TeamViewer rolls out two new protective features
TeamViewer announced yesterday that it has started to roll out two new protective features for the popular remote desktop software.
There has been lots of talk about TeamViewer's recent service outage and the increase in reports on various Internet sites that customer accounts were hacked.
TeamViewer denies that the service itself has been hacked or that the recent service outage has anything to do with the increase in compromised user accounts.
The company suggests that the increase may be related to the recent leak of hundreds of million user account information from MySpace and Tumblr.
TeamViewer new protective features
The company has started to roll out new security measures yesterday to "further strengthen the protection" of user data against "hijacks of cyber criminals".
Trusted Devices
The first new security feature, Trusted Devices, adds a confirmation process to the first time sign in process on devices.
Basically, what happens is that TeamViewer will display an in-app notification that requests approval of the new device by clicking on a link that the company sends to the associated email account of the customer.
The Trusted Devices feature ensures that whenever your existing TeamViewer account attempts to sign in on any given device for the first time, we will ask you to confirm the new device as trusted before signing in.
An in-app notification will ask you to approve the device via a link that we will send to your account email address.
Protecting Data Integrity
The second protective measure monitors accounts for unusual behavior such as connections from a new location to determine whether an account has been compromised.
If TeamViewer comes to the conclusion that an account has been compromised, it will mark reset the account password for protection to block the attacker from using it further.
Instructions on how to reset the password will be send to the associated email account.
The system determines continuously if your TeamViewer account shows unusual behavior (e.g. access from a new location) that might suggest it has been compromised. To safeguard your data integrity, your TeamViewer account will be marked for an enforced password reset.
In this case, you will receive an email from us with instructions to reset your password.
Existing protective measures
TeamViewer supports several security features already that strengthen account security. Many need to be enabled however or set appropriately by the user.
In short, the following is suggested:
- Only run TeamViewer is you are going to use it or need to make it available for someone else.
- Select a secure, unique account password for the service.
- Make sure TeamViewer is up to date.
- Enable two-factor authentication for your TeamViewer account.
- Use TeamViewer's Whitelist system to prevent access from unauthorized devices. To do that select Extras > Options > Security > Black and Whitelist Configure.
So if someone uses TeamViewer over a VPN and forgets to select a local end server, TeamViewer will force a password reset? That’s kind of lame… I much prefer the standard way of handling this kind of situation: tell the user their location is suspect and ask them to enter a code that has been sent to their email address. We’ve already discussed a few days ago on Ghacks how forced password resets can actually reduce security when people become frustrated and impatient.
gabriel, you said “Yeah, but you can still access TV servers without an account, using the ID TV gives you.
Or is this “hacking†incident with TV just with people who actually have accounts? Maybe I’m missing something.”
Reply
If you access over the local lan exclusively, the user id TV gives you is the ip address of the pc on the local lan. All pcs on the network should be local lan exclusively only. For example, if your TV id is 192.168.1.25 then that is your pc local lan ip. Do not sign into TV.
BTW, the 192.168.1.25 address is non-routable. Nobody on earth can get into your network by entering it into their pc except you and only from your local lan. To use it you need to be on the local lan first. One hundred million or more people have a pc on their local network with the same address.
Hi cdr,
I know that 192.168.x.x is a private ip range.
What I’m trying to say is that just because TV doesn’t give you an ID because you choose “lax exclusively”, doesn’t mean that it still can’t be contacted over the internet.
If TV servers have been hacked, you’re telling me I should trust a front end GUI that is telling me that I have no “external ID”… which I still may have… just not showing. And since TV and these computers of mine still have access to the internet, I have reasons to be concerned.
Hehe, nah I’m good.
I don’t have a TV profile and, as you know, I use “lan exclusively” so I believe I’m good.
Thanks cdr.
otherwise, just fear the boogyman. That’s your other choice. Can’t help you there.
Gabriel,
Did you sign in or not? if you didn’t sign in there’s no way tv servers can find you. If you don’t have a TV profile, as I don’t, double that. If you do have a TV profile, delete it. Case closed. Access via local lan exclusively still works great. No TV profile required.
TV allows SPI to provide access if active in background. If TV client is not in contact with TV servers, then SPI will keep TV out, along with everyone else not responding to SPI / NAT. The moral, delete TV profile and / or never sign in to TV. Use local lan exclusively and other means to access local lan remotely. I use OpenVPN.
Gabriel,
You do not need a TV account if you access over local lan exclusively. This is how I do it and I do not maintain a TV account. If no TV server is involved, then you can’t get hacked via a TV server.
I use OpenVPN to get to the local lan remotely. Otherwise I use TV to maintain a media server or transfer files from an upstairs PC to the one in my lap.
Yeah, but you can still access TV servers without an account, using the ID TV gives you.
Or is this “hacking” incident with TV just with people who actually have accounts? Maybe I’m missing something.
