This post is also available in:
עברית (Hebrew)
A recent study highlights a surprising vulnerability in video conferencing platforms such as Zoom and Microsoft Teams: even with cameras off, microphones muted, or virtual backgrounds in use, attackers may still be able to determine a user’s physical location.
Researchers at Southern Methodist University (SMU) examined the security of widely used video conferencing apps and found that two-way audio channels can be exploited through a technique called “remote acoustic sensing.” In this method, attackers inject short, carefully designed sounds into a call and analyse the echoes that return. These echoes carry information about the user’s environment, allowing the attacker to infer location details with high accuracy. In tests, the team achieved up to 88% accuracy in identifying locations across multiple settings, including homes, offices, vehicles, and hotels.
The attack works even if the user is careful with microphone use. Even a vigilant user who unmutes only to speak remains vulnerable. Echoes naturally amplify a speaker’s voice because video conferencing platforms apply acoustic suppression when users are silent, which unintentionally strengthens the malicious signal. In some cases, probing sounds can be as brief as 100 milliseconds, which is short enough to be unnoticed.
SMU researchers identified two main attack types: in-channel echo attacks, which bypass standard echo cancellation, and off-channel echo attacks, which exploit everyday sounds such as notifications. Both methods are subtle enough to go undetected, meaning participants cannot rely solely on muting, background noise suppression, or virtual backgrounds to protect themselves.
According to TechXplore, to address these vulnerabilities, the research team is developing server-side defense algorithms. These solutions aim to detect and remove suspicious audio probes before they reach participants, preventing attackers from reconstructing location information.
The findings underscore that video conferencing platforms may not be as secure as commonly assumed. Even routine meetings could expose sensitive location data, highlighting the need for further technical safeguards and awareness about acoustic-based privacy risks.
The research was published here.
