s Alexa are always listening for a command word, so are these “muted” apps.

The real question is whether these captured utterances are at significant risk of being viewed by an attacker or insider. First of all, everything saved in volatile memory is lost – theoretically – the instant the machine restarts or shuts down. Therefore, we examine the exposition after the utterance has been spoken and before this machine restarts. Depending on the behavior of the user, this delay can be a few hours, a few days, or even several weeks.

Generally, stealing data from volatile memory is difficult, but not impossible. As the report’s authors said in a group interview, if a bad guy breaks into volatile memory, both the user and the company have far greater concerns than some recorded utterances when muted. . Yet, it could happen.

The mute issue is solely based on the app and how it handles this data.

One of the main authors of the report is Kassem Fawaz, assistant professor at the Electrical and computer engineering Department of the University of Wisconsin-Madison which is also affiliated with the Wisconsin Department of Computer Science.

“The main implications have to do with the inherent trust that users place in these video conferencing applications,” Fawaz said. “We found no evidence of audio output from user devices. The only exception was telemetry data originating from Cisco Webex, which has been corrected since our disclosure to Ciscom. However, even when the user presses the mute button, the app still has access to the audio stream and the user is confident that the app is behaving well. The other implication is that mute functionality – similar to turning off the camera – should not be left to the application, but should be controlled by the operating system or the hardware.

Fawaz’s point about the camera is that the team discovered that a camera “off” button really prevented any video from being captured in any way. Not so much with audio. Sometimes the browser can make a difference.

“On Chrome, mute means mute,” Fawaz said. “We can’t say the same about Safari or Firefox.”

The university’s report focused primarily on trust in app makers. If vendors act honorably and adhere to privacy, cybersecurity, and security compliance issues, the risk is minimal. If they are do not doing so could put users and businesses in trouble.

The report did not draw conclusions about the behavior of app makers, but simply pointed out that each can go in its own direction.

That said, the rules of secrecy and even the rules of being a nice person should apply here. With the imminent acquisition scenario, if you are not allowed to discuss certain details, do not say them in front of a microphone with strangers, no matter what the mute toggle shows. As for being nice, how about not saying nasty comments about your colleagues or clients at all?

The cardinal rule of email and security/compliance is: “Before typing an email/message, imagine yourself testifying about it in open court. If it makes you feel uncomfortable, don’t Don’t type it in. It’s not hard to extend this rule to speaking something into a microphone.

For example, I use an Apple Watch. Several times in a typical day, he will say aloud “I didn’t understand that” or “Here’s what I found on this subject”. Although it’s very annoying and frustrating, it’s an effective reminder that I need to take this watch off before I say anything I don’t want the world to know.

You should keep the same in mind when using a mobile device or a desktop device, especially when using a video conferencing application.

Copyright © 2022 IDG Communications, Inc.