Slashdot Mirror

← Back to Stories (view on slashdot.org)

TeamViewer Denies Being Hacked, Blames Users, Introduces New Security Measures (betanews.com)

Posted by EditorDavid on from the remote-controls dept.

Mark Wilson writes: In the last couple of weeks there have been a huge number of reports from TeamViewer users that their computers have been hijacked. In addition to this, users of the remote access tool have complained of funds being extracted from PayPal and bank accounts. But TeamViewer insists that there has not been a security breach, instead shifting the blame to users.

The company says [users] are in the habit of reusing the same passwords for a number of apps and services. It suggests that recent high profile security breaches -- such as the password dumps from MySpace and LinkedIn -- have allowed cyber criminals to learn TeamViewer log in credentials.
"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users," reads the company's statement. But they will now notify users whenever a new device logs in to a TeamViewer account, and in the future will also require a new password whenever suspicious account activity is detected.

38 of 65 comments (clear)

  1. Duplicate? by CaptainDork · · Score: 1

    https://news.slashdot.org/stor...

    --
    It little behooves the best of us to comment on the rest of us.
  2. Wish it was that simple by Anonymous Coward · · Score: 4, Informative

    But people are reporting unique, long passwords on their TV accounts being useless. And at least one case where a person was able to login to a PC even through 2FA authentication.

    Either this is just a wide configuration error in the TV client made by unknowing users, or someone is lying.

    1. Re:Wish it was that simple by slaker · · Score: 1

      Is that the IBM employee who was whining about it on Reddit? Instead of, I don't know, an official IBM channel?

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    2. Re:Wish it was that simple by Anonymous Coward · · Score: 1

      So is two factor authentication authentication (2FA authentication) the same as three factor authentication? Perhaps if they added the use of a PIN number it would be better better.

    3. Re:Wish it was that simple by Darinbob · · Score: 1

      I use teamviewer. But there's no password. What does having an account get you that you don't get with the free version?

    4. Re:Wish it was that simple by vux984 · · Score: 1

      And at least one case where a person was able to login to a PC even through 2FA authentication.

      I use teamviewer a lot. I don't use 2FA with it. Check this out:

      Does 2FA apply when logging into the teamviewer account? It looks like it does!

      Or does it apply when connecting to an teamviewer in unattended mode? It looks like it doesn't.

      I mean, check this out.

      https://www.turnon2fa.com/tuto...

      Check out "step 7" where they show it asking for the 2FA "Enter your security code" (on the right panel). So he's not signed into his teamviewer account yet.

      But I expect you can remote into the PC; if you have his teamviewer ID and that password that are shown on the left.

      You DO NOT need to be signed into a teamviewer account; at all to connect a teamviewer machine if you know the id, and either the random password that changes with each launch, (displayed in the app) or the "secret" password (which stays the same).

      The teamviewer account just lets you log in to "your account" which stores a list of teamviewer "IDs" for computers you connect to frequently, and optionally stored passwords, friendly names for the ids, etc...

      In other words, TFA doesn't have to be defeated to connect to a teamviewer machine at least in its default configuration.

      So... if there's an exploit where they can beat the random 4 digit code (when TV is running 'session') or the random 6 alpha when unattended is setup, then they bypass TFA.

      Remember, most of the "hacking" reports show the attacker as NOT being connecting as "themselves"; so they may have a way into the machines, even without breaking into the TV accounts.

  3. I could never get up the courage... by Anonymous Coward · · Score: 1

    ... to install TV. Great reviews. Broad support. Free. But sh~t like this always seemed a risk.

  4. This has been going on for a while... by 00Monkey · · Score: 4, Interesting

    Back in February, I had Team Viewer running 24/7 on an Ubuntu Desktop. I had a "strong" password, using letters, numbers and symbols. I was at a customer site installing a new Asterisk phone system and suddenly I get notifications from Paypal that I'm buying large amounts of virtual currency with NCSoft. It took me all of 5 minutes to realize what was happening and change my Paypal password and in that time, several grand was spent. It took me a week to get it all fixed, which isn't that bad.

