This week has seen serious hacking allegations swirling around extremely popular remote access tool TeamViewer. The reports, which began at the end of May, have largely pointed the finger at an ongoing man-in-the-middle attack which has exposed TeamViewer users personal accounts.
Amongst the numerous reports of bank accounts and PayPal accounts being emptied or used to make unauthorized purchases, TeamViewer are holding firm, maintaining that any fraudulent or malicious activity is likely the fault of the user. Amid the chaos, TeamViewer have found time to release new features designed to enhance user data protection, and I’m sure the irony is not lost on those counting their absent pennies.
What exactly is going on at TeamViewer? Is it merely coincidence that so many accounts have seemingly been hit concurrently? Have users had their account details compromised in another breach and now find those credentials used against them? Or is something else afoot?
“Protecting your personal data is at the very core of everything we do” — but are they protecting themselves first? Let’s examine what we know.
What Is Going On?
TeamViewer find themselves in the midst of a very angry user base. The barrage relates to a supposed security vulnerability present somewhere in the TeamViewer software which is allowing as-yet unnamed and unknown malefactors to access personal user accounts via a remote session.
The vast majority of users claim their accounts have been hacked. Once access is gained, the hackers move through a list of targets attempting to spend or transfer money. Some commonly accessed accounts include:
Some users have reported losing thousands of dollars, while others have seen numerous eGift cards sent to various locations around the world. Purchases made online usually had gibberish shipping names, being sent to a variety of locations around the globe with a significant number of users reporting attempted logons from Chinese or Taiwanese IP addresses.
Fuel was added to the fire when TeamViewer experienced a service outage. It was caused by a denial-of-service (DoS) attack aimed at disrupting the companies’ DNS (Domain Name System) Servers, but TeamViewer maintain there is “no evidence” linking the attack to the compromised user accounts.
User Account Security
A large number of accounts have been affected, though there is certainly no solid number to report. However, it appears that a majority of affected TeamViewer users were not using two-factor authentication. That said, the alleged attackers appear to have used the correct password to enter the account and instigate a remote session. While the login would have triggered the 2FA process, the remote session logon would not.
Some users were actively using their system, noticed the attempted remote session logon and were able to cancel the request. Others came back to find a completed remote session, while others still only realized when their email accounts were suddenly full of purchase receipts from eBay, Amazon, and PayPal.
Nick Bradley, a practice leader inside IBM’s Threat Research Group detailed his discovery:
“In the middle of my gaming session, I lose control of my mouse and the TeamViewer window pops up in the bottom right corner of my screen. As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!
I run downstairs where another computer is still up and running. Low and behold, the TeamViewer window shows up. Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page. As soon as I reach the machine, I revoke control and close the app. I immediately go to the TeamViewer website and change my password while also enabling two-factor authentication.
Lucky for me, those were the only two machines that were still powered on with TeamViewer installed. Also lucky for me is the fact that I was there when it occurred. Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak.”
The TeamViewer response has been resolute and constant:
“There is no security breach at TeamViewer”
This is the company line, echoed through multiple PR statements released throughout the past few days:
“TeamViewer experienced a service outage on Wednesday, June 1, 2016. The outage was caused by a denial-of-service attack (DoS) aimed at the TeamViewer DNS-Server infrastructure. TeamViewer immediately responded to fix the issue to bring all services back up.
Some online media outlets falsely linked the incident with past claims by users that their accounts have been hacked and theories about would-be security breaches at TeamViewer. We have no evidence that these issues are related.
The truth of the matter is:
- TeamViewer experienced network issues because of the DoS-attack to DNS servers and fixed them.
- There is no security breach at TeamViewer.
- Regardless of the incident, TeamViewer continuously works to ensure the highest possible level of data and user protection.”
Furthermore, TeamViewer have turned the tables on their users, stating that as there was no company breach, it is entirely likely the user details were stolen during one of the other recent large data breaches and used to log in to the TeamViewer accounts.
TeamViewer is pointing to password reuse, which is entirely possible given the recent big breaches https://t.co/I8fnJUMpdb
— Troy Hunt (@troyhunt) June 1, 2016
Trusted Devices and Data Integrity
In the midst of the swirling rumors, TeamViewer announced the launch of their Trusted Devices and Data Integrity programs, “two new security features to further enhance data protection.” I have tried reaching out to TeamViewer to ascertain if these features were pre-planned, or as a direct response to the alleged hack, but as yet have received no response.
Trusted Devices will ensure any attempts to sign onto any given device for the first time will be met with an authorization challenge before access is granted, while Data Integrity will enforce an immediate password reset if an account displays suspicious activity.
Which Brings Us To…
All this has lead to a very strange standoff between TeamViewer users and the company itself.
