+7
Pending Review

Ability to Mute Microphones On Connect by Default

Sean Keown 2 years ago • updated 2 years ago • 4

A couple of days ago we came across an issue where one technician was able to listen to another technician's private conversation he was having with an HR rep.


What makes it worse is that this becomes a huge security concern. At the moment I'm looking to disable the microphone feature in Control altogether; the only downside is that users will no longer be able to check if the setting is on or off once I do this.


Especially since it will require all users to reinstall their Control client first before everyone is locked out, which means some users will still be able to turn the feature on for a while, while others won't be able to turn it off. 🤔


To set the mood, we have the following set on our platform.

Image 1076


Scenario A - 

1.) A technician connects to a server (say, 2-3 months ago) and sets All Mics to on.

Image 1077



2.) Then at some point another technician uses that same session. Unbeknownst to that technician ( A ), anyone on the line (including the customer) can listen to a private conversation they may be having; this is without the technician doing anything. In our scenario a second technician ( B ) had jumped in and realized they could hear a private conversation going on.

Scenario B -


1.) A technician jumps into a session

2.) Then a second technician jumps into a session. 

3.) Both are working on the same server; either tech could set ( All Mics ) on and listen in on a conversation not intended for them.



Image 1075


Note:
For anyone else using this product, my recommendation is to either turn this feature off or to check that your microphone is muted (in Control) each time you jump into a session.


Note 2: I understand this is also a training for our end users, but I have over 500 users using Control and it becomes very difficult to ensure that everyone fully understands what can happen just by remoting into a PC.

ConnectWise - Give us the ability to mute microphones by default on connect and also set the microphone color to RED to help identify that the microphone is HOT.

We just disabled microphone/recording/audio altogether - that feature alone is a security nightmare waiting to happen.

+2

We just tried changing the bitmask settings and everything looked fine, but users that used the ClickOnce run app will have the bitmask settings cached, meaning they can still access the microphone, and users that have not reinstalled the ScreenConnect client can still access the microphone... 😕 while other users won't be able to see or mute their microphone.

+2

I think the part that bothers me the most is that the bitmask settings are optional, meaning they are controlled on the client end, not the server end. These are not really permissions and seem optional at best.

What's worse is that a tech-savvy user could just re-enable any bitmask settings they want if they found the app.config file.

Bingo, everyone gets access to the audio and any other features you turned off.. NICE..

+2

I thought I would post an update on this. Last week I had recommended turning off the audio feature, but I'm now recommending to leave it enabled but to just disable the select mode. Last week I was too focused on just turning it off and ensuring compliance.


By doing the following, you will ensure that existing users will be able to mute their microphones while users that use the ClickOnce run won't have the old settings cached, along with the users that have not reinstalled, since they will still have the ability to change the microphone settings. This also helps allow the users to mute in case someone bypasses the app.config, since it's optional.


1.) Make sure your default Sound Mode is set to Silent.

2.) Disable the Sound Capture Mode.

3.) Force all users to reinstall the ScreenConnect Client and also clear out their ClickOnce run app cache. (good luck)

4.) Restart all the ScreenConnect services at your customers' sites to force reset the All Mics to Silent.

In the end it should look something like this. Select Mode is grayed out but the Microphone Mute button is still clickable. 



Here's a better diagram of what happened.


I guess our biggest concern was not realizing that users did not have to explicitly share their MICs and also not realizing that the toggle switch stays active until someone restarts the ScreenConnect service at the customer's site. In our case, a prior support session had left the MICs active.

Hope this helps others learn from what we encountered. I'm also hoping that we'll be able to turn this feature back on in the future once there is a setting to mute the microphones on connect (by default).