    Team Viewer Support couldn't care less. I asked why they wouldn't even notify on an account that's never been accessed from outside the country and they had no answers. Now, what could I have done better? Setup Multi-Factor Authentication for Team Viewer and Paypal. So, some of the responsibility is mine. However, I find it very strange that someone could have hacked or guessed that account's password. I asked if they had a breach and they reported that there were no problems, of course. Notification and confirmation of suspicious activity should have been implemented by them a long time ago.

    1. Re:This has been going on for a while... by ledow · · Score: 3, Insightful

      They don't need to have had a breach, as such, for the software to have been compromised in some way. Even a protocol flaw, or a plain-text-password-sniff or all kinds of things. Even a virus on a machine that you've logged on FROM.

  5. Relevant subreddit with the reports... by Anonymous Coward · · Score: 5, Informative

    https://www.reddit.com/r/teamviewer

    1. Re:Relevant subreddit with the reports... by ZiakII · · Score: 1

      Now Clickable...

      https://www.reddit.com/r/teamviewer

  6. The users often ARE at fault by damn_registrars · · Score: 2

    Consider how many people use auto-login for all sorts of things in their web browser. If you can log in to their system as their user, and access their web browser, you will almost certainly be able to access some of their accounts. No amount of teamviewer security can offset user laziness.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  7. That's funny by freak0fnature · · Score: 3, Interesting

    The fact that they allow users to download old versions of TeamViewer is 1/2 the problem. I entertained a call from someone who was likely Pakistani that asked me to install an old version of TeamViewer from their website. Though I got on Linux and tried to follow their instructions...they didn't know what Linux was. I succeeded in wasting 30 minutes of their time.

    1. Re:That's funny by QA · · Score: 1

      The problem is licensing. I have a 3 channel corporate license for...TV 8... So, what they do is try and get you to upgrade to a higher version.... ESPECIALLY sneaky is the window that pops up "There is a newer version etc etc" and prompt you to install it.

      I tried this once and received the message "your license does not support this version". The client now has a setting where you can tell it not to notify you of updates unless within the major version of your license. I believe so many people got screwed by updating and then having a non functional license that they HAD to add this.

      IIRC my corporate license was somewhere between $3000.00 and $5000,00 CAD dollars and they wanted over half that again to enable my license for version 11.

  8. Chrome plugin asinine defaults to allow remote by Zappy · · Score: 2

    Chrome TV plugin asinine defaults to allow remote without password. Add to that plugin installs are synced you could have TV installed on a pc without realising it. Defaulting to *allow* remote access.

  9. I kinda believe them... by wbr1 · · Score: 1
    Here is why.
    I work for a small IT shop/MSP. We use logic now/GFI tools to manage machines. The bukt in remote tool is called TakeControl, but is simply a slightly modified TeamViewer. The client and board backend negotiate a regularly changing passphrase for remote access, it is out of user control. The rest of the protocol and software is the same.

    We have not yet had a single one of our managed PCs or servers report any activity like this. If there was a breach at Teamviewer, Takecontrol enabled computers managed by MSPs are often small/mid sized businesses and make a much juicer target. The passwords to connect to these machines would exist in teamviewers infrastructure the same as anyone elses.

    --
    Silence is a state of mime.
  10. Two factor, etc. by DrYak · · Score: 2

    At least some "stupid-mitigiation" could have helped.

    Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or recieved by 2nd channel)

    Or things like public-key authentication (stupid password is used to unlock locally stored file with cryptographic key. Key is only used to sign stuff over wire)

    In both case, even in the case of a massive leak (e.g.: like recent LinkedIn's) the stolen passwords can't be used alone to impersonate user identity.
    (either an extra token would be needed in addition. Or a file containing the cryptographic key. Both of which stay in the possession of the end-user and never travel the wire).

