
TeamViewer stores user passwords in registry, encrypted with hard-coded key - reiichiroh
https://whynotsecurity.com/blog/teamviewer/
======
Someone1234
They're doing nothing too wrong; the person criticising them doesn't
understand basic computer security.

When the user hits "save password" on the client-side, the client needs to
save the actual (plain text) password in order to replay it for future logins.
A hashed password cannot be stored, otherwise that hashed password becomes the
plain text password anyway (essentially destroying any benefit hashing would
have here). The rules that apply to servers/services aren't the same as those
for clients/saved logins.

Using reversible encryption is unavoidable, because they ultimately need plain
text to send to the TeamViewer remote service. It is still marginally better
than storing the actual plain text even if it is security through obscurity
(using a hard-coded key in this case).

Storing it in the user's registry hive instead of a higher privilege allows
the TeamViewer client to run in the user's context, instead of needing to run
as administrator, have a broker, or similar.

One potential upgrade might be to use Windows' Data Protection API. It works
essentially the same way as their current method, but Windows is responsible
for protecting the encryption key (and has a broker that can house it at a
higher privilege level).

But ultimately if you have a process running in the user's context and can
manipulate the TeamViewer client, you can bypass the Data Protection API
pretty trivially (e.g. injected DLL, UI hooks, other misc memory hooks, etc).

So my question would be: Describe the scenario where a bad actor has the
ability to arbitrarily read data within a user's execution context, but not
manipulate the TeamViewer Client also running in that same user's context?
Because I got nothing.

My security advice here is simple: Don't save passwords to your local machine
if you don't want them saved to your local machine. And don't leave backups of
your saved passwords in insecure locations. I'm going to research if I can get
a CVE assigned to that.

~~~
Justsignedup
A smart use of "save password" is where you authenticate and store the login
token locally. You can then log in without a password, but also your session
can be invalidated any time you say... change your password, or ask for a
session to be kicked off.

We have to do this with web apps all the time. Nobody stores passwords in
local browser store.
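
Added example, not code from this thread or from TeamViewer: a minimal
token-based "save login" scheme of the kind described above. The client keeps
an opaque random token instead of the password, the server keeps only a hash
of that token, and a password change (or an explicit "kick this session")
invalidates every saved login. All class and function names are hypothetical
and the credentials are constructed sample values.

```python
"""Added example (not from the thread or TeamViewer): token-based "save login"
with server-side revocation. Names are hypothetical; credentials are constructed."""
import hashlib
import hmac
import secrets

# Illustrative iteration count; tune for real deployments.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for the low-entropy secret (the password).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _hash_token(token: str) -> str:
    # Tokens are 256-bit random values, so a fast hash is enough to avoid
    # holding the bearer value itself on the server.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    """Per-user password hashes plus the hashes of live session tokens."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "pw_hash", "tokens"}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt,
                                 "pw_hash": _hash_password(password, salt),
                                 "tokens": set()}

    def _verify_password(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        candidate = _hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])

    def login(self, username: str, password: str):
        """Return a fresh session token on success, None otherwise."""
        if not self._verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._users[username]["tokens"].add(_hash_token(token))
        return token

    def authenticate_token(self, username: str, token: str) -> bool:
        """Replaces the password check when a client reconnects with a saved token."""
        user = self._users.get(username)
        return user is not None and _hash_token(token) in user["tokens"]

    def revoke_all(self, username: str) -> None:
        """The "kick every session" action."""
        self._users[username]["tokens"].clear()

    def change_password(self, username: str, old: str, new: str) -> bool:
        """A password change also invalidates every saved login."""
        if not self._verify_password(username, old):
            return False
        salt = secrets.token_bytes(16)
        self._users[username].update(salt=salt, pw_hash=_hash_password(new, salt))
        self.revoke_all(username)
        return True


class Client:
    """The "save login" side: stores only the opaque token, never the password."""

    def __init__(self):
        self.saved = {}  # username -> token

    def first_login(self, server: AuthServer, username: str, password: str) -> bool:
        token = server.login(username, password)
        if token is None:
            return False
        self.saved[username] = token
        return True

    def reconnect(self, server: AuthServer, username: str) -> bool:
        token = self.saved.get(username)
        return token is not None and server.authenticate_token(username, token)


def demo() -> dict:
    """Lifecycle walk-through with constructed sample credentials."""
    server, client = AuthServer(), Client()
    pw = "correct horse battery staple"
    server.register("alice", pw)
    out = {}
    out["first_login"] = client.first_login(server, "alice", pw)
    out["reconnect"] = client.reconnect(server, "alice")
    out["password_change"] = server.change_password("alice", pw, "new passphrase")
    out["reconnect_after_change"] = client.reconnect(server, "alice")
    # What someone who copies the client's saved-login store would find:
    out["password_in_client_store"] = pw in client.saved.values()
    return out


if __name__ == "__main__":
    print(demo())
```

The token in the client store is still a bearer credential, so copying the
store grants access until the token is revoked; what the scheme buys over a
saved password is that the password itself is never on disk and that the
server can cut every saved login off at once. As noted further down the
thread, this only works for the account-based mode where a server exists to
issue and check tokens, not for a pure point-to-point connection.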

~~~
Someone1234
I don't know if that applies to TV's circumstances because you can use the
client to connect to endpoints without either end being internet accessible.

TeamViewer does operate account infrastructure like you're describing, but
that isn't exclusively what they offer. They do point-to-point too.

~~~
signal11
Yes, looking at this page it’s possible to disconnect the client from Team
Viewer’s online infrastructure entirely:
[https://community.teamviewer.com/t5/Knowledge-Base/Can-TeamV...](https://community.teamviewer.com/t5/Knowledge-Base/Can-TeamViewer-be-used-within-a-local-network-LAN-only/ta-p/4618)

> Hint: If you choose Accept exclusively, TeamViewer will disconnect from the
> internet – that means it will no longer be possible to make or receive
> connections using the TeamViewer ID, and the Computer & Contacts list will
> no longer be available.

------
Lendal
I'm not an expert so I'm just gonna ask the question. How is this different
than what my web browsers do with all the passwords they memorize for me? They
are stored locally, and encrypted, not hashed, with a key that is hard-coded
somewhere. Right?

~~~
sdinsn
No, Chrome actually uses the Windows DPAPI, which encrypts passwords using
your user login credentials. 3rd party password managers use a master password
with a PBKDF.

~~~
arsome
It's still absolutely trivial to dump these though. Especially in the case of
Chrome. iStealer is a classic script kiddie tool designed to exploit this.

------
DuskStar
Why on earth would you store user passwords with AES locally _and then use a
hardcoded key to encrypt them_???

~~~
the8472
$employer has recently been acquired by a big international corp. As part of
the acquisition they have been "auditing" (really checkbox ticking and
superficial API scans) our applications. One of the issues that came up is
that we were using bcrypt as password hashing algo and our new overlords had a
whitelist policy that only included sha2 variants and perhaps ripemd or
something like that. We argued that their whitelist was totally inadequate for
password hashing and pointed to multiple national standards bodies. The people
doing the audit just ignored everything we explained to them and repeatedly
pointed at the policy (which they weren't in charge of themselves).

Several people on my team were opining to just comply because it's the easiest
way to do it, and they were concerned about their job security if they went
"against security".

My takeaway from that experience was that the people in charge of corporate
security policies and audits are not experts in security, they are experts in
reshuffling responsibility and covering asses. And many developers are easily
cowed by them.

The result is compliant software, not secure software.

~~~
yread
Compliance is really the biggest source of bullshit jobs. All the paperwork
you need to get certified, the manhours spent reviewing it, all for marginal
benefits.

~~~
zdragnar
Many (most) processes like that started because someone got burned by
something, and the people ultimately responsible said "make a process so it
doesn't happen again".

Often times companies go through this with internal processes as they grow,
and some grow out of that phase.

Other times (especially at even larger companies) processes are adopted "from
the industry". While not necessarily bad, it also requires flexibility from
feedback. In parent's case, auditing to ensure sensitive data is encrypted to
a minimum standard is reasonable; auditing to ensure any encryption is
limited to a very narrow set of algorithms is not.

I worked on a project once that contracted out security audits to HP and those
were distressingly _not_ good security audits, just vague automated
checkbox-checking of a list put together with zero context.

------
zaroth
Storing on the _local machine_.

Versus what they should have been doing - authenticating the password and then
storing a session cookie.

------
deejaybog
Ironically, TV tweeted recently:

"January 28 is Data Privacy Day! TeamViewer is a Data Privacy Day Champion. As
an organization, we understand the importance of being open and honest about
how we collect, use and store your information."

~~~
SlowRobotAhead
> Send email to the Director of Security November 14th, 2019

> Send email to Director of Security notifying them there is now a CVE assigned
> to this November 18th, 2019

> Receive first and only email back from vendor “We’re looking into it” email
> January 13th

Good one TV.

------
reiichiroh
Twitter thread here:
[https://twitter.com/blurbdust/status/1224212682594770946?s=2...](https://twitter.com/blurbdust/status/1224212682594770946?s=21)

------
F00Fbug
One more reason to flush this turd.

It worked well for me until it started flagging some very non-commercial use
(family IT support) as commercial. I actually tried to use their process to
unflag myself. Gave up and am happy with AnyDesk now. Not sure what they do
with passwords... guess I should check!

~~~
lovetox
Yeah, just checked AnyDesk: 100 Euros a year and no online address book, really?

------
Y_Y
I'm on the fence about this security practice, but does anyone know a good
FOSS alternative to TeamViewer? As in something that lets me remote into any
of my devices from any other and doesn't require a fixed IP?

~~~
wizzwizz4
VNC?

------
SlowRobotAhead
I spent 3 weeks stepping through a program to reverse their blowfish
encryption a long time ago...

So I won’t say he messed up by stepping through code for 6 hours to find the
AES decrypt sequence but the instruction he could have scanned for is a
special CPU instruction now!

aesdec xmm0,xmm1

How many separate routines could they have that directly call AES
instructions?

~~~
duskwuff
Not all AES implementations will use AESNI instructions. Support for those
instructions is relatively new -- many systems in production still lack them
-- and they're hardly necessary for a non-performance-critical implementation
like this one.

A better signal is the presence of the S-box tables (63 7C 77 7B...). Even
that won't detect applications which use an implementation from a shared
library, though.
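
Added example, not code from this thread or from the write-up it discusses:
a scanner that locates a statically compiled AES implementation by searching a
binary for the Rijndael S-box (63 7C 77 7B ...) and its inverse, and, going a
step beyond the comment above, also checks for the legacy-encoded AES-NI opcode
bytes as a second, noisier signal. The S-box is generated rather than typed in,
and the "binary" is a constructed blob with the tables and one aesdec planted at
known offsets so the script runs offline; all function names are hypothetical.

```python
"""Added example (not from the thread): find AES indicators in a byte blob.
Sample binary is constructed inline; function names are hypothetical."""
import random


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _generate_sbox() -> list:
    # Walk GF(2^8) with p = p*3 and q = q/3 (invariant p*q == 1), then apply
    # the Rijndael affine transform to q, so sbox[p] = affine(1/p).
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; only the affine constant remains
    return sbox


AES_SBOX = bytes(_generate_sbox())
AES_INV_SBOX = bytes(AES_SBOX.index(v) for v in range(256))

# Opcode prefixes (without the ModRM byte) of the legacy-encoded AES-NI
# instructions. A REX prefix may sit between 66 and 0F, and VEX-encoded
# vaes* forms look different, so this signal misses cases and can also
# misfire on arbitrary data; treat a hit as a lead, not proof.
AESNI_OPCODES = {
    "aesenc": bytes.fromhex("660f38dc"),
    "aesenclast": bytes.fromhex("660f38dd"),
    "aesdec": bytes.fromhex("660f38de"),
    "aesdeclast": bytes.fromhex("660f38df"),
}


def _find_all(haystack: bytes, needle: bytes) -> list:
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_for_aes(data: bytes) -> dict:
    """Return the offsets of every indicator found in data."""
    return {
        "sbox": _find_all(data, AES_SBOX),
        "inv_sbox": _find_all(data, AES_INV_SBOX),
        "aesni": {name: _find_all(data, op) for name, op in AESNI_OPCODES.items()},
    }


def classify(hits: dict) -> str:
    if hits["sbox"] or hits["inv_sbox"]:
        return "table-based AES compiled in"
    if any(hits["aesni"].values()):
        return "possible AES-NI use (confirm by disassembly)"
    return "no AES indicator (shared library, obfuscated table, or no AES)"


def build_sample_binary() -> bytes:
    """Constructed stand-in for an executable: seeded random filler with the
    tables and one 'aesdec xmm0,xmm1' (66 0F 38 DE C1) at known offsets."""
    rng = random.Random(1234)
    filler = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return (filler(300) + AES_SBOX                      # S-box at 300
            + filler(100) + AES_INV_SBOX                # inverse S-box at 656
            + filler(50) + bytes.fromhex("660f38dec1")  # aesdec at 962
            + filler(40))


if __name__ == "__main__":
    hits = scan_for_aes(build_sample_binary())
    print(classify(hits), hits)
```

The table search matches only the byte-for-byte standard S-box, which is why a
"custom" S-box or an implementation pulled from a shared library escapes it, as
the comment above notes; the opcode search is the complementary check for the
AES-NI case raised earlier in the thread.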

~~~
SlowRobotAhead
Yea, that’s how I did a blowfish program, just looked for the big constant
table, but you know there are some clowns out there that “make their own”
s-box :) you know, to “be even more secure”.

------
rishabhd
I am in the middle of a cyber incident response engagement and we identified
compromises based on this. Wrote some quick and dirty code to enumerate it en
masse and do automated connection analysis based on the available TeamViewer
logs. The results are actually eye-popping. Good analysis and w00t!

------
gridspy
Perhaps misleading title?

Teamviewer saves remote passwords in registry, encrypted with hard-coded key

The biggest ambiguity here is that the passwords in question are just
user-saved "remote server passwords" and the key takeaway is that remote
desktop software should not be left running.

------
blackearl
I've seen recommendations to move away from Teamviewer for a few years now.
They may have been good and _free_ in the past but not much reason to use them
anymore when the casual user can use chrome remote desktop, and more tech
focused can use splashtop.

------
xupybd
How do you do this if you're storing passwords to send on to another
endpoint?

Never had to store passwords in anything but a hash. My way is just to get the
user to enter it again and never store passwords.

------
lukeholder
Could anyone tell me if this affects MacOS? Not sure if I should rush to
uninstall TeamViewer on my home computers?

~~~
mg794613
I guess when you've used those credentials on a windows machine?

------
trollied
There’s an open source teamviewer equivalent that’s free to use if you build
it yourself - looked really slick, but I can’t for the life of me find it now.
Anyone got any ideas what it could have been? (Wasn’t VNC/RDP based). Dammit,
wish I could remember.

------
de_watcher
The OS doesn't have something like a keyring or what? It's the same as
registry, but explicitly states the intent.

------
FDSGSG
It's pretty surprising that something this silly gets upvoted so heavily here.

Lack of hashing isn't the problem here, the fact that low privileged users can
access these credentials is.

The author isn't to blame for the silliness though, whoever decided to
editorialise this title for HN is.

~~~
dang
I've taken a crack at rewriting the title. If anyone can suggest a better one
(i.e. more accurate and neutral, preferably using representative language from
the article), we can change it again.

~~~
reiichiroh
Sorry I took the title verbatim from Reddit and wasn’t editorializing. It
seemed blunt without sensationalizing anything to me when I submitted.

------
professorTuring
Kudos to the security expert for the finding but his web page gave eye cancer.

Seriously, consider lowering the contrast or changing typography... Don't know,
but it was hard to read in its original form...

~~~
UI_at_80x24
IMHO, the website was a wonderful and easy-on-the-eyes experience to read.

I am visually impaired. I need sites to look like this just to consume them.

This was my experience and yours was different. Being able to let the viewer
choose is critical so that everybody can use the web.

------
clSTophEjUdRanu
Seeing shit like this daily is wholly demoralizing. Makes me feel like writing
software for a living is a lost cause.

~~~
munk-a
This particular issue reeks of "roll your own" when a lot of out-of-box token
based solutions would just do a better job. The best lesson to learn about
security in software is that if you're doing it and you don't have a PhD
you're doing it wrong.

The benefits of leaning on a third party for common logic should be carefully
reviewed on a case-by-case basis unless that software is related to security,
in which case, please do lean on a third party.

~~~
ghh45654
>The best lesson to learn about security in software is that if you're doing
it and you don't have a PhD you're doing it wrong.

fuck, I need to tell that to all top CTF teams that their members should stop
competing and leave their jobs and focus on PhD

It may be a little bit offensive, but did you even graduate?

~~~
munk-a
Sorry, I was a bit hyperbolic - let me clarify. I didn't mean that educational
experience is a critical portion - more that working in the security field is
a lot more theoretical than most and requires a much higher investment of time
to start to comprehend. People without degrees absolutely can be security
experts, and people with degrees can be utterly clueless - but if you're
working on a webapp and given a week to write a login system then it almost
certainly will be vulnerable.

So it's less specifically required that people have PhDs and more... this
stuff takes time to fully understand, I know a lot of pitfalls on the topic
but I wouldn't say I'm an expert - I just know enough to know that I don't
know.

------
bottled_poe
Yet another sloppy product that reeked of security flaws the first time I used
it. How do these products become so widely accepted within a technically savvy
user group? It doesn’t take a lot of knowledge to see the obvious flaws in how
poorly the desktop sharing is implemented in this software. No wonder it is a
favourite of scammers.