TeamViewer are all-too aware that something is very amiss:
“Protecting your personal data is at the very core of everything we do.
We highly appreciate the trust you place in us and respect the responsibility we have to ensure your privacy. This is why we always feel a strong need to take all necessary steps to safeguard your data.
As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.
We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.”
It is possible the swathe of compromised accounts and fraudulent activity could have all taken place on the back of the recent MySpace data breach. When combined with other large breaches, such as the accounts added to the LinkedIn breach, and the “old” Adobe breach several years ago, there are certainly a significant number of user credentials up for grabs to the highest bidder.
But that explanation doesn’t quite cut the mustard. While a huge number of users were not following best data protection practices by using 2FA and strong, random, single-use passwords, there were also a huge number who were — and their accounts were also compromised. Similarly, a number of users had indeed been potentially compromised through previous data breaches, and found an active remote session, but there were also a high number of users whose details were private.
Checking Your Account
If you’d like to immediately check if your account has been accessed, or access has been attempted by anyone other than yourself, head to the TeamViewer Management Console website. Once you’ve logged into your account head to the top-right corner and click on your username, followed by Edit Profile. Then select Active Logins. This will list every device and location that has access your account within the last year.
You can also check your TeamViewer logs for any unscheduled activity. The logs can be found here:
- C:\Program Files\TeamViewer\TeamViewerXX_Logfile.txt
- C:\Program Files\TeamViewer\TeamViewerXX_Logfile_OLD.txt
Head to your log and give it a read through. Check for any irregular IP addresses. Search the log for “webbrowserpassview.exe” and if you get a positive hit, immediately change all of your passwords.
No, I’m not joking. This application essentially reveals and exports all of your currently saved browser passwords into an easily readable plaintext file. It also sidesteps master passwords set in Chrome and Firefox. This isn’t a super hacking tool. It is openly available, but can be extremely dangerous in the wrong hands.
You should also head over to haveibeenpwned.com to check if any of your accounts have been compromised without your knowledge.
Time to Take TeamViewer Security Seriously
If you have a TeamViewer account, immediately change the password and enable two-factor authentication. If you’re unhappy, simply uninstall TeamViewer until this debacle comes to an end.
Check your eBay, Amazon, PayPal, and Apple Store purchases, and take a good look at your outgoing bank transactions for the past week. If anything is afoot, directly contact the vendor, explain what has happened, and mention TeamViewer. It should help your affairs return to normality. Oh, absolutely read this detailed list of TeamViewer Best Practices by Redditor and TeamViewer user chubbysumo.
This is a difficult situation to gauge. One could understand the viewpoint of TeamViewer. According to them, their servers remain intact. They can still offer their remote access services as normal. A majority of users can still access their accounts, and use the service as is.
But it doesn’t explain away the huge number of seemingly compromised accounts. Neither does it explain how users with strong, uncompromised single-use passwords have had their accounts hacked in the same manner as those with already-pilfered credentials. It also doesn’t explain why some users are still seeing a huge amount of incoming attempts from Chinese and Taiwanese IP addresses.
The entire situation could have been handled significantly better by TeamViewer, too. To immediately rebuke those with obvious issues relating directly to their remote desktop service is slightly unfair, given the weight in numbers making an extremely similar complaint. But once the ball was rolling, and the canned responses began, TeamViewer limited the scope of their future responses, while undermining their own reputation, devaluing their users’ unfortunate experiences.
I am not entirely convinced it can be the fault of users with lackadaisical security skills. However, I’d like to see some more specific evidence pointing to an actual hack, a specific exploit, or some form of malware that has “allowed” this happen before more potentially unfair stigma is heaped upon TeamViewer.
Update: DLL-Sharing Malware Identified
TeamViewer reached out to me directly on Saturday night (June 4th 2016), making an “unreserved apology” for the ongoing issues, as well as for apportioning “blame” upon their users. They understand how some of the language used in their PR statements could have easily upset the user base.
However, they categorically maintain that there is no underlying vulnerability in their service, as well as emphasizing their ongoing use of the Secure Remote Password protocol. Furthermore, TeamViewer confirmed that their new “security features were indeed brought forwards” to provide their users with extra assistance during a time when their platform is certainly being “abused.”
In the time since this article went live on Saturday afternoon, I’ve also been alerted to a piece of malware using TeamViewer as an attack vector. The BackDoor.TeamViewer49 malware is installed via a malicious Adobe Flash update on already breached computers and could provide a potential backdoor for malefactors. To clarify: this is not a breach of TeamViewer, but a Trojan using a shared TeamViewer DLL as a hook to establish itself on a system.
Have you been affected by the issues at TeamViewer? Did you lose anything? Have you contacted TeamViewer? Let us know your experiences below!
Image Credit: mugger reaching for you by agoxa via Shutterstock