    But no, companies still continue to recommend "secure" passwords.
    (Which can still be mitigiated using a decent password manager).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Two factor, etc. by moronoxyd · · Score: 2

      Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or recieved by 2nd channel)

      [snip]

      But no, companies still continue to recommend "secure" passwords.
      (Which can still be mitigiated using a decent password manager).

      Fun fact: TeamViewer supports TFA for several years now.
      But if people don't use it and instead reuse the same passwords for TV as for other services...

  11. Not buying it. by Olmy's+Jart · · Score: 5, Insightful

    I'm not buying Team Viewers explaination one bit. I know the individual in this article. He's a fellow security expert with whom I've worked. He's no security slouch, quite the opposite in fact. He caught the attackers in the act (yeah, he got lucky there) and took action as it unfolded before his eyes. Team Viewer has some serious 'splainen to do...

    https://securityintelligence.c...

    1. Re: Not buying it. by Anonymous Coward · · Score: 2, Insightful

      He admits to reusing his one password between team viewer and numerous websites.

      That is a pretty huge slouch for a security expert, and even a fairly nice sized face palm for a regular user.

    2. Re:Not buying it. by Anonymous Coward · · Score: 1

      Do you mean the security expert that is reusing the same password across different services?

      He implies that in his article:

      I hadn't really used TeamViewer in a long time and had actually forgotten that it was installed on multiple systems. Then I remembered that I recently changed a few passwords in response to the LinkedIn compromise.

      For the time being, take some recommendations from the story of how I almost got hacked:

      • Do not reuse passwords between applications.
      • Ensure your passwords are unique to each system.

       

    3. Re:Not buying it. by EETech1 · · Score: 1

      I just showed up as being in the LinkedIn and MySpace hacks and I've gotten some messages in my email that someone failed logging in to LogMeIn. I have a gmail that is just my last name, so I get everyone who is too stupid to know their own email using mine, and I remember someone signing up for LogMeIn using my email (oh the fun I could have had) so it is quite a coincidence I showed up on have I been pawned, and got failed login attempts on LogMeIn from two different parts of the world virtually simultaneously.

    4. Re:Not buying it. by Anonymous Coward · · Score: 1

      Not much of a security expert if he lets closed-source software have constant full access to his computer.

    5. Re: Not buying it. by MSG · · Score: 1

      Yeah he's no slouch, but he acknowledges that the attack probably used a password that leaked and wasnt changed. So, there's nothing to see here...

  12. Alternatives? by tindur · · Score: 2

    Are there any free (libre) alternatives to Team viewer?

    1. Re:Alternatives? by Anonymous Coward · · Score: 1

      Yeah dude, VNC's been around since forever.

    2. Re:Alternatives? by 93+Escort+Wagon · · Score: 3, Informative

      Yeah dude, VNC's been around since forever.

      And VNC's security is next to trivial to compromise.

      If you're going to use VNC, run it through ssh or openvpn - and only allow access that way. Keep the VNC ports themselves closed.

      --
      #DeleteChrome
    3. Re:Alternatives? by 93+Escort+Wagon · · Score: 1

      Alternative suggestions?

      I haven't used this in a few years, but - for Linux boxes, I found xrdp to perform much, much better than vnc.

      I am not particularly knowledgable regarding xrdp's security track record, though.

      --
      #DeleteChrome
    4. Re:Alternatives? by Antique+Geekmeister · · Score: 1

      For _X_ based access, namely for Linux based servers and remote shared or graphical sessions from other platforms, I've found the NoMachine software from www.nomachine.com to work very well. There are older free software versions of it, such as "freenx", and very good demo versions of it. Commercial use and support requires rather expensive commercial licenses, but the quality of the software has been very good. It's well supported, the free clients work very well with the commercial servers, and they've earned my confidence in their commercial support.

      It's also effective to use the free versions as a demo, and buy the commercial license when satisfied with the demo. I do _not_ encourage commercial use of hte demo, that's a license violation and discourages good developers trying to sell their work.

