Have you recently been on a video confefence call, hit the “mute” button and then offered up some nasty comments about a client or a colleague — or even the boss?
Or maybe while in a conference room with colleagues — muted — and pointed out that some proposed action would violate the terms of a secret acquisition in its final stages?
If you were comfortable that the mute button was actively protecting your secret, you shouldn’t have been.
Thanks to some impressive experimentation and research from a group of academics at the University of Wisconsin-Madison and Loyola University Chicago, utterances made while the app is in mute are still captured and saved into RAM.
On one level, this is something we all already knew. When a user is muted and says something, most videoconferencing apps will display a note alerting the user that they’re talking while muted. How could it say that if it weren’t listening while the mute button is on?
Just as Apple’s Siri or Amazon’s Alexa are always listening for a command word, so, too, are those “muted” applications.
The real question is whether those captured utterances are at meaningful risk for being accessed by an attacker or an insider. First, anything saved in volatile memory is lost — theoretically — the instant the machine restarts or shuts down. Therefore, we are looking at the exposure after the utterance is made and before that machine restarts. Depending on the user’s behavior, that timeframe might be a few hours, a couple of days — possibly multiple weeks.
Generally, stealing data from volatile memory is difficult, but not impossible. As the report authors said in a group interview, if a bad guy gets into volatile memory, the user and the enterprise have a lot bigger concerns than some saved utterances during a mute. Still, it could happen.
The mute issue is solely based on the app and how it handles such data.
One of the lead authors of the report is Kassem Fawaz, an assistant professor in the Electrical and Computer Engineering Department at the University of Wisconsin-Madison who is also affiliated with Wisconsin’s Computer Sciences Department.
“The main implications have to do with the inherent trust users are placing in these videoconferencing apps,” Fawaz said. “We did not find evidence of audio leaving the user’s devices. The only exception was telemetry data leaving from Cisco Webex, which has been fixed since our disclosure to Ciscom. However, even when the user presses the mute button, the app still has access to the audio stream and the user is trusting that the app is well-behaved. The other implication is that the mute functionality — similar to turning off the camera — should not be left to the app, but should be either OS-controlled or hardware-controlled.”
Fawaz’s point about the camera is that the team found that a camera “off” button truly halted any video from being captured in any way. Not so much with audio. Sometimes, the browser can make a difference.
“On Chrome, mute means mute,” Fawaz said. “We can’t say about Safari or Firefox.”
The university’s report was mostly about trust in the app makers. If the vendors are acting honorably and respecting privacy, cybersecurity, and security compliance issues, then the risk is minimal. If they are not acting that way, users and enterprises could be in trouble.
The report didn’t draw conclusions on how the app makers were behaving, but merely stressed that each one can go in its own direction.
That said, the rules of secrecy and even the rules of being a nice person should apply here. With the imminent-acquisition scenario, if you’re not allowed to discuss certain details, don’t say them in front of a microphone with outsiders regardless of what the mute toggle displays. As for being nice, how about not saying nasty comments about your colleagues or clients at all?
The cardinal rule of email and security/compliance is, “Before you type an email/message, envision yourself testifying to it in open court. If that makes you uncomfortable, don’t type it.” It’s not a far leap to extend that rule to speaking something in front of a microphone.
For example, I use an Apple Watch. Several times during a typical day, it will say loudly “I didn’t understand that” or “Here’s what I found on that topic.” Although it is highly annoying and frustrating, it’s an effective reminder that I need to take that watch off before saying anything that I don’t want the world to know.
You need to keep in mind the same thing when using a mobile device or a desktop device — especially while using a videoconferencing app.