TeamViewer denies hack after PCs hijacked, PayPal accounts drained

TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company's systems mysteriously fell offline. TeamViewer denies it has been hacked. In the past 24 hours, we've seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote …

  1. Destroy All Monsters Silver badge

    Rise of the Machines?

    Unless there is a huge building with what could only be called an "uncalled-for center" able to commandeer a sizeable number of machines, I suspect the Rise of the Machines has finally begun!

    1. hellwig

      Re: Rise of the Machines?

      Well, sorry to disagree, but I'm guessing it is just humans.

      Some criminal enterprises in generally poor countries have warehouses filled with people who do nothing but guess CAPTCHAs, weed through discarded mail, or anything else that's done efficiently by large groups of easily exploitable people.



        1. Anonymous Coward

          Re: Rise of the Machines?

          Sounds pretty bad indeed. If it looks like a breach, smells like a breach, squeals like a breach, then...

          Actually I hadn't heard of TeamViewer until this lunch time. A colleague was telling me how useful they found it for sorting out their relatives' PCs, etc. Hopefully they've escaped unharmed...

          I was quite tempted to give it the once over, see how good it looked. Funnily enough I'm not quite so keen now...

          1. Anonymous Coward

            Re: Rise of the Machines?

            It's quite a useful tool, but I've always uninstalled it between uses. Generally leery of remote anything software.

          2. jonathanb Silver badge

            Re: Rise of the Machines?

            The free version is probably safe. The relative needs to run the software and read out a code over the phone to enable access, and likely won't leave it running all the time.


  2. ma1010

    Bad idea

    And with this sort of thing going on via Internet, pundits think we should hook all our "smart home" systems, including home security systems, up to the "Internet of Things"?

    I think I'll pass, thanks.

    1. PC Paul

      Re: Bad idea

      The Internet of Thugs

      1. SonnyBurnett

        Re: Bad idea

        Like the Mayor of Baltimore says: "Give them room to hack!"

    2. Anonymous Coward

      "I think I'll pass, thanks."

      "how can companies change this lack of knowledge into real know-how?”

      http://forums.theregister.co.uk/forum/1/2016/06/01/brits_dont_want_their_homes_to_be_techtastic/

      Apparently it's due to your lack of knowledge, can you believe that???...

      I disconnected a bunch of Western Digital NAS before really nasty crap started happening (a good thing anyway as they all died within 18 months... Fuck WD)... But with so many downvotes for IoT in every thread... Who's buying this crap? The industry should be on its knees...

      1. chivo243 Silver badge

        Re: "I think I'll pass, thanks."

        @AC

        "Who's buying this crap?"

        Soccer moms, 20 somethings with disposable income, total maximum zoomdweebies and maybe one or two people that know how to secure their gear...

    3. Andrew Moore

      Re: Bad idea

      That's the total reason why I have zero interest in IoT.

      1. Anonymous Coward

        Re: Bad idea

        Unfortunately the IoT has interest in YOU!

        And we are not even in Soviet Britain yet. Getting there slowly, unfortunately.

  3. Mark Eaton-Park

    Well duh

    remote admin accessible via the internet, good plan

    1. razorfishsl

      Re: Well duh

      There is something far more dangerous than "teamviewer" floating about.

      it is called "QQ" yep that Chinese "conferencing app".

      it has the capability to port skip and tunnel through fairly much any security/firewall.

      oh...... and it comes with a "remote control" function, that allows ANYONE to give access to ANY outside users for remote control of their system.

      Think disgruntled EX-employees with FULL access to your corporate systems, external software "support" companies. etc

      1. Anonymous Coward

        Re: Well duh

        Microsoft have something similar, called Skype!!!

      2. Mpeler

        Re: Well duh

        Could be Micro$oft again with their Win 1 0 updates, gone wrong...

        (or who knows what they're after, maybe taking a short-cut and draining folks' bank accounts, as that's what they want anyway - total control).

    2. Just Enough

      Re: Well duh

      Saved your paypal password on your browser? Another good plan!

    3. Pen-y-gors

      Re: Well duh

      Hmmmm....if you actually NEED remote access (and there are many occasions when people do) how would you do it WITHOUT using the internet? Radio? Snail-mail? Telepathy?

      1. Fatman

        Re: Well duh

        "...how would you do it WITHOUT using the internet?"

        Ever heard of dial up????

        1. Anonymous Coward

          Re: Well duh

          I know it's old-school and decidedly not-cloudy but VNC and a bit of firewall know-how goes a long way, far enough that the entry password is stored only on machines that belong to you... what a concept.

  4. Tezfair

    Happened last week

    Client of mine said she had a pop up appear and got in touch so it's been happening for at least the last 6 days.

    1. Cynical Observer

      Re: Happened last week

      Likewise here

      Do my best to keep the parents out of trouble and used Teamviewer heavily for that purpose.

      They reported random activity last week which had them power the machine down double quick and take it to a local PC shop for a once over. No discernible nasties found.

      But with this story, suddenly things make a bit more sense. Just been through 15 minutes of torture trying to take them through uninstalling Teamviewer for now.

      ARSE!

      1. Anonymous Coward

        Re: Happened last week

        Lucky you. My parents would probably go "that's weird, the Microsoft moves by itself" and possibly "there is nothing worth stealing on that machine anyway" (except it is used for banking) before leaving the machine chug along unattended.

        1. cbars Bronze badge

          Re: Happened last week

          Firstly, couldn't you have connected via team viewer and uninstalled it? They could just click the OK buttons once you started the process.

          Secondly, come on! Install an SSH server on their box, or, better, on yours and get their machine to call yours so they don't need an open firewall. Reverse tunnel! Woo!

          1. asdf

            Re: Happened last week

            OpenSSH (and its ilk) isn't exactly free of CVEs either, and enabling X11 forwarding does significantly increase your attack surface. Granted though, that is a whole different league of (much smaller) risk compared to running TeamViewer on a Windows machine logged in as a user with admin privileges.

            1. Anonymous Coward

              Re: Happened last week

              OpenSSH (and its ilk) isn't exactly free of CVEs either ...

              That's surprising. Are you meaning current (eg up to date) OpenSSH, or just talking about people using older versions?

              If you're meaning current OpenSSH, please point out the CVE's applicable to it, as there shouldn't be any:

              https://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97

              1. asdf

                Re: Happened last week

                Yes, referring to the past, including the one big remote hole in the past for the OpenBSD base (plus I noticed a binpatch recently for OpenSSH). Just stating the obvious that any remote solution is going to have some security risk. OpenSSH probably still has some zero days today, just like it has had in the past.

    2. Anonymous Coward

      Re: Happened last week

      A friend got hacked and various purchases were made via Amazon. TeamViewer, Amazon, the bank and the Police all declined to get involved saying it was the friend's fault.


  5. Kernel

    Teamviewer is configurable

    There are two simple ways to combat this problem:

    i) Only run TV when needed for a remote connection.

    ii) Configure TV so that not only do remote connections have to be approved on request, but remote control has to be manually granted as well.

    Admittedly these precautions mean TV can't be set up for unattended use, but any software that allows unattended 24x7 access with remote control is going to be a security threat - when, not if.

    1. Dan 55 Silver badge

      Re: Teamviewer is configurable

      I haven't allowed remote access with a password on any friends' or family's computer either. If I need to remote in, I ask them for their user ID and PIN while I'm talking to them on the phone anyway.

    2. Anonymous Coward

      Re: Teamviewer is configurable

      TV is running effing services in the background even when you don't use it. I got the 'portable' version of this sh*t just to help friends remotely.

      As for my machine? VNC or SSH no way to use that crap TV service.

  6. ecofeco Silver badge

    Sounds like bad config to me

    I've used TeamViewer. A lot. SOP was to lock down the application. Once with password access for remote connection, and second with a different password for config changes to the application itself, and then manual approval by the end user when activated for connection.

    TeamViewer is set to all access and no password required by default although it does ask for this during installation, but it's optional. Sounds like someone figured this out and just trawled IPs.

    1. Richard Boyce

      Re: Sounds like bad config to me

      I suspect the same. You can protect your account with a strong password and two-factor authentication, but that doesn't protect the computers, which can be reached without knowing which account, if any, they belong to.

      Getting through two-factor authentication that's protecting the account requires the private key, unless the criminals have found a weakness in TeamViewer's site that allows the need for that to be bypassed. I would hope that TeamViewer does not keep a copy of that private key.

      Always make sure that no computer can be accessed without a good password, even if your account is compromised. That password should not be known by TeamViewer or anyone else, so should be different to the password protecting the account. Additionally, disallow the use of PINs.

      Finally, there's always a possibility of a vulnerability in the software itself, so keep it up-to-date, and don't have it running without a good reason.

    2. Anonymous Coward

      Re: Sounds like bad config to me

      That's not correct - TeamViewer always enables a password by default, and it's not possible to connect to another computer without a password. And hackers are not trawling IPs - that wouldn't work anyway, as TeamViewer uses a unique ID, not an IP address, to connect. Trawling IPs wouldn't tell a hacker what your TeamViewer ID was.

      The real problem is users who use the same password on their TeamViewer account as on other web services which have had their user data stolen by hackers (eg. Adobe etc). You can use a service like https://haveibeenpwned.com to check if your email address has been stolen from another web site.
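The haveibeenpwned service mentioned above also exposes a password-oriented lookup, the Pwned Passwords range API, which is the more direct test for the "same password on TeamViewer as on a breached site" problem. The following is an added example for this thread, not code from TeamViewer or from the commenter: only the first five hex characters of the password's SHA-1 are sent to the server, the server returns every suffix in that range, and the match is made locally, so the full hash never leaves the machine. The server response used in the demo is constructed so that the example runs offline; `fetch_range_live` is the real network variant and is not called by default.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Added example, not the commenter's or TeamViewer's code. Only the first five
hex characters of the SHA-1 are sent; the server returns all suffixes in that
range and the comparison is done locally. CONSTRUCTED_RANGES is a stand-in for
the server so the demo runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 means not found).

    fetch_range(prefix) -> response body; injected so the lookup can be
    served from the network or from a constructed fixture.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over HTTPS; not used by the offline demo below."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture: the range containing SHA-1("password"), with made-up
# counts, in the CRLF-separated shape the API returns.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:1\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Serve the constructed fixture; unknown prefixes yield an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} seen {breach_count(pw, fetch_range_offline)} times")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the design point is that the function doing the comparison never needs network access or the full hash, which is what makes the check safe to run against a password you still intend to keep.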

      1. Cynic_999

        Re: Sounds like bad config to me

        "The real problem is users who use the same password on their TeamViewer account as on other web services"

        Not sure I see that as a feasible attack vector. How would the attacker be able to marry any of the passwords to the TV I.D.? It's not as if you would use the TV "partner ID" anywhere else, so if someone had found my password because I re-used it on a web site, they would not know what TV host it belonged to.

        1. fajensen

          Re: Sounds like bad config to me

          Not sure I see that as a feasible attack vector. How would the attacker be able to marry any of the passwords to the TV I.D.?

          We know the mail address, now we know some passwords going with that mail address from hacked web sites.

          Try if one of these works on web-mail for the mail address (everyone has web-mail, right?), if it does work then request a TV password reset, grab the new login from mail, set TV profile to what you need, now log in to users computer via TeamViewer?

  7. Jim Willsher

    It's been happening for at least a fortnight - a friend of mine had it happen to him. I know he has a secure password (11 characters, mixed case, symbols) but he noticed in the morning that user X_X_X_X_X_X_X_X_X had connected and transferred files from his computer. I contacted TeamViewer and I received a stock answer about security.

    1. ecofeco Silver badge

      I just read the article updates. This is not good. It will be interesting to see the final analysis.

  8. Anonymous Coward

    So Teamviewer are still at the first stage of denial.

    So much liability for them to dodge, I bet that a crack team of PR consultants are not going to get much sleep tonight, wonder how it'll be spun by the morning.

    It's pretty funny that TeamViewer's PR cannot decide at this stage whether to send people to this link:

    https://www.teamviewer.com/en/company/press/statement-on-the-appearance-of-the-windows-trojan-backdoor-teamviewer-49

    or this one:

    https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers

    Maybe a time out and group hug is in order? Then at least get a story to stick to.

    1. asdf

      still

      If I was a network enterprise admin though, I would probably be looking for outbound connections to TeamViewer's servers and blocking those for now (after of course making sure no one in the C-Suite is using it lol).
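The hunt described above, as an added example that is not part of the original comment and not TeamViewer's own code: parse a connection log, flag destinations under the vendor's domains by whole-label suffix match (so a lookalike such as teamviewer.com.attacker.example is not counted), and summarise which internal hosts are talking to them, minus any that are approved to. The log lines are constructed, and the suffix list and port are assumptions for illustration; take the real hostnames and ports from the vendor's own documentation before turning this into a block rule.

```python
"""Flag outbound connections to TeamViewer infrastructure in a connection log.

Added example for this thread, not code from TeamViewer or from the commenter.
The log lines are constructed; the domain suffixes and port are assumptions
for illustration, to be replaced by the vendor's published list.
"""
import re
from collections import Counter

# Assumed: teamviewer.com is the vendor's domain; dyngate.com is the domain
# the client has historically used for its keep-alive "ping" hosts.
TEAMVIEWER_SUFFIXES = ("teamviewer.com", "dyngate.com")
TEAMVIEWER_PORT = 5938  # assumed client port; it also falls back to 443 and 80

# Constructed sample in a "timestamp src dst:port action" shape.
SAMPLE_LOG = """\
2016-06-02T04:58:01Z 10.0.12.34 master1.teamviewer.com:5938 ALLOW
2016-06-02T04:58:03Z 10.0.12.34 ping3.dyngate.com:443 ALLOW
2016-06-02T05:01:17Z 10.0.7.8 www.theregister.co.uk:443 ALLOW
2016-06-02T05:02:44Z 10.0.7.8 router1.teamviewer.com:80 ALLOW
2016-06-02T05:03:00Z 10.0.5.5 teamviewer.com.attacker.example:443 ALLOW
2016-06-02T05:04:10Z 10.0.9.9 teamviewer.com.:443 ALLOW
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)$")


def is_teamviewer_host(host: str) -> bool:
    """Exact or subdomain match against the suffix list.

    A plain substring test would also flag teamviewer.com.attacker.example,
    so compare whole labels, after lower-casing and dropping a trailing dot.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TEAMVIEWER_SUFFIXES)


def find_teamviewer_connections(log_text: str) -> list:
    """Return one dict per parsed line whose destination is a TeamViewer host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected shape are skipped
        ts, src, host, port, action = m.groups()
        if is_teamviewer_host(host):
            hits.append({"ts": ts, "src": src, "host": host,
                         "port": int(port), "action": action})
    return hits


def sources_to_review(hits, approved_sources=()) -> Counter:
    """Count TeamViewer connections per internal source, leaving out hosts
    that are approved to run it (the C-suite check from the comment)."""
    return Counter(h["src"] for h in hits if h["src"] not in approved_sources)


if __name__ == "__main__":
    found = find_teamviewer_connections(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["host"]}:{h["port"]} ({h["action"]})')
    print(sources_to_review(found, approved_sources={"10.0.12.34"}))
```

Feed it your proxy or firewall export after adjusting `LINE_RE` to the real field order; the per-source count is what tells you whether a block rule would break an approved workflow before you apply it.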

      1. Kernel

        Re: still

        "If I was a network enterprise admin though, I would probably be looking for outbound connections to TeamViewer's servers and blocking those for now...."

        Probably just as well you aren't then - outbound connections to TV's servers are the only sort permitted by our approved enterprise setup.

        1. Bloakey1

          Re: still

          "Probably just as well you aren't then - outbound connections to TV's servers are the only sort permitted by our approved enterprise setup."

          Agreed. Inbound and outbound blocked, Spotify etc.

    2. Destroy All Monsters Silver badge

      "The depicted scenario is a heinous abuse of TeamViewer’s software."

      Well, TeamViewer team says "Regular TeamViewer installations are not affected by this particular scam, and do not represent a security issue." so that statement is about something else.

    3. VinceH

      "wonder how it'll be spun by the morning"

      Not to worry. I expect if and when they do admit to being hacked, it will only have affected a small number of customers.

      And I expect it will have been done in some sophisticated way.

    4. streaky

      It's not as if nobody ever used a DDoS to hide some other attack. In fact it's been the modus operandi for multiple well-known groups in well-documented attacks for some time now. The fact TV don't know this concerns me greatly.

      They might genuinely not know; personally it feels like they need to revoke a lot of creds here. I just revoked all the auth for all the systems I have TV installed on but a lot of people might not be aware of the risk.

      1. Destroy All Monsters Silver badge

        Indeed. It has been the modus operandi since Neuromancer, when the Gang did a good one on Sense/Net...

  9. JLV

    Movie reviews, circa 2021

    """

    The Heist is a passable action movie, with Scarlett Johansson channeling Black Widow and Entrapment's buttock sequence very fetchingly.

    Unfortunately, the movie is none too credible otherwise. Would multiple millionaires have their security systems connected to the internet? And it also beggars belief that TeamLock, the vendor of that alarm system would design a system hackable by default. And then go on public record stating it wasn't their fault even as multiple clients get burglarized.

    So 2016.

    """

    Meanwhile - back in 2016 - if you have to use TeamViewer or the like, is it not a standard feature with that type of software to specifically have to activate/enable it every time before someone can remote in? Like, talk to your correspondent over the phone, activate it and then he/she can get in? After which you deactivate it again. As opposed to installing it with an always-on setting? Would seem like a no-brainer, both on the feature existing and on making use of it.

    1. ecofeco Silver badge

      Re: Movie reviews, circa 2021

      Burning Chrome.

      1. Mpeler

        Re: Movie reviews, circa 2021

        2022, and Elvis is back, FOR REAL!!!

        "Just a hunka-hunka burnin' Chrome, oh yeah"...

        1. Anonymous Coward

          Re: Movie reviews, circa 2021

          "Burning Firefox" just wouldn't have sounded punk enough.

  10. Rusty 1

    I mentioned in a comment on an earlier thread about how difficult it would be with typical domestic connectivity to be exposed to incoming threats, what with NAT and sensible router defaults.

    Now it is clear - I understand that people are installing waldos on their PCs left, right, and centre, and *trusting a third party* with authentication and access, to provide incoming access over established outbound connections to that third party, bypassing all natural security. And being surprised by the outcome. Oh ghod.

    There is always a weakest link. Doesn't matter who owns it, it's there. The more links, the more likely one is weaker than you might expect or like.

    1. Anonymous Coward

      Yep they might put lipstick on the p̶i̶g̶ rat, but it's still what it is.

  11. Doctor Syntax Silver badge

    Just say no.

    1. "Do you want $Browser to remember this password".

    2. Webmail?

    3. Cloud? You mean someone else's computer, completely out of your control?

    1. Sir Runcible Spoon

      Re: Just say no.

      re:#3 - I've given up trying to explain to people that 'The Cloud' is just a server someone else owns with no accountability to you.

      Now I just tell them that if they put something in the cloud, it's the same as leaving it outside somewhere, hoping no-one happens along and decides to pick it up.

      If what they are storing has the same value as litter - then they should be good, otherwise please don't.

  12. Anonymous Coward

    But... TeamViewer doesn't *require* an account, does it?

    I use TeamViewer to support a small group of friends, neighbours, and remote sites.

    The group is sufficiently small that I don't need any of the "value added" features of a TeamViewer account, so I don't have a TeamViewer account. The more accounts I don't have, the safer I am (!).

    Am I the only person using it this way?

    Am I safe from this alleged exploit?

    Or is the alleged exploit elsewhere in the TeamViewer implementation, and the scattering of the words "TeamViewer account" is an unhelpful (and downright misleading) distraction?

    Your curious servant,

    TV21

    1. streaky

      Re: But... TeamViewer doesn't *require* an account, does it?

      You'd have to start by assuming the account-less auth is the one that's safe. There's no evidence either way honestly. People with account-based access still have their machines set up so they can be accessed by pin; it's entirely possible if there is an issue that this could be the real problem. Actually I'd personally wager this is the more likely threat given the alleged involvement of 2FA.

    2. Neil Barnes Silver badge

      Re: But... TeamViewer doesn't *require* an account, does it?

      I had the same kind of query: my parents have a teamviewer executable on their windows boxes which is fired up only when they are (by phone) talking to me, theoretically. Neither of us have a TV account, so every time it's used it's necessary for them to tell me the pass number.

      I'm assuming that when TV is closed, it's leaving nothing behind running?

      1. Alumoi Silver badge

        Re: But... TeamViewer doesn't *require* an account, does it?

        @Neil Barnes

        Yeap, nothing left behind except a service which is set to always run.

        No siree, nothing left behind.

        1. Adam JC

          Re: But... TeamViewer doesn't *require* an account, does it?

          That's 100% incorrect. If you use the one-shot 'QuickSupport' module, it's a self-contained EXE with no services installed. In fact the QuickSupport module doesn't even have the capability to be installed as a permanent service.

          1. Known Hero

            Re: But... TeamViewer doesn't *require* an account, does it?

            Or just use "run only". If you install it, don't be surprised if there are services installed and run on startup.

            If you're going to bash people for running unnecessary crap, you could find much, much worse than TeamViewer.

            1. Anonymous Coward

              Re: But... TeamViewer doesn't *require* an account, does it?

              Q: Why use TeamViewer when MS offer a perfectly good "remote assistance" feature in Windows?

              Also, try radmin by famatech. One of the better remote access clients.

              Serious Q: What's so appealing about TeamViewer???

              1. Anonymous Coward

                Re: But... TeamViewer doesn't *require* an account, does it?

                Not a professional, but...

                Most of the RDP/VNC variants don't work well between NATed environments. Not for free anyway. Or didn't last time I checked (a couple of years ago). No amount of fighting with port forwarding makes it any easier.

                There are/were a handful of third party offerings which provide an external service (probably should call it a cloud service this week) allowing *both* PCs in the picture to make outgoing connections and thus not having to fight against NAT, static IPs, etc. TeamViewer was the best fit I found when I was last looking for such a beast. Zero cost was a requirement at that time.

                For on-LAN use I'm quite happy with the VNC of the week.

                That's my excuse (I'm a home user with a handful of non-clued-up folks to support).

                I don't know what the excuse is from the professionals who are not troubled by trivia like NAT, dynamic IPs, etc.

  13. Anonymous Coward

    Teamviewer uninstalled

    Problem solved.

    1. Anonymous Coward

      Re: Teamviewer uninstalled

      might want to check your CC statements as well though.

  14. razorfishsl

    Their article claiming it is the users is clearly very carefully worded.

    Teamviewer identifies & locates machines behind firewalls using DNS to their central servers.

    If you can repoint the DNS you can repoint the clients, their statement says nothing about the "infrastructure" being secure, only "teamviewer"

    You only have to stay in a Chinese hotel to see them injecting & redirecting URLs.

    1. Anonymous Coward

      >You only have to stay in a Chinese hotel

      to realize your job sucks.

      1. Anonymous Coward

        I can only assume this is a play on the fact that - in many Chinese business hotels - the management turn a blind eye to ladies of ill repute slipping their cards under your door 10 minutes after you first check in.

        Next time, stay at a "Home Inn", they are very similar to an Ibis or Premier Inn, and I have never had the "Business Card" slipped under my door whilst staying at one.

      2. Anonymous Coward

        Nah - Chinese wimmen like elderly men with beard ... or maybe Chinese agents are paid to like et.cetera. Both works for me.

  15. Ebec

    Keep getting odd emails from service@teamviewer.com

    For some reason I keep getting odd emails from service@teamviewer.com requesting to be added to:

    "[filling a name here] would like to add you as a contact in his/her TeamViewer contacts list."

    I've been using TeamViewer for a few years now but this has only started within the last few months.

    To be fair I just delete them, as I've never asked them to contact me or add me to anyone that works for them.

    I think maybe I should give them a call about it, as I've never asked them to contact me via email unless I've called in with a problem.

    (unless anyone else that uses TeamViewer knows if they are OK or not)

    1. Usamah

      Re: Keep getting odd emails from service@teamviewer.com

      I've had quite a few of these email requests asking to be added as a Teamviewer friend, all of which were immediately deleted. If only Teamviewer users received such requests, this would raise further concerns about their security. On the other hand, if these emails are going to anyone regardless of whether they are signed up to Teamviewer, then it's just phishing.

  16. steamnut

    Amazing coincidence

    I just checked the TeamViewer website and there is a really strong denial on the home page and the company suggests that users should be careful with their passwords etc etc.

    They must be using Tony Blair's PR company, as the coincidence and timing of the attacks is just too great to bat back to its users.

    TeamViewer now removed from all of my systems.....

  17. Anonymous Coward

    I feel like I want to be a hermit. I don't want to access the Internet any more. It seems the few nasties that exist around the world are the ones that are going to destroy things for others. I feel so sad for the future.

  18. Anonymous Coward

    How do they know their users are using passwords compromised on other sites unless they've got their own database unsalted and have done a text comparison against a list of breached passwords?

    Saying that, it is a very German thing to assume it's just "idiot" users.

    1. Mpeler

      "A very German thing"

      TeamViewer was bought a while back by a British (locust) investment company. So it's not a German company calling the shots anymore, as it were... (though I suspect they may be drinking the shots right now).

  19. DrM

    S.O.P.

    Admit nothing. Deny everything. Make counter-accusations.

    1. Doctor Syntax Silver badge

      Re: S.O.P.

      "Admit nothing. Deny everything. Make counter-accusations."

      Which ought to result in punitive damages.

  20. Anonymous Coward

    pardon my ignorance but..

    I genuinely don't see the usage case for having a PC turned on at 5am and connected to the internet when I'm at home, unless it were something like letting Steam download a large game overnight, perhaps. Why do people leave their PCs on and connected to the net when they're not actually using them? I turn mine off.

    What am I missing? ( aside from the tail end of the last century and the first chunk of this'un, I mean :-} )

    1. Adam JC

      Re: pardon my ignorance but..

      TeamViewer's target market isn't people like you at home; it's marketed at business users and scores of enterprise PCs to allow easy remote management whether the user is there or not. Think call centre PCs that operate 24/7/365 that may require remote access at any point, etc :o)

    2. Known Hero

      Re: pardon my ignorance but..

      @Esme,

      Well cheers for clearing that up, it doesn't suit your needs so we may as well get rid of it all.

      Personally I find it quite useful to be able to remote into my dedicated server wherever I am (although my wife disagreed with that on her 30th) and fix issues from my mobile phone (I run multiple services), or for that matter any of my family who without fail call me multiple times during the week for support, it's simple to just log into my account and double click on their name, there is a use for this software & I am hoping to god it has only affected people with accounts rather than just installed copies of TV running in unattended mode.

      1. Anonymous Coward

        Re: pardon my ignorance but..

        @ Adam JC and Known Hero - I KNOW who Teamviewers main target audience is, thanks, very - we use it where I work (I have to use it to look at user desktops on an almost daily basis). And I've used VNC at home in the past. But in these very pages some have reported having fallen victim to the reported problem under circumstances that puzzled me. So I politely asked for enlightenment as to how that came to be. Giving a snarky answer to such a question is as stupid as it is impolite. Although granted, you HAVE then gone on to actually answer my question somewhat, KH, so thanks for that but (raspberry) for being a boor.

        And - bearing in mind I did indirectly allude to my innocence of such things, and I'm saying so explicitly now - running what 'services' on your server? I genuinely do not know what sort of things one would have a home server accessible from the internet for, and I'm curious. Yes, I have simply stuck to that tech I either needed/wanted myself or needed to understand for the various jobs I've had, and not much else. No, I've never needed to know anything about servers other than that they're what web pages and databases live on. :-} The only time I've gone out of my comfort zone with IT post the Amiga's heyday was back when Windows 98SE pee'd me off so badly I looked for an alternative and found Linux, which I've used since.

        I very much hope you're not affected by the issues with TV, too!

        1. Known Hero

          Re: pardon my ignorance but..

          And the best of all this we've all kept this civil and avoided the downvote button. There is hope for humanity yet :)

          I keep getting tempted by the Unix route, just haven't quite made it yet. Last time I used *nix was in 1999.

          I know most people will scorn what I use a dedicated server for but here goes: Teamspeak, Minecraft, Factorio, FTP & HTTP (private only), VPN'ish(if I can get the bloody thing to work damn you W10), fileshare & backups.

          The only reason i went Windows, was due to TS not having a server available for Nix, although that has now changed.... I'm now comfortable :/

          Although I think I misread your initial statement as well, I think you were referring to my cousin who leaves his computer on 24/7. I think much of it comes down to not having to pay for electricity, and that's about it.

          I guess it's also why Americans leave TVs on even when they're not at home; it was a comfort thing. (Source: a story I read regarding the rolling blackouts they had a decade or so ago. Can't find the link.)

          1. Anonymous Coward
            Anonymous Coward

            Re: pardon my ignorance but..

            @Known Hero Ah! I completely forgot about game servers, which was daft of me, as one of my friends has an MC one too. Teamspeak - understood (though I don't play any games that need VOIP). Fileshare and backups? Hmmn.. OK, that's me being behind the curve, then, never occurred to me, my backups are on removable media with copies at a friend's house :-}

            Raspberry retracted, and thank you!

        2. Mpeler
          Black Helicopters

          Re: pardon my ignorance but..

          Have to wonder if it's only Windoze PCs that are affected, or is TeamViewer only available on that platform?

          (tinfoil hat)

          Having said that, folks are looking at China and Russia as the likely perps. With the EM coming up, and a certain group making certain noises, having burgeoning skills in the malware department, and looking for alternative sources of financing, I'd look a bit southwest of those two countries...

          (/tinfoil hat)

          1. WolfFan Silver badge

            Re: pardon my ignorance but..

            Have to wonder if it's only Windoze PCs that are affected,

            no.

            or is TeamViewer only available on that platform?

            no.

            Having said that, folks are looking at China and Russia as the likely perps. With the EM coming up, and a certain group making certain noises, having burgeoning skills in the malware department, and looking for alternative sources of financing, I'd look a bit southwest of those two countries...

            I'm sure that Australians wouldn't do anything of the sort, they're far too busy dodging assorted venomous and/or fanged creatures. New Zealanders, now...

            Oh. Wait. Southwest, not southeast. I didn't think that the Greeks had the skills.

    3. Mpeler
      Pint

      Re: pardon my ignorance but..

      What am I missing? ( aside from the tail end of the last century and the first chunk of this'un, I mean :-} )
      Must've been a good night out, eh? Beer O'Clocked :)

      Have another...

  21. Adam JC

    Genuinely Concerning

    After scanning /r/TeamViewer last night it became clear that this wasn't just a simple case of the LinkedIn breach credentials being reused (Although several posts DID admit to being affected by the LinkedIn breach AND reusing credentials).

    The posts that terrified the living daylights out of me were the ones where people used platforms like LastPass and KeePass/1Password to generate a unique, secure ID for their Teamviewer account.

    Not only this, but they'd disabled the auto-generated password that TeamViewer comes configured with in its 'vanilla' state AND 2FA was *ENABLED*.

    This.. this suggests there is much more to this story than reusing credentials from a breach. We have a very locked down TeamViewer deployment that we use en masse for all clients (over 500 unattended installs) and use ID whitelisting to allow only 3 authorised/licensed TV clients from our office to be able to connect to anyone, yet still noticed several logins on a few machines. For now, we've revoked automatic unattended access and it now requires approval by the end-user (servers are obviously RDP anyway). My only thought is either 1) DNS has been hijacked somewhere (although I checked the NS IPs before/after/during the outage and didn't spot any records having been changed) or 2) the Teamviewer account database has been compromised and they've retrieved the records (or have recently). Our password is a 16-char auto-generated LastPass one and even has a unique e-mail address created solely for the purpose, so there's zero chance of this being leaked from another site! (Admittedly, it's not been changed for about a year or so, but it's unique.)

    Interested to see how this pans out, as we spend a LOT of money with Teamviewer. I do sincerely hope it's not something serious and is just a coincidence, however the number of posts on /r/teamviewer isn't exactly instilling faith in me right now...

    1. Anonymous Coward
      Anonymous Coward

      Re: Genuinely Concerning

      2FA is based on a credential; if you breach the password, you'll have breached the serverside 2FA token secret too.

      2FA does not do what you think it does - it's 30-year-old rubbish that was never designed to work on real-time networks

      1. Anonymous Coward
        Anonymous Coward

        Re: Genuinely Concerning

        2FA does not do what you think it does - it's 30-year-old rubbish that was never designed to work on real-time networks

        Explain!

      2. Adam JC

        Re: Genuinely Concerning

        I'd prefer OTP or proper 2FA like my LastPass account uses.

  22. Adam JC

    I also note that this morning, Teamviewer's website has a CAPTCHA on the account login page. I'm pretty sure this wasn't there yesterday... anyone care to confirm?

    1. Anonymous Coward
      Anonymous Coward

      ... puts hand up ...

      I remember the first time I saw it around two months ago give or take. Probably been there longer though as I don't normally visit the URL, that was just the first time I saw it.

  23. naive

    No surprise, it had to happen one day

    This should be no surprise. The product is closed source, so no code reviews. When installed it starts a background process, TeamViewer 11 (32 bit). Better change the startup type to manual, and start it when needed.

    Apart from this, TeamViewer uses servers to manage the traffic. Plenty of attack surface for anyone creative.

    The world should really move on to OpenSource for this kind of stuff, in the end many eyes see more.

    1. Anonymous Coward
      Anonymous Coward

      @naive

      I agree about the open source comment (see my comment further below) but your argumentation is flawed nonetheless:

      "The world should really move on to OpenSource for this kind of stuff, in the end many eyes see more."

      Actually they don't, not per definition. Think about the Debian OpenSSL disaster; the package maintainer had altered the source code. Not just that; he had altered the very engine of OpenSSL itself. Yet it took the Debian community approx. 3 years before the problem was discovered and fixed. Causing a major uproar because all keys and certificates which were created with this OpenSSL version were vulnerable.

      Never underestimate how easy it is to overlook the obvious.

      Still, I do agree with you but for different reasons. Open source usually has no commercial interests attached to their products. If they screw up then that's that: they screwed up and will admit to that. An example can be seen above. Yet you never know with companies such as these. Because they also got a reputation to keep in mind and will also want to secure their revenue. Trust me: their revenue has a much higher priority than doing the right thing in admitting that they've been breached.

    2. Mpeler
      FAIL

      Re: No surprise, it had to happen one day

      The product is closed source, so no code reviews.

      What an idiotic, bigoted comment. I've worked at a number of the largest computer companies in the world, writing database, OS, and compiler code, and the code reviews would make you blanch. If you could even get through the interview process to get in in the first place.

      Assuming open source is intrinsically better is just as foolish as assuming "the nanny state" is always (or even) on our side.

  24. Anonymous Coward
    Anonymous Coward

    Uninstalled last month - TV crashing outlook guess I'm safe

    Outlook was randomly crashing... after a long session of elimination TV was the problem. Uninstalled the junk and saved me from this gaffe.

    TV's response: it is a known issue but they failed to let anyone know. They hope I'll remove the plugin and reinstall.

    Well now.... never!

    1. Adam JC

      Re: Uninstalled last month - TV crashing outlook guess I'm safe

      Well known issue with the Outlook teamviewer meeting add-in. I've always removed this anyway as it's not for my target clientele :-)

  25. jonharrell

    Uninstalled last month - TV crashing outlook guess I'm safe

    Outlook was randomly crashing... after a long session of elimination TV was the problem. Uninstalled the junk and saved me from this gaffe.

    TV's response: it is a known issue but they failed to let anyone know. They hope I'll remove the plugin and reinstall.

    Well now.... never!

    1. Anonymous Coward
      Anonymous Coward

      Re: Uninstalled last month - TV crashing outlook guess I'm safe

      "They hope I'll [remove the plugin and] reinstall."

      Isn't that just standard corporate IT helpdesk response number 2 (after "have you tried switching it off and on again?")?

      I have a vague recollection of the days when commercially provided software used to actually mostly work. Even the free stuff from the vendor usergroups. And the idea of a vendor suggesting re-installing to actually fix a problem (rather than to simply fob off the end user in the hope they'll go away) would have been laughable. But we've had two decades or more of "progress" since then.

  26. imanidiot Silver badge

    This is why

    You don't keep banking and payment sites logged in or store the password on the machine.

    1. Adam JC

      Re: This is why

      I do store them, but I use LastPass and in conjunction with TPM/fingerprint my Vault logs out after 5 minutes of inactivity. If I'm away for 5 minutes, there's no way they're getting into my vault unless they have my master password, fingerprint and/or they can bypass TPM.

  27. clanger9
    FAIL

    It's not the accounts that got hacked, it's the client

    The TeamViewer service accounts seem to be OK: 2FA, no evidence of a hack anywhere.

    What seems to be happening is that miscreants have found a way to connect to TeamViewer clients, somehow bypassing the authentication. This happened to a guy at work last week: TeamViewer account fully secure, unique password, 2FA, etc. While using his laptop, someone connected via TeamViewer and started clicking around. Fortunately, it wasn't a serious hack attempt, seemed more like a skiddie.

    TeamViewer now uninstalled everywhere here until we find out more. The software client is broken somehow.

    Pure speculation on my part, but that's my take on it.

    1. Paul Woodhouse

      Re: It's not the accounts that got hacked, it's the client

      This is puzzling me a bit as well; it seems many, many, many people have been hit by this... and a lot of the reports do seem to be as if they were getting hit by skiddies/justmessing/havinalark. The ways and means of how to do it should be plastered all over the onion network at least....

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not the accounts that got hacked, it's the client

        But that would mean the Internet can connect to the TeamViewer process on the local machine?

        Is the packetfilter unconfigured?

        1. clanger9

          Re: It's not the accounts that got hacked, it's the client

          Maybe, maybe not. My guess is that it's not unrelated to recent attacks on their DNS. Something possibly involving hijacking responses/chatter between the client and the TeamViewer account servers.

          Without knowing how TeamViewer authentication works, it's hard to be sure...

  28. thondwe

    Hmm - is there something else going on?

    So a brief trawl of Twitter searching for Teamviewer revealed a surprising number of lovely ladies advertising #teamviewer sessions. Am guessing they take PayPal payments too? Do gamers or others do something similar for some reason???

    Is the hacker "backdoor" via this route??

    Just a thought...

  29. Wayland

    Man in the Middle attack

    Hit the DNS servers and provide your own IP. Then sniff the logins as you forward the requests to TeamViewer servers. Or maybe even run your own TV server. In which case TeamViewers servers are not hacked.

  30. JJKing

    How do you say, "Liar, liar, pants are on fire" in German?

    1. Destroy All Monsters Silver badge

      "Du hasst mich gefragt und ich hab nichts gesagt!"

  31. Anonymous Coward
    Anonymous Coward

    This is why I prefer open source (VNC)

    No, I'm not your average fanboy who is now going to whine (without bread) how perfect the whole thing is.

    The culprit is commercial interests. Of course TV wouldn't admit if they've been hacked; it would be bad publicity which could cost them money. So... And this isn't something reserved for TV, it's the same with most commercial software (companies) out there. As such: when it comes to issues like these I'll take OSS any time.

    I have to be honest: I'm biased because I dislike the TV usage policy. It's free for non-commercial use but companies have to pay dearly. So what happens? Customers could more or less "force" you into using TV because that's what they like, some may even not understand why you refuse because they overlook the fact that TV is not free.

    And there's more. VNC doesn't depend on anything but the user's own knowledge. I don't need a remote (3rd party) server which needs to have access. Granted: using VNC can be more difficult because you'll need IP addresses and such, but there is a way to overcome all that: the listening viewer.

    My customers have VNC server installed (not active all the time) and it's even shielded by their firewall. When I need to connect to them I ask them to "attach listening viewer", iow: connect their server to my client. Sure, it's harder to set up (I needed to add DNS names and such) but also more secure.

  32. spegru

    I could be wrong but

    It's striking me that even if TV has been hacked, then if you always leave your PC locked (as it does in Windows or Mint if you leave it alone for say 10 mins) then a hacker still has to get past that password (if you have one)

    Or is that very naive?

    1. clanger9

      Re: I could be wrong but

      Probably naive.

      I understand TeamViewer has the ability to start (privileged?) executables remotely. A number of the posts on Reddit report the upload and running of "webbrowserpassview.exe" (for example) that dumps saved passwords from Chrome.

      You can still do harm with TeamViewer without gaining control of the desktop...

      1. spegru

        Re: I could be wrong but

        No sign of any of that on TV11 and anyway it wasn't installed with root privilege on the Mint machine.

        Not 100% sure on the Win7 machine.....

        Anyway basically if this hack really has happened it might be equivalent to leaving a PC open in a coffee shop - except that there is no actual physical access

  33. psychonaut

    secure teamviewer

    Enable 2FA on the web login.

    Then create a policy in TeamViewer. Add "whitelist/blacklist", then add your machine as the only one in the whitelist. Apply the policy to all PCs in your account.

    This denies access to anyone except your machine that you remote IN from.

    Might not help if there's a man in the middle though... I don't know enough about that, but that's what I've done today.

    You definitely can't do this in v9 but in v11 you can. Don't know about v10.

    1. psychonaut

      Re: secure teamviewer

      Thumb down... care to explain?

      1. Steven Raith

        Re: secure teamviewer

        There have been reports of people with whitelisting and 2FA having issues as well; I think the current working/speculative theory is not that the authentication methods have been cracked etc, but that they are being wholesale bypassed.

        If you can bypass the requirement for 2FA/whitelist etc, then having those set up won't help.

        Unless anyone else has any brighter ideas?

        I've not used TV for a good few years, and never used it at home, so I've got no dog in this fight, as it were, but I'm all ears for theories, arf.

        Steven R

        1. psychonaut

          Re: secure teamviewer

          It's all speculation at the moment. I think maybe the 2FA accounts being hijacked is not true, but who knows.

          TV rate limits guessing the password within about 5 attempts if you try to, say, randomly connect to a random TV ID. So I don't think it's a brute force.

          If their DNS was compromised then all bets are off I suppose, but no one knows. It seems unlikely. But what do I know about that...

          If they can circumvent the security in the TV client then also all bets are off.

          I'm not trying to defend what's going on, just want to know the truth.

          But if you haven't secured it like I said, then what I said can only help.... unless you just uninstall. But then you would just uninstall.

  34. SteveG

    New Contact Request

    Been getting quite a few emails lately from (apparently) service@teamviewer.com where someone I've never heard of wants to add me as a new contact. I suspect this has probably got something to do with all this.

  35. Cynic_999

    I still use TV

    I find it very useful for a number of reasons and it runs 24/7 on an unattended PC at home. But it's a PC that has no sensitive information, and I have also set the PC to log off after an inactivity timeout of a couple of minutes, so if a rogue user gained remote access they would just get the login screen and would have to know the PC login password before they could do anything.

  36. Anonymous Coward
    Anonymous Coward

    It would greatly help...

    ...to read more about the state the vulnerable/affected machines were in.

    -- Already running a TV session? (probably not)

    -- Client process always running to be ready to accept remote connection at any time?

    -- Client machine remotely rebooted via TV?

    and so on.

    TV sessions as I know them require exchange (via separate channel, e.g. phone) first of a long ID number and then of a "password" (four digits) generated ad hoc by TV. Is that what is referred to as the two-factor authentication?

    And where do TV accounts come into it? I never need to log in explicitly to any account to establish a connection.

    Questions, questions....

  37. TechJohn

    Nope, Teamviewer is the tool, not the source

    Sorry folks, but people are confusing things and being really quick to point the finger...

    a Windows Trojan disguised as an Adobe Flash update that's doing the rounds using TeamViewer to backdoor machines.

    That's the point of entry, not TeamViewer. These people have been infected with a trojan. Teamviewer is a prolific tool, and once a computer is infected then they simply acquire the ID and PASSWORD from the local software... AND AWAAAAY WE GO!

    Again, to repeat, you people have been infected with a trojan, it's not teamviewer at fault here!

    1. Phil Koenig

      Re: Nope, Teamviewer is the tool, not the source

      I'm inclined to agree with this.

      TeamViewer is a VERY widely used app, there are all sorts of ways it could be falsely implicated, including this KNOWN issue where some miscreants are bundling it with a trojan and then using it to further exploit the already-trojaned system.

      http://www.teamviewer.com/en/company/press/statement-on-the-appearance-of-the-windows-trojan-backdoor-teamviewer-49/

      TeamViewer has done the world a great service by allowing millions of people to use this excellent product for free for years now. But as with any widely-used free product that does things online, miscreants often exploit those tools for their own sleazy purposes.

      SMDH that some people here immediately assume that TV is at fault with no actual specific evidence, and then talk about the "superiority" of tools like VNC which, for many years, had the worst security in the world. (eg, NO encryption whatsoever unless you created your own encryption tunnel to pass its traffic through, and most people never bothered)

      Data breaches have become so ridiculously common lately that the likelihood of someone NOT having had their data compromised in one of them is getting smaller and smaller. The entire voting population of Mexico was one such recent example.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nope, Teamviewer is the tool, not the source

        "The entire voting population of Mexico".

        Yes. And they all voted for Obama...

        1. Anonymous Coward
          Anonymous Coward

          Re: Nope, Teamviewer is the tool, not the source

          Does if the voting machines run TeamViewer! That's what it takes to get Hillary elected anyway.

    2. Phil Koenig

      Re: Nope, Teamviewer is the tool, not the source

      I just read about what the "teamviewer trojan" is - seems that they were not just bundling Teamviewer with the malware, they seem to have exploited its functionality in a certain way to facilitate their hack:

      http://vms.drweb-av.de/virus/?_is=1&i=8161714

      Including hiding any obvious presence of Teamviewer on PCs so compromised machines are less obvious.

      Perhaps it's time for Teamviewer to add countermeasures to their code to make it harder to hijack it in this way.

      1. spegru

        Re: Nope, Teamviewer is the tool, not the source

        so what we are now hearing is that teamviewer can be used by this exploit - even if you don't have teamviewer installed!

        Argh we're all going to die! - or something....

    3. JZMatrix

      Re: Nope, Teamviewer is the tool, not the source

      I was one of the 'lucky' folks to wake up Friday (05/27) only to find my inbox filled with various online orders placed mere hours before, in fact they were logging out of my computer moments before I walked in to my home office. No trojans were installed on my machines, it appears as though they either had the legit credentials for my TV account, or acquired them through whatever means (I hate to imply inside job, but..., especially with people stating 2FA configured but still breached). That particular night was a one off where my workstation wasn't locked for the evening, which was my downfall.

      The 'hackers' used 2 China-based IPs to connect (based on TV's logs), though I have suspicions those are proxy addresses and may have been US based, or affiliated with people physically in the US as well.

      Reviewing the tracks they took, they were very direct and went right for what they wanted. eBay (using their own account, it seems), PayPal (sent themselves money from both of mine to a qq.com email address), Amazon (to order non-tangible/non-traceable items), same with Target and Walmart. Once they finished their rounds, they logged off, probably either reviewing their take, or trying the next system(s) on their list.

      My systems are behind a separate firewall, so they didn't directly access the machine and went in through the TV system itself. Once they were in the account they tried each machine on my account until they found unlocked systems (there were 2 this evening) and went through roughly the same play book on both.

    4. clanger9

      Re: Nope, Teamviewer is the tool, not the source

      "a Windows Trojan disguised as an Adobe Flash update that's doing the rounds using TeamViewer to backdoor machines."

      Hmm, you got any evidence for that? While you can never be 100% sure when people claim not to have installed a rogue Flash update, the fact that one of the first actions for some of the TV attacks is to dump the Chrome password list suggests (to me) that they don't already have the user's passwords.

      Why would they dump the password list via TeamViewer (not the most subtle approach) if the machine is already compromised by a Flash trojan?

    5. Paul Woodhouse

      Re: Nope, Teamviewer is the tool, not the source

      I've seen reports of linux machines getting attacked straight after a windows one, that kinda rules out a trojan...

  38. Aniya
    Mushroom

    TeamViewer really are the black blood of the earth.

    https://www.reddit.com/r/technology/comments/4m7ay6/teamviewer_has_been_hacked_they_are_denying/

    https://www.reddit.com/r/teamviewer/comments/4m7j4a/i_covered_one_of_the_teamviewer_news_articles_i/

  39. MtK
    Pirate

    Teamviewer does tend to stop your screen locking after X minutes of activity. We've found this at work when enforcing screen locking via group policy.

    Also, peeps haven't noted that some instances of Teamviewer Quick Support have a default insecure password. This is when the user just sees 4 stars/dots instead of a random password.

  40. Nifty Silver badge

    TV Connection Report not free = A designed-in vulnerability

    If TV were interested in collecting more evidence, they'd make the Connection Report free instead of a paid option. A very large user base is unable to check IF there have been access attempts using their accounts.

    Based on JZMatrix's solid report above, looks like one should disable TV until proper hardening is known about.

    1. Anonymous Coward
      Anonymous Coward

      Re: TV Connection Report not free = A designed-in vulnerability

      It's all about Trust.

      Again.

  41. A Motivated Mama

    I'm leaving this message everywhere I can.. I was taken for 3k in my PayPal account.

    Hey guys! Just got off with my tech guy who removed TeamViewer from my system. The people that have gotten on to your computer have not only taken your money-- they've also installed malware that does all the work for them. My tech guy ALSO looked through the files of who was on my computer-- yes.. someone came in THROUGH TEAMVIEWER and did all of this. There were 2 different entries of people I had never heard of.

    All of your emails will now be in your trash and they are forwarding them to a dummy account so that you don't see any of the activity going on as they drain you dry.

    Also!! PayPal WILL return your money so long as you provide an invoice from a professional service that you wiped TeamViewer clean from your computer. That is the only way they will return it to you.

    SHAME ON THEM for lying to all of these people who lost their hard earned money!! Take responsibility for your actions instead of pretending you can sweep this under the rug!!

    1. Anonymous Coward
      Anonymous Coward

      Let me translate this: My understanding of computers goes as far as being able to open mail attachments and download stuff from who-knows-where, but I'm absolutely certain what went wrong is Teamviewer's fault. Now I go and spread crap wherever I can because I know I'm right.

  42. Anonymous Coward
    Anonymous Coward

    Got Hacked?

    If you have been breached, make sure to remember to turn your internet off when you go to bed. Do not allow the breachers to connect to your device while you're asleep.

    If you see a hack in progress, immediately disconnect your internet from your device, stop them in their tracks.

    Remember, they connect through internet, so disconnecting yourself, gives you time to uninstall, before they attempt their next move.

    1. Nifty Silver badge

      Re: Got Hacked?

      Okey dokey. Just uninstalled my Internet. Job's a good 'un.

  43. clanger9
    WTF?

    Possible attack vector?

    Just joining together a few threads:

    - Apparently you can connect to TeamViewer clients by IP address. It's not restricted to the registered account (by default)

    - Apparently TeamViewer sets a less-than-random 4-digit one-time use password for remote access (by default)

    I did not know either of these things. It seems you have to go into the settings to remove the OTUP if you don't want it and enable whitelisting to prevent connections by IP address.

    So, if you can somehow get a list of IPs using TeamViewer (using a DNS DDOS, perchance?) and you've semi-cracked the "random" OTUP generator, then you're in.

    Does this sound feasible? I'm unconvinced that this is a simple password re-use problem, despite what TeamViewer are claiming.

    1. psychonaut

      Re: Possible attack vector?

      It depends. I have a business account, and the module I made for my customers to download has the random password set to be 10 digits I think, plus a bunch of other stuff..

      I've never thought of trying to connect via IP address.... I don't know how you would do this and I'm not sure if it's true. I guess it has to use a port, but it works without any kind of firewall config, so how could that be doable if you are behind a firewall with NAT (which everyone is these days)?

      I think you might mean via the TeamViewer ID.

      You can certainly connect to ANY TeamViewer client via the TeamViewer ID and either the random password or a preset "personal" password. There has also been a new kind of access called "grant easy access" in my upgrade to TV11. I asked TV about this previously, and it seemed that you can connect without using either personal password or random password. I haven't enabled it because I didn't like the sound of it.

      You can prevent anyone else or specific TeamViewer IDs from connecting to your TeamViewer ID (if you have a TV account) by use of a white/blacklist of TeamViewer IDs or account email addresses.

      My customers have it set so that only my TeamViewer ID can remote their machines; if you try from another TV ID it refuses. (I have tested this.)

      However, if someone has managed to spoof the DNS of the TV servers (I'm kinda making this up now as you can tell, but.... big DDoS, take their DNS offline, pop up your own server advertising itself as TeamViewer, TV clients connect to this server instead of the real one) then who knows what could happen. Someone more qualified than me should answer this.

      I know one thing: I have a link to my module hosted on TV's site so that customers can download it. It was unavailable (404 error) on Wed/Thu. This could simply be because they were being DDoS'd and the 2 customers who tried to download it couldn't get through, but it might also be because it didn't exist on the nefarious server.

      Thoughts?

      1. clanger9

        Re: Possible attack vector?

        I had a quick check with a clean install of the TeamViewer client. There is no need to set up a TeamViewer account. First of all, it asks if you want to set an "unattended access" password. Hmm: I wonder if some people set this on first install with a memorable (possibly re-used) password and then forgot about it? This is clearly a different password to the TeamViewer account password (which is what you use to log in to the service if you set up an account; it has 2FA etc).

        Next screen implies remote control is now possible with a 9-digit ID (presumably set by the TeamViewer servers) and a 4-digit PIN (presumably randomly set by the client). A quick look with Wireshark shows it opens an SSL connection to integratedchat.teamviewer.com every 5 minutes - presumably to announce its presence to the TeamViewer servers. It defaults to allowing "Full Access".

        Nothing looks obviously insecure, but that "set unattended access password on install" combined with "default allow full access with 4 digit PIN" suggests that there are a couple of ways a default installation might be compromised.

        I agree with psychonaut that you seem to need the 9-digit ID to connect (rather than just an IP address as I said earlier). Perhaps someone found a way to get that ID from the TeamViewer servers? Or maybe you can just try random IDs with a brute-force on the PIN until you get lucky?

        1. psychonaut

          Re: Possible attack vector?

          But getting the ID for a TeamViewer client wouldn't give you any other info if you don't have an account, it would just be a number.

          They obviously must have some DDNS going on that relates TV ID with the client's IP address, which updates periodically.

          Let's say you crack that, and know TV ID and IP address. But if you got the IP address of a machine, it wouldn't tell you what email address that IP address was associated with (and even less so because nearly all consumer broadband is on WAN DHCP anyway), so a previously leaked set of credentials from LinkedIn wouldn't help either.

          As you said, they could just be trying a brute force on TV ID against 4-digit passcodes. Then you wouldn't need to crack anything, just use a TeamViewer client and just keep trying TV ID against a 4-digit passcode.

          TV rate limits password guesses though, but I suspect with 1 billion (or 1 million? I can't remember) active TV IDs you will get lucky if you keep trying.

          However, if you

          1) have a TV account

          2) don't have 2FA enabled

          3) have reused a password/email combo from a cracked alternate source

          4) have easy access turned on

          then they can get in.

          1. psychonaut

            Re: Possible attack vector?

            I've just discovered something else.

            If you have a TV business account and you have your TV app logged in on your machine, you can click "open management console" on the app and it logs into the web management console without asking for further authentication.

            In order to have this happen, you still have to pass authentication to be logged in on the app though (and it does the 2FA on the app as well). However, the web management console enables you to do all sorts of things that you can't do from the app.

            An attacker would have to compromise your machine and you'd have to have the TV app logged in in order for this to happen though.

    2. Paul Woodhouse

      Re: Possible attack vector?

      And having seen people saying that computers on their network have been attacked one after the other, I'm assuming that those computers are all sitting on the same NAT'd subnet, so this kind of rules out them getting hit by IP address.

  44. Anonymous Coward
    Anonymous Coward

    Back to CASCOPE?

    99% sure TeamViewer had been backdoored at the request of the Bundesnachrichtendienst and the mechanism has become known.