    5. Re:Alternatives? by Darinbob · · Score: 1

      TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.

    6. Re:Alternatives? by jittles · · Score: 1

      Are there any free (libre) alternatives to Team viewer?

      Yes. I am really surprised that anyone uses these services. You could try OpenVPN and Remote Desktop Protocol or VNC. You can also use SSH port forwarding to use RDP or VNC through an SSH connection. It's all trivial.

    7. Re:Alternatives? by jittles · · Score: 1

      TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.

      Why do security experts use TeamViewer when there are free and better ways to provide the same service yourself?

  13. have to agree by luther349 · · Score: 1

    dont leave team viewer running unless you plain on using it your just leaving a door open. just like any other vnc. dont let anyone in with any 3rd party app unless you trust them. tech support of any kind will never cold call you. its very simple things hear and you will have no problems.

    1. Re:have to agree by Darinbob · · Score: 1

      I have trouble imagining any situation where you might want to keep TeamViewer open and active, unless the guy pretending to be microsoft support asked you to. And a situation of leaving TeamViewer open, active, and *unattended* seems bizarre. I could possibly imagine remote control IT support, but that sounds like a badly run company to me; if you can't see your own IT support then what assurance do you have that IT even knows or cares about you, but even a remote control IT support would turn off TeamViewer as often as possible, would know not to use the same password everywhere, etc. (sounds like maybe too many people outsource stuff)

    2. Re:have to agree by hairyfeet · · Score: 1

      The problem is the latest updates to TV default to have it running as a Windows service 24/7 which is why I had my customers uninstall it, if they need remote support they can install it just long enough for me to fix the issue and then uninstall.

      So yeah...this is 100% TV's fault, they are the ones that chose the boneheaded move of making their defaults "run 24/7" and obviously with THIS many reported break ins? Yeah don't give me that "reused passwords" bullshit as those passwords have been in the wild for many months yet only NOW does it happen, and happen en masse? Yeah someone found a TV exploit and pwned their asses HARD and now they are playing the time honored game of CYA. I expect them to be sued out of business any day now.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  14. And VNC does a small fractiof what Teamviewer does by Dr.+Evil · · Score: 1

    It will give you a remote session. Provided:
    - You open a hole in your firewall
    - You have a dynamic DNS service
    - You don't mind sending username/password, and your entire session in the clear
    - You don't mind the performance

    These issues are amplified if you're helping somebody over the phone.

    As far as I know, there are no free (libre) alternatives to Teamviewer.

  15. Here's how it works by golgotha007 · · Score: 1

    There are hundreds of millions of username/password combinations, stolen from lots of different websites that have been breached over the years. A person(s) or group(s) with this collection decides to target teamviewer users, especially after learning that teamviewer doesn't require their users to enable 2FA. Of course, 99.99% of all the accounts in the huge list will fail (user doesn't exist, wrong password, etc.). But, it doesn't cost any money to continually bang on teamviewer servers looking for username/password combos that work - this part is automated and being done from thousands of computers all at the same time (essentially a botnet). They take the list of successful user/pass combos and give it to a group of people determined to transfer paypal, buy gift cards, anything that will let them infiltrate money by taking control of that user account.
    Who is at fault? Teamviewer doesn't deserve to walk from this completely free of blame. They should have required 2FA for accounts that allow for remote session activity. In addition, they should have noticed huge spikes of bad user/pass combos being tried on their servers.
    Unfortunately, the majority of the blame lay with poor security decisions made by users. Any critical account (like remote access or anything related to money) should be protected by a unique strong password and 2FA (when available).
    This is just the beginning folks. We're going to see more and more of these types of attacks.

  16. Re:And 2FACTOR FAILS by sabbede · · Score: 1

    How so? I haven't had any issues with it myself. I log in from an unknown computer and get prompted for the code sitting in Google Authenticator. Am I missing something?