Slashdot Mirror


TeamViewer Denies Being Hacked, Blames Users, Introduces New Security Measures (betanews.com)

Mark Wilson writes: In the last couple of weeks there have been a huge number of reports from TeamViewer users that their computers have been hijacked. In addition to this, users of the remote access tool have complained of funds being extracted from PayPal and bank accounts. But TeamViewer insists that there has not been a security breach, instead shifting the blame to users.

The company says [users] are in the habit of reusing the same passwords for a number of apps and services. It suggests that recent high profile security breaches -- such as the password dumps from MySpace and LinkedIn -- have allowed cyber criminals to learn TeamViewer login credentials.

"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users," reads the company's statement. But they will now notify users whenever a new device logs in to a TeamViewer account, and in the future will also require a new password whenever suspicious account activity is detected.

65 comments

  1. Can't fix stupid by Anonymous Coward · · Score: 0

    N/T

  2. Duplicate? by CaptainDork · · Score: 1
    --
    It little behooves the best of us to comment on the rest of us.
  3. Wish it was that simple by Anonymous Coward · · Score: 4, Informative

    But people are reporting unique, long passwords on their TV accounts being useless. And at least one case where a person was able to log in to a PC even through 2FA authentication.

    Either this is just a wide configuration error in the TV client made by unknowing users, or someone is lying.

    1. Re:Wish it was that simple by slaker · · Score: 1

      Is that the IBM employee who was whining about it on Reddit? Instead of, I don't know, an official IBM channel?

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    2. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      Judging by the reddit posts there are quite a few people who had their system compromised even though they used 2FA authentication.

    3. Re:Wish it was that simple by Anonymous Coward · · Score: 1

      So is two factor authentication authentication (2FA authentication) the same as three factor authentication? Perhaps if they added the use of a PIN number it would be better better.

    4. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      Can I weasel my way out of this by saying 2 FActor?

    5. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      That's not what 2FA stands for.

      Password + Pin is still 1FA

      In Security there is the great Breakdown

      Something you Know (Password / Pin)
      Something you Have (Soft Token / Hard Token / Smart Card)
      Something you are (Biometrics)
      Something you do (How you sign your name, how you type, that kind of thing).

      If True 2FA was being used in the case of these team viewer breaches, an outside password compromise should be literally useless without the accompanying Soft Key

    6. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      From how I've used TV, 2FA is only for web and local TV access.
      If you remote into a computer, you only need the ID and unattended password.
      How they get the username & unattended password is anyone's guess. Also; anyone using grant easy access in TV is a lazy idiot.

    7. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      I think a lot of people who got compromised are confusing two different login mechanisms here.

      AFAIK, TeamViewer's 2FA only protects logging into your account, like if you want to change your email address or update your billing preferences. It doesn't protect the software.

      Connections to the TeamViewer software running on your computer aren't protected by 2FA at all. In many many cases, the only thing protecting that is a 4 digit numeric code. All an attacker needs is your IP address and knowledge that TeamViewer is running, then they can brute-force the 4 digit code. Nowadays it's trivial to portscan the entire IPv4 space and see who has a port open...

      To make an analogy. Just because you have a super strong password for your Outlook.com account, doesn't mean your computer won't get owned when you turn on Remote Desktop with a 4 digit password and set it to accept connections from the entire world.

    8. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      Nowadays it's trivial to portscan the entire IPv4 space and see who has a port open...

      Except Teamviewer on the client initiates a connection to Teamviewer's servers, no port forwarding. On a symmetrical nat router, no scanner would detect open ports for Teamviewer.
      Also, Teamviewer denies access for a few minutes after several failed attempts.

    9. Re:Wish it was that simple by Darinbob · · Score: 1

      I use teamviewer. But there's no password. What does having an account get you that you don't get with the free version?

    10. Re:Wish it was that simple by Anonymous Coward · · Score: 0

      Is that the IBM employee who was whining about it on Reddit? Instead of, I don't know, an official IBM channel?

      It's 2016. Customer support is abysmal to non-existent for consumers of major corporations. Flaming assholes on the internet is our only real recourse. It's important, because it's the only power they left us. I just wish more people would support limited boycotts and/or it was easier to damage such a powerful brand with legitimate bad press.

    11. Re:Wish it was that simple by vux984 · · Score: 1

      And at least one case where a person was able to login to a PC even through 2FA authentication.

      I use teamviewer a lot. I don't use 2FA with it. Check this out:

      Does 2FA apply when logging into the teamviewer account? It looks like it does!

      Or does it apply when connecting to a teamviewer in unattended mode? It looks like it doesn't.

      I mean, check this out.

      https://www.turnon2fa.com/tuto...

      Check out "step 7" where they show it asking for the 2FA "Enter your security code" (on the right panel). So he's not signed into his teamviewer account yet.

      But I expect you can remote into the PC; if you have his teamviewer ID and that password that are shown on the left.

      You DO NOT need to be signed into a teamviewer account at all to connect to a teamviewer machine if you know the id, and either the random password that changes with each launch (displayed in the app) or the "secret" password (which stays the same).

      The teamviewer account just lets you log in to "your account" which stores a list of teamviewer "IDs" for computers you connect to frequently, and optionally stored passwords, friendly names for the ids, etc...

      In other words, TFA doesn't have to be defeated to connect to a teamviewer machine at least in its default configuration.

      So... if there's an exploit where they can beat the random 4 digit code (when TV is running 'session') or the random 6 alpha when unattended is setup, then they bypass TFA.

      Remember, most of the "hacking" reports show the attacker as NOT connecting as "themselves"; so they may have a way into the machines, even without breaking into the TV accounts.

  4. I could never get up the courage... by Anonymous Coward · · Score: 1

    ... to install TV. Great reviews. Broad support. Free. But sh~t like this always seemed a risk.

  5. This has been going on for a while... by 00Monkey · · Score: 4, Interesting

    Back in February, I had Team Viewer running 24/7 on an Ubuntu Desktop. I had a "strong" password, using letters, numbers and symbols. I was at a customer site installing a new Asterisk phone system and suddenly I get notifications from Paypal that I'm buying large amounts of virtual currency with NCSoft. It took me all of 5 minutes to realize what was happening and change my Paypal password and in that time, several grand was spent. It took me a week to get it all fixed, which isn't that bad.

    Team Viewer Support couldn't care less. I asked why they wouldn't even notify on an account that's never been accessed from outside the country and they had no answers. Now, what could I have done better? Set up Multi-Factor Authentication for Team Viewer and Paypal. So, some of the responsibility is mine. However, I find it very strange that someone could have hacked or guessed that account's password. I asked if they had a breach and they reported that there were no problems, of course. Notification and confirmation of suspicious activity should have been implemented by them a long time ago.

    1. Re:This has been going on for a while... by ledow · · Score: 3, Insightful

      They don't need to have had a breach, as such, for the software to have been compromised in some way. Even a protocol flaw, or a plain-text-password-sniff or all kinds of things. Even a virus on a machine that you've logged on FROM.

    2. Re:This has been going on for a while... by Anonymous Coward · · Score: 0

      Leaving closed-source software with a way to access my machine constantly running always made me uncomfortable, so I didn't.

      What I also don't do, and you shouldn't either, is leave your bank/paypal logged in or have your passwords for them insecurely saved on your computer; while Linux malware is uncommon, it isn't unheard of, and if it wasn't Teamviewer, attackers might have got access to your credentials some other way.

      For remote access, I have SSH running on a Raspberry Pi with 2-factor signon* on a non-standard port, from there I can remote wake another machine, typically my VM server, then I start a VM that has GoToAssist unattended access setup (as that is what I use for work, but could equally be TeamViewer or something else).

      * A Google Authenticator token plus a strong password

  6. Relevant subreddit with the reports... by Anonymous Coward · · Score: 5, Informative

    https://www.reddit.com/r/teamviewer

    1. Re:Relevant subreddit with the reports... by ZiakII · · Score: 1

  7. The users often ARE at fault by damn_registrars · · Score: 2

    Consider how many people use auto-login for all sorts of things in their web browser. If you can log in to their system as their user, and access their web browser, you will almost certainly be able to access some of their accounts. No amount of teamviewer security can offset user laziness.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  8. Bullshit by Anonymous Coward · · Score: 0

    It was haxx0rz. It is always haxx0rz. It always will be haxx0rz.

  9. TeamView by Anonymous Coward · · Score: 0

    My mouse is spinning around in circles in the center of my screen.

    How can I make it stop?

  10. That's funny by freak0fnature · · Score: 3, Interesting

    The fact that they allow users to download old versions of TeamViewer is 1/2 the problem. I entertained a call from someone who was likely Pakistani that asked me to install an old version of TeamViewer from their website. Though I got on Linux and tried to follow their instructions...they didn't know what Linux was. I succeeded in wasting 30 minutes of their time.

    1. Re:That's funny by QA · · Score: 1

      The problem is licensing. I have a 3 channel corporate license for...TV 8... So, what they do is try and get you to upgrade to a higher version.... ESPECIALLY sneaky is the window that pops up "There is a newer version etc etc" and prompt you to install it.

      I tried this once and received the message "your license does not support this version". The client now has a setting where you can tell it not to notify you of updates unless within the major version of your license. I believe so many people got screwed by updating and then having a non functional license that they HAD to add this.

      IIRC my corporate license was somewhere between $3000.00 and $5000.00 CAD dollars and they wanted over half that again to enable my license for version 11.

  11. Chrome plugin asinine defaults to allow remote by Zappy · · Score: 2

    Chrome TV plugin asinine defaults to allow remote without password. Add to that plugin installs are synced you could have TV installed on a pc without realising it. Defaulting to *allow* remote access.

  12. Who is crazy enough to run a RAT? by Anonymous Coward · · Score: 0, Flamebait

    If you run a publicly accessible RAT (remote admin tool) then you're just asking for trouble, especially if you leave it running while it's not being actively used.
    I hope people have learned that they shouldn't use any sort of remote desktop tool that relies on or accesses a third party server and to properly configure any new one they use to only accept incoming connections from whitelisted IPs or inside their network only.

    1. Re: Who is crazy enough to run a RAT? by Anonymous Coward · · Score: 0

      Still doesn't explain why it needs to always be running.

  13. I kinda believe them... by wbr1 · · Score: 1
    Here is why.
    I work for a small IT shop/MSP. We use logic now/GFI tools to manage machines. The built-in remote tool is called TakeControl, but is simply a slightly modified TeamViewer. The client and board backend negotiate a regularly changing passphrase for remote access; it is out of user control. The rest of the protocol and software is the same.

    We have not yet had a single one of our managed PCs or servers report any activity like this. If there was a breach at Teamviewer, Takecontrol enabled computers managed by MSPs are often small/mid sized businesses and make a much juicier target. The passwords to connect to these machines would exist in teamviewer's infrastructure the same as anyone else's.

    --
    Silence is a state of mime.
  14. Two factor, etc. by DrYak · · Score: 2

    At least some "stupid-mitigation" could have helped.

    Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or received by 2nd channel)

    Or things like public-key authentication (stupid password is used to unlock locally stored file with cryptographic key. Key is only used to sign stuff over wire)

    In both cases, even in the case of a massive leak (e.g.: like recent LinkedIn's) the stolen passwords can't be used alone to impersonate user identity.
    (either an extra token would be needed in addition. Or a file containing the cryptographic key. Both of which stay in the possession of the end-user and never travel the wire).

    But no, companies still continue to recommend "secure" passwords.
    (Which can still be mitigated using a decent password manager).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Two factor, etc. by moronoxyd · · Score: 2

      Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or received by 2nd channel)

      [snip]

      But no, companies still continue to recommend "secure" passwords.
      (Which can still be mitigated using a decent password manager).

      Fun fact: TeamViewer has supported TFA for several years now.
      But if people don't use it and instead reuse the same passwords for TV as for other services...

  15. Not buying it. by Olmy's+Jart · · Score: 5, Insightful

    I'm not buying Team Viewer's explanation one bit. I know the individual in this article. He's a fellow security expert with whom I've worked. He's no security slouch, quite the opposite in fact. He caught the attackers in the act (yeah, he got lucky there) and took action as it unfolded before his eyes. Team Viewer has some serious 'splainen to do...

    https://securityintelligence.c...

    1. Re: Not buying it. by Anonymous Coward · · Score: 2, Insightful

      He admits to reusing his one password between team viewer and numerous websites.

      That is a pretty huge slouch for a security expert, and even a fairly nice sized face palm for a regular user.

    2. Re:Not buying it. by Anonymous Coward · · Score: 1

      Do you mean the security expert that is reusing the same password across different services?

      He implies that in his article:

      I hadn't really used TeamViewer in a long time and had actually forgotten that it was installed on multiple systems. Then I remembered that I recently changed a few passwords in response to the LinkedIn compromise.

      For the time being, take some recommendations from the story of how I almost got hacked:

      • Do not reuse passwords between applications.
      • Ensure your passwords are unique to each system.


    3. Re:Not buying it. by Anonymous Coward · · Score: 0

      He is a pretty shitty "expert"

      Using the same password like that is a sign of a Poseur Wannabe. Tell your friend that faking that he is an "expert" only makes most of the internet laugh at him.

    4. Re:Not buying it. by EETech1 · · Score: 1

      I just showed up as being in the LinkedIn and MySpace hacks and I've gotten some messages in my email that someone failed logging in to LogMeIn. I have a gmail that is just my last name, so I get everyone who is too stupid to know their own email using mine, and I remember someone signing up for LogMeIn using my email (oh the fun I could have had), so it is quite a coincidence I showed up on Have I Been Pwned, and got failed login attempts on LogMeIn from two different parts of the world virtually simultaneously.

    5. Re:Not buying it. by Anonymous Coward · · Score: 1

      Not much of a security expert if he lets closed-source software have constant full access to his computer.

    6. Re: Not buying it. by MSG · · Score: 1

      Yeah he's no slouch, but he acknowledges that the attack probably used a password that leaked and wasn't changed. So, there's nothing to see here...

  16. Alternatives? by tindur · · Score: 2

    Are there any free (libre) alternatives to Team viewer?

    1. Re:Alternatives? by Anonymous Coward · · Score: 1

      Yeah dude, VNC's been around since forever.

    2. Re:Alternatives? by 93+Escort+Wagon · · Score: 3, Informative

      Yeah dude, VNC's been around since forever.

      And VNC's security is next to trivial to compromise.

      If you're going to use VNC, run it through ssh or openvpn - and only allow access that way. Keep the VNC ports themselves closed.

      --
      #DeleteChrome
    3. Re:Alternatives? by Anonymous Coward · · Score: 0

      Yeah dude, VNC's been around since forever.

      And VNC's security is next to trivial to compromise.

      If you're going to use VNC, run it through ssh or openvpn - and only allow access that way. Keep the VNC ports themselves closed.

      VNC is terrible over connections with low bandwidth / high latency. Alternative suggestions?

    4. Re:Alternatives? by 93+Escort+Wagon · · Score: 1

      Alternative suggestions?

      I haven't used this in a few years, but - for Linux boxes, I found xrdp to perform much, much better than vnc.

      I am not particularly knowledgeable regarding xrdp's security track record, though.

      --
      #DeleteChrome
    5. Re:Alternatives? by Anonymous Coward · · Score: 0

      Unlike teamviewer security which is nearly impossible to compromise.

    6. Re:Alternatives? by Antique+Geekmeister · · Score: 1

      For _X_ based access, namely for Linux based servers and remote shared or graphical sessions from other platforms, I've found the NoMachine software from www.nomachine.com to work very well. There are older free software versions of it, such as "freenx", and very good demo versions of it. Commercial use and support requires rather expensive commercial licenses, but the quality of the software has been very good. It's well supported, the free clients work very well with the commercial servers, and they've earned my confidence in their commercial support.

      It's also effective to use the free versions as a demo, and buy the commercial license when satisfied with the demo. I do _not_ encourage commercial use of the demo; that's a license violation and discourages good developers trying to sell their work.

    7. Re:Alternatives? by Darinbob · · Score: 1

      TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.

    8. Re: Alternatives? by Anonymous Coward · · Score: 0

      Anydesk

    9. Re:Alternatives? by Anonymous Coward · · Score: 0

      I was unimpressed with the performance of NoMachine when I tried the demo; that could possibly just be due to running it on a Raspberry Pi2. I was also unimpressed with the security: with the demo version, while it lets you log in as multiple users, the user you log in with isn't tied to the user whose session it controls; it just creates a session for the user set in the configuration file regardless of who you log in as.

    10. Re:Alternatives? by jittles · · Score: 1

      Are there any free (libre) alternatives to Team viewer?

      Yes. I am really surprised that anyone uses these services. You could try OpenVPN and Remote Desktop Protocol or VNC. You can also use SSH port forwarding to use RDP or VNC through an SSH connection. It's all trivial.

    11. Re:Alternatives? by jittles · · Score: 1

      TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.

      Why do security experts use TeamViewer when there are free and better ways to provide the same service yourself?

  17. will their new "security measures".. by Anonymous Coward · · Score: 0

    do anything to prevent or even slow down the use of their software and service by fraudulent "online support" companies, who seem to favor team viewer over other products........

  18. have to agree by luther349 · · Score: 1

    don't leave team viewer running unless you plan on using it; you're just leaving a door open. just like any other vnc. don't let anyone in with any 3rd party app unless you trust them. tech support of any kind will never cold call you. it's very simple things here and you will have no problems.

    1. Re:have to agree by Darinbob · · Score: 1

      I have trouble imagining any situation where you might want to keep TeamViewer open and active, unless the guy pretending to be microsoft support asked you to. And a situation of leaving TeamViewer open, active, and *unattended* seems bizarre. I could possibly imagine remote control IT support, but that sounds like a badly run company to me; if you can't see your own IT support then what assurance do you have that IT even knows or cares about you, but even a remote control IT support would turn off TeamViewer as often as possible, would know not to use the same password everywhere, etc. (sounds like maybe too many people outsource stuff)

    2. Re:have to agree by hairyfeet · · Score: 1

      The problem is the latest updates to TV default to have it running as a Windows service 24/7 which is why I had my customers uninstall it, if they need remote support they can install it just long enough for me to fix the issue and then uninstall.

      So yeah...this is 100% TV's fault, they are the ones that chose the boneheaded move of making their defaults "run 24/7" and obviously with THIS many reported break ins? Yeah don't give me that "reused passwords" bullshit as those passwords have been in the wild for many months yet only NOW does it happen, and happen en masse? Yeah someone found a TV exploit and pwned their asses HARD and now they are playing the time honored game of CYA. I expect them to be sued out of business any day now.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  19. And VNC does a small fraction of what Teamviewer does by Dr.+Evil · · Score: 1

    It will give you a remote session. Provided:
    - You open a hole in your firewall
    - You have a dynamic DNS service
    - You don't mind sending username/password, and your entire session in the clear
    - You don't mind the performance

    These issues are amplified if you're helping somebody over the phone.

    As far as I know, there are no free (libre) alternatives to Teamviewer.

  20. And 2FACTOR FAILS by Anonymous Coward · · Score: 0

    Teamviewer really is falling down on the Job.

    Their 2Factor makes you waste Tons TONS of Time and doesn't work by any vector, Barcode or Manually entering.

    It's a real waste and extreme security risk.

    1. Re:And 2FACTOR FAILS by sabbede · · Score: 1

      How so? I haven't had any issues with it myself. I log in from an unknown computer and get prompted for the code sitting in Google Authenticator. Am I missing something?

  21. Here's how it works by golgotha007 · · Score: 1

    There are hundreds of millions of username/password combinations, stolen from lots of different websites that have been breached over the years. A person(s) or group(s) with this collection decides to target teamviewer users, especially after learning that teamviewer doesn't require their users to enable 2FA. Of course, 99.99% of all the accounts in the huge list will fail (user doesn't exist, wrong password, etc.). But, it doesn't cost any money to continually bang on teamviewer servers looking for username/password combos that work - this part is automated and being done from thousands of computers all at the same time (essentially a botnet). They take the list of successful user/pass combos and give it to a group of people determined to transfer paypal, buy gift cards, anything that will let them infiltrate money by taking control of that user account.
    Who is at fault? Teamviewer doesn't deserve to walk from this completely free of blame. They should have required 2FA for accounts that allow for remote session activity. In addition, they should have noticed huge spikes of bad user/pass combos being tried on their servers.
    Unfortunately, the majority of the blame lies with poor security decisions made by users. Any critical account (like remote access or anything related to money) should be protected by a unique strong password and 2FA (when available).
    This is just the beginning folks. We're going to see more and more of these types of attacks.
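
The server-side detection the comment above says was missing (noticing "huge spikes of bad user/pass combos" and the harvested accounts behind them), as an added example that is not from the thread, from TeamViewer, or from any real product. The log format and the sample lines are constructed for the example.

```python
"""Credential-stuffing detection over auth log lines (added example, not from the thread).

Assumed log format (constructed): "<ISO timestamp> src=<ip> user=<name> result=ok|fail".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycles a leaked user/pass list (one hit, on "bob"),
# "carol" mistypes her password twice from home, "dave" mistypes once.
SAMPLE_LOG = """\
2016-06-01T10:00:01 src=203.0.113.5 user=alice result=fail
2016-06-01T10:00:02 src=203.0.113.5 user=bob result=ok
2016-06-01T10:00:03 src=203.0.113.5 user=carol result=fail
2016-06-01T10:00:04 src=203.0.113.5 user=dave result=fail
2016-06-01T10:00:05 src=203.0.113.5 user=erin result=fail
2016-06-01T10:00:06 src=203.0.113.5 user=frank result=fail
2016-06-01T10:00:07 src=203.0.113.5 user=grace result=fail
2016-06-01T10:00:08 src=203.0.113.5 user=heidi result=fail
2016-06-01T10:00:30 src=198.51.100.7 user=carol result=fail
2016-06-01T10:00:45 src=198.51.100.7 user=carol result=fail
2016-06-01T10:01:02 src=198.51.100.7 user=carol result=ok
2016-06-01T10:30:00 src=192.0.2.9 user=dave result=fail
2016-06-01T10:30:20 src=192.0.2.9 user=dave result=ok
"""


def parse(lines):
    """Yield (timestamp, ip, user, result) for every well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def detect_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that failed against >= min_distinct_users distinct usernames
    inside any sliding `window`. A real user mistyping one password never trips this;
    a list-driven attacker does. Returns {ip: {"distinct_failed_users": n,
    "compromised": [users the flagged IP logged into successfully]}}."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        per_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        recent = deque()  # (ts, user) failures inside the current window
        peak = 0
        for ts, user, result in events:
            if result != "fail":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop failures older than the window
                recent.popleft()
            peak = max(peak, len({u for _, u in recent}))
        if peak >= min_distinct_users:
            hits = sorted({u for _, u, r in events if r == "ok"})
            flagged[ip] = {"distinct_failed_users": peak, "compromised": hits}
    return flagged


def failure_spike(lines, threshold=5):
    """Count failures per minute across all sources and return the minutes above
    `threshold` as {"YYYY-MM-DDTHH:MM": count}: the volume signal a distributed
    attack leaves even when each individual IP stays under the per-IP limit."""
    per_minute = defaultdict(int)
    for ts, _ip, _user, result in parse(lines):
        if result == "fail":
            per_minute[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return {minute: n for minute, n in sorted(per_minute.items()) if n > threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in detect_stuffing(lines).items():
        print(f"stuffing from {ip}: {info}")  # notify + force reset for 'compromised'
    print("failure spikes:", failure_spike(lines))
```

Accounts in `compromised` are the ones that need the notify-on-new-device and forced-reset response the summary describes; the per-minute spike catches a botnet whose individual IPs never repeat.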

  22. I have been hacked too on Team viewer by Anonymous Coward · · Score: 0

    2 sundays ago, I sat at my computer to see the session termination window of teamviewer on my laptop's screen. I am the only one who knows the password. So short of a security breach of some sort at the teamviewer's side, this should not have happened. They tried to syphon my amazon account but my 2factor auth prevented them from logging in from a different device. Fortunately, nothing of monetary value to me has stored passwords anywhere so they were s#!+ out of luck. But since then, teamviewer gets shut down on all my devices. Small inconvenience for a big price tag in my opinion.