If you use Cisco WebEx to meet with people, you should be aware that it will phone home audio telemetry according to some research performed on the most popular conferencing apps out there and reported by The Register. And muting the app has zero effect on this:
Among the apps studied — Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord — most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. “We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted,” the paper says. “Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button.” They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.”
This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities — e.g. cooking, cleaning, typing, etc. — in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not. “Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API,” the paper says, noting that the app’s monitoring behavior is inconsistent with the Webex privacy policy. The app’s privacy policy states Cisco Webex Meetings does not “monitor or interfere with you your [sic] meeting traffic or content.”
Well, clearly what is in their privacy policy is at best inconsistent with what they actually do. And at worst it’s a lie. But don’t worry, Cisco “fixed” this after it was pointed out to them:
Cisco toldĀ The RegisterĀ that it altered Webex after the researchers got in touch so that it no longer transmits microphone telemetry data.
“Cisco is aware of this report, and thanks the researchers for notifying us about their research,” said a Cisco spokesperson. “Webex uses microphone telemetry data to tell a user they are muted, referred to as the ‘mute notification’ feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.”
No it’s not a vulnerability. But it’s pretty bad from an optics standpoint and from a trust standpoint. Hopefully they don’t have anything else in their products that someone can trip over and call them out on. Because that’s won’t end well from a PR standpoint.
Cisco WebEx Phones Home Audio Home Even When Muted…. WTF?
Posted in Commentary with tags Cisco on April 16, 2022 by itnerdIf you use Cisco WebEx to meet with people, you should be aware that it will phone home audio telemetry according to some research performed on the most popular conferencing apps out there and reported by The Register. And muting the app has zero effect on this:
Among the apps studied — Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord — most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. “We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted,” the paper says. “Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button.” They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.”
This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities — e.g. cooking, cleaning, typing, etc. — in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not. “Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API,” the paper says, noting that the app’s monitoring behavior is inconsistent with the Webex privacy policy. The app’s privacy policy states Cisco Webex Meetings does not “monitor or interfere with you your [sic] meeting traffic or content.”
Well, clearly what is in their privacy policy is at best inconsistent with what they actually do. And at worst it’s a lie. But don’t worry, Cisco “fixed” this after it was pointed out to them:
Cisco toldĀ The RegisterĀ that it altered Webex after the researchers got in touch so that it no longer transmits microphone telemetry data.
“Cisco is aware of this report, and thanks the researchers for notifying us about their research,” said a Cisco spokesperson. “Webex uses microphone telemetry data to tell a user they are muted, referred to as the ‘mute notification’ feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.”
No it’s not a vulnerability. But it’s pretty bad from an optics standpoint and from a trust standpoint. Hopefully they don’t have anything else in their products that someone can trip over and call them out on. Because that’s won’t end well from a PR standpoint.
Leave a comment »