TeamViewer Denies Being Hacked, Blames Users, Introduces New Security Measures (betanews.com) 65
Mark Wilson writes: In the last couple of weeks there have been a huge number of reports from TeamViewer users that their computers have been hijacked. In addition to this, users of the remote access tool have complained of funds being extracted from PayPal and bank accounts. But TeamViewer insists that there has not been a security breach, instead shifting the blame to users.
The company says [users] are in the habit of reusing the same passwords for a number of apps and services. It suggests that recent high profile security breaches -- such as the password dumps from MySpace and LinkedIn -- have allowed cyber criminals to learn TeamViewer log in credentials.
"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users," reads the company's statement. But they will now notify users whenever a new device logs in to a TeamViewer account, and in the future will also require a new password whenever suspicious account activity is detected.
Two factor, etc. (Score:3)
At least some "stupid-mitigation" could have helped.
Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or received by 2nd channel)
Or things like public-key authentication (stupid password is used to unlock locally stored file with cryptographic key. Key is only used to sign stuff over wire)
In both cases, even in the case of a massive leak (e.g.: like recent LinkedIn's) the stolen passwords can't be used alone to impersonate user identity.
(either an e
Re: (Score:3)
Things like two factor auth (user still uses stupid password, but also needs token given by smart-phone app, or received by 2nd channel)
[snip]
But no, companies still continue to recommend "secure" passwords [dilbert.com].
(Which can still be mitigated using a decent password manager).
Fun fact: TeamViewer has supported TFA for several years now.
But if people don't use it and instead reuse the same passwords for TV as for other services...
Duplicate? (Score:2)
https://news.slashdot.org/stor... [slashdot.org]
Wish it was that simple (Score:4, Informative)
But people are reporting unique, long passwords on their TV accounts being useless. And at least one case where a person was able to login to a PC even through 2FA authentication.
Either this is just a wide configuration error in the TV client made by unknowing users, or someone is lying.
Re: (Score:2)
Is that the IBM employee who was whining about it on Reddit? Instead of, I don't know, an official IBM channel?
Re: (Score:1)
So is two factor authentication authentication (2FA authentication) the same as three factor authentication? Perhaps if they added the use of a PIN number it would be better better.
Re: (Score:2)
I use teamviewer. But there's no password. What does having an account get you that you don't get with the free version?
Re: (Score:2)
And at least one case where a person was able to login to a PC even through 2FA authentication.
I use teamviewer a lot. I don't use 2FA with it. Check this out:
Does 2FA apply when logging into the teamviewer account? It looks like it does!
Or does it apply when connecting to a teamviewer in unattended mode? It looks like it doesn't.
I mean, check this out.
https://www.turnon2fa.com/tuto... [turnon2fa.com]
Check out "step 7" where they show it asking for the 2FA "Enter your security code" (on the right panel). So he's not signed into his teamviewer account yet.
But I expect you can remote into the PC; if you have his team
I could never get up the courage... (Score:1)
... to install TV. Great reviews. Broad support. Free. But sh~t like this always seemed a risk.
This has been going on for a while... (Score:5, Interesting)
Back in February, I had Team Viewer running 24/7 on an Ubuntu Desktop. I had a "strong" password, using letters, numbers and symbols. I was at a customer site installing a new Asterisk phone system and suddenly I get notifications from Paypal that I'm buying large amounts of virtual currency with NCSoft. It took me all of 5 minutes to realize what was happening and change my Paypal password and in that time, several grand was spent. It took me a week to get it all fixed, which isn't that bad.
Team Viewer Support couldn't care less. I asked why they wouldn't even notify on an account that's never been accessed from outside the country and they had no answers. Now, what could I have done better? Set up Multi-Factor Authentication for Team Viewer and Paypal. So, some of the responsibility is mine. However, I find it very strange that someone could have hacked or guessed that account's password. I asked if they had a breach and they reported that there were no problems, of course. Notification and confirmation of suspicious activity should have been implemented by them a long time ago.
Re:This has been going on for a while... (Score:4, Insightful)
They don't need to have had a breach, as such, for the software to have been compromised in some way. Even a protocol flaw, or a plain-text-password-sniff or all kinds of things. Even a virus on a machine that you've logged on FROM.
Relevant subreddit with the reports... (Score:5, Informative)
https://www.reddit.com/r/teamviewer
Re: (Score:2)
https://www.reddit.com/r/teamviewer [reddit.com]
The users often ARE at fault (Score:3)
That's funny (Score:4, Interesting)
Re: (Score:1)
The problem is licensing. I have a 3 channel corporate license for...TV 8... So, what they do is try and get you to upgrade to a higher version.... ESPECIALLY sneaky is the window that pops up "There is a newer version etc etc" and prompt you to install it.
I tried this once and received the message "your license does not support this version". The client now has a setting where you can tell it not to notify you of updates unless within the major version of your license. I believe so many people got screwed
Chrome plugin asinine defaults to allow remote (Score:3)
Chrome TV plugin asinine defaults to allow remote without password. Add to that, plugin installs are synced, so you could have TV installed on a PC without realising it. Defaulting to *allow* remote access.
I kinda believe them... (Score:2)
I work for a small IT shop/MSP. We use logic now/GFI tools to manage machines. The built in remote tool is called TakeControl, but is simply a slightly modified TeamViewer. The client and board backend negotiate a regularly changing passphrase for remote access, it is out of user control. The rest of the protocol and software is the same.
We have not yet had a single one of our managed PCs or servers report any activity like this. If there was a breach at Teamviewer, Takecontrol enabled co
Not buying it. (Score:5, Insightful)
I'm not buying Team Viewer's explanation one bit. I know the individual in this article. He's a fellow security expert with whom I've worked. He's no security slouch, quite the opposite in fact. He caught the attackers in the act (yeah, he got lucky there) and took action as it unfolded before his eyes. Team Viewer has some serious 'splainen to do...
https://securityintelligence.c... [securityintelligence.com]
Re: Not buying it. (Score:2, Insightful)
He admits to reusing his one password between team viewer and numerous websites.
That is a pretty huge slouch for a security expert, and even a fairly nice sized face palm for a regular user.
Re: (Score:1)
Do you mean the security expert that is reusing the same password across different services?
He implies that in his article:
Re: (Score:2)
I just showed up as being in the LinkedIn and MySpace hacks and I've gotten some messages in my email that someone failed logging in to LogMeIn. I have a gmail that is just my last name, so I get everyone who is too stupid to know their own email using mine, and I remember someone signing up for LogMeIn using my email (oh the fun I could have had) so it is quite a coincidence I showed up on have I been pawned, and got failed login attempts on LogMeIn from two different parts of the world virtually simultan
Re: (Score:1)
Not much of a security expert if he lets closed-source software have constant full access to his computer.
Re: Not buying it. (Score:2)
Yeah he's no slouch, but he acknowledges that the attack probably used a password that leaked and wasn't changed. So, there's nothing to see here...
Alternatives? (Score:3)
Re: (Score:1)
Yeah dude, VNC's been around since forever.
Re:Alternatives? (Score:4, Informative)
Yeah dude, VNC's been around since forever.
And VNC's security is next to trivial to compromise.
If you're going to use VNC, run it through ssh or openvpn - and only allow access that way. Keep the VNC ports themselves closed.
Re: (Score:2)
Alternative suggestions?
I haven't used this in a few years, but - for Linux boxes, I found xrdp to perform much, much better than vnc.
I am not particularly knowledgeable regarding xrdp's security track record, though.
Re: (Score:2)
For _X_ based access, namely for Linux based servers and remote shared or graphical sessions from other platforms, I've found the NoMachine software from www.nomachine.com to work very well. There are older free software versions of it, such as "freenx", and very good demo versions of it. Commercial use and support requires rather expensive commercial licenses, but the quality of the software has been very good. It's well supported, the free clients work very well with the commercial servers, and they've ea
Re: (Score:2)
TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.
Re: (Score:2)
TeamViewer works, is easy to use, and from all accounts other than Reddit, secure. People who complain about losing money on paypal are probably not security experts as security experts wouldn't put their own money in paypal.
Why do security experts use TeamViewer when there are free and better ways to provide the same service yourself?
And VNC does a small fraction of what Teamviewer does (Score:2)
It will give you a remote session. Provided:
- You open a hole in your firewall
- You have a dynamic DNS service
- You don't mind sending username/password, and your entire session in the clear
- You don't mind the performance
These issues are amplified if you're helping somebody over the phone.
As far as I know, there are no free (libre) alternatives to Teamviewer.
Re: (Score:2)
Are there any free (libre) alternatives to Team viewer?
Yes. I am really surprised that anyone uses these services. You could try OpenVPN and Remote Desktop Protocol or VNC. You can also use SSH port forwarding to use RDP or VNC through an SSH connection. It's all trivial.
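A check for the advice given in this thread (keep VNC/RDP ports closed and reach them only through SSH or OpenVPN), added here as an example and not code from any commenter: it parses listener lines in the layout of `ss -ltnH` and reports VNC (5900-5999) or RDP (3389) sockets bound to anything other than loopback. The sample lines and function names are constructed for illustration.

```python
import ipaddress

# Ports discussed in the thread: VNC displays :0-:99 and RDP.
REMOTE_DESKTOP_PORTS = set(range(5900, 6000)) | {3389}

# Constructed sample in the column layout of `ss -ltnH` (Linux, iproute2).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 [::1]:5902 [::]:*
LISTEN 0 2 [::]:3389 [::]:*
LISTEN 0 5 *:5903 *:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    if host == "*":            # ss prints * for a wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output):
    """Return (host, port) for remote-desktop listeners not on loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue           # header or malformed line
        host, port = split_local(cols[3])
        if port in REMOTE_DESKTOP_PORTS and not is_loopback(host):
            exposed.append((host, port))
    return exposed

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {host}:{port} (bind to 127.0.0.1 and reach it via the tunnel)")
```

A listener bound to 127.0.0.1 or ::1 is reachable only from the host itself, which is what an SSH port forward or VPN endpoint on that host needs.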
have to agree (Score:2)
Re: (Score:2)
I have trouble imagining any situation where you might want to keep TeamViewer open and active, unless the guy pretending to be microsoft support asked you to. And a situation of leaving TeamViewer open, active, and *unattended* seems bizarre. I could possibly imagine remote control IT support, but that sounds like a badly run company to me; if you can't see your own IT support then what assurance do you have that IT even knows or cares about you, but even a remote control IT support would turn off TeamV
Re: (Score:2)
Re: (Score:2)
Here's how it works (Score:2)
There are hundreds of millions of username/password combinations, stolen from lots of different websites that have been breached over the years. A person(s) or group(s) with this collection decides to target teamviewer users, especially after learning that teamviewer doesn't require their users to enable 2FA. Of course, 99.99% of all the accounts in the huge list will fail (user doesn't exist, wrong password, etc.). But, it doesn't cost any money to continually bang on teamviewer servers looking for usernam
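The pattern this comment describes, seen from the service's side, as an added example that is not part of the original post: a source that tries many distinct accounts and almost always fails is flagged, and any account it did get into is listed for a forced password reset and notification. The log format, thresholds and names are assumptions, and the events are constructed.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed events: one source spraying leaked pairs, one normal user."""
    lines = []
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"   # one reused password still works
        lines.append(f"2016-06-01T10:00:{i:02d}Z 198.51.100.7 user{i}@example.com {result}")
    lines.append("2016-06-01T10:01:00Z 203.0.113.5 bob@example.com FAIL")
    lines.append("2016-06-01T10:01:09Z 203.0.113.5 bob@example.com OK")
    return "\n".join(lines)

def find_stuffing_sources(log_text, min_accounts=20, min_fail_ratio=0.9):
    """Flag sources that try many distinct accounts and almost always fail.

    Returns {source_ip: sorted accounts that logged in successfully from it},
    i.e. the accounts to lock and force a password reset on.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    accounts = defaultdict(set)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, src, user, result = parts
        attempts[src] += 1
        accounts[src].add(user.lower())
        if result == "OK":
            successes[src].add(user.lower())
        else:
            failures[src] += 1
    flagged = {}
    for src in attempts:
        ratio = failures[src] / attempts[src]
        if len(accounts[src]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[src] = sorted(successes[src])
    return flagged

if __name__ == "__main__":
    for src, hit in find_stuffing_sources(build_sample_log()).items():
        print(f"{src}: credential stuffing suspected; reset and notify: {hit}")
```

Grouping by source address alone misses attempts spread across many addresses, so the same counting is worth repeating per time window across all sources.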