Abstract: In the post-pandemic era, video conferencing applications (VCAs) have converted previously private spaces – bedrooms, living rooms and kitchens – into semi-public extensions of the office. And for the most part, users have accepted these apps into their personal space, without thinking too much about the permission models that govern the use of their personal data in meetings. While access to a device’s video camera is carefully controlled, little has been done to ensure the same level of privacy for microphone access. In this work, we ask the question: what happens to microphone data when a user clicks the mute button in a VCA? We first conduct a user study to analyze users’ understanding of the mute button permission model. Then, using runtime binary analysis tools, we follow the raw audio in many popular VCAs as it passes through the audio driver application to the network. We find fragmented policies for handling microphone data among VCAs – some continuously monitor microphone input while muted, and others do so periodically. An app transmits audio statistics to its telemetry servers while the app is muted. Using the network traffic we intercept en route to the telemetry server, we implement a proof-of-concept background activity classifier and demonstrate the feasibility of inferring ongoing background activity during a meeting – cooking, cleaning, typing, etc. We achieved 81.9% macro accuracy on identifying six common background activities using intercepted outgoing telemetry packets when a user is muted.
The paper will be presented at PETS this year.
*** This is a syndicated blog from the Security Bloggers Network, originally published on Schneier on Security and written by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2022/04/video-conferencing-apps-sometimes-ignore-the-mute-button.html