@Pants:
“…they still could have possibly/probably been saved if 1. The browsers didn’t auto-login to their banking/paypal accounts…”
Bingo. It’s a big mistake to store passwords in a browser. I’m surprised the more serious browser developers are still pushing this practice.
Anyway, what I find amusing is that TeamViewer rolled out the new security features after just a few days of bad press. Stuff that is this easy to implement probably should have been implemented … you know… YEARS ago. :)
Convenience > Security.
Most companies won’t spend resources on “low priority” features unless they are a) pressured or b) they suddenly become important.
^^ read this : http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
quote:
“Whenever somebody sets up an account there are several ways they can set up their user credentials and assign devices to that account. If somebody goes ahead and uses the same e-mail and password for that account as they used for any other given Internet account then that makes this account somewhat vulnerable in terms of the credentials”
Yes it is only TV accounts. Also, the 2FA authentication is totally unverified. Also, Martin mentions the data breaches at MySpace and Tumblr. There’s also LinkedIn (and today was 171million at VK or something, not that those would have been around long). The numbers are huge and have been collated from numerous breaches into one lovely, easy to use dump: 640+ million sets of user accounts names/logins/emails with matching passwords. On the deep web, selling cheap as f*kk.
People are stupid and security is hard. Also security is a multi layer thing. Here’s how I see it: Secure the network, check. Secure the OS, check. Secure the browser, check. Secure the passwords (don’t store passwords in your browser or lock them behind a master password, or use LastPass or whatever) and use unique passwords. You see, the end users use TV and it is allowed to get into your network, and its allowed to run on your OS … it totally bypasses a heap of your security by design, because you allowed it to. And even when it was breached, due to their shitty OpSec, they still could have possibly/probably been saved if 1. The browsers didn’t auto-login to their banking/paypal accounts 2. They ran malware/AV etc to detect if perhaps keyloggers etc were added (but no one seems to see this happening in this TV saga, just quick money raids (not that the perp couldn’t disable and uninstall protection etc) 3. Each account has a unique password (if the browser didn’t cache passwords/cookies, but the perpetrator tried the same password etc). Also, side note, these people ran TV 24/7 unattended.
That said, if so many accounts are being accessed, surely TV’s servers would have seen a large number of failed attempts as the perps tried those 640+ million combos. And TV could certainly ramp up the default settings, and some alert system would be good, and a “Login/Access History” button that brings up detailed easy to read reports on date/ip/duration/files transfered/etc.
http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
TeamViewer also said they were not hacked and their servers crashing has nothing to do with the hacking (but never explained servers crash).
I thought they said that it was DDoS
Hi Martin.
I’m currently using TV within my LAN, so I have setup “incoming connections” to “Lan – Accept exclusively”. From what you may know from this issue, do you think my computers are safe?
Thanks
PS: I have checked the log file as you suggested and everything seems fine, so I’m just asking out of curiousity.
Gabriel: You can’t seriously believe that anyone can analyze your LAN security based on your short comment. Your best bet is to hire a local firm to run tests to see if your system has already been compromised. Follow their advice, as long as the company you deal with has a good reputation.
I never said that, DVDRambo.
My concern is with TV itself and how secure setting it to “Lan only” really is, since these computers are also accessible over the internet.
Trusted Device combined with two factor authentication is about as strong as you can get without certificates. Forced password reset is a little bold but I can see their point and won’t argue with it. The only thing better would be certificates that must be present on remote devices to allow access to the central pc, with the certificate tied to the central pc and not a generic certificate of some kind.
As I mentioned yesterday, I use TV and don’t maintain a TV account. I access the central pc only over the local lan and use OpenVPN and a bridged connection to get to the local lan. OpenVPN is on a pfSense router. It holds individual certificates for each remote pc, user ids attached to individual certificates, and dual passwords. The OpenVPN tap server is only on when needed. The new trusted PC setup gets you a little closer to my way of doing things, but not all the way. To the good, wake on lan works great over a local lan.
I’m not bragging. I’m trying to educate. Anyone who uses remote desktop and does not assume someone will try to get in just by guessing a password or two is dangerously ignorant. To the good, the TV method of password generation adds a lot of security to this process, assuming it’s not bypassed by the user.
I would be too paranoid to use Microsoft Remote Desktop, TV, or any other remote desktop program without security far beyond passwords only. Some advanced Netgear routers allow OpenVPN tap connections, although I’m not sure of the level of security. Certificates are involved, so that helps a lot. They are easier to set up than pfSense. Some other alternate router firmware may also permit a tap (not tun) connection. Tun allows a passthrough so you can browse remotely just as if you are using the internet from home.
“Trusted Device combined with two factor authentication is about as strong as you can get without certificates”
In this case this a joke. TeamViewer hackers were able to bypass two factor authentications and drain bank and PayPal accounts. Being in control of the hacked PCs they will be able to “trust” any device as well.