

TeamViewer authentication protocol - alter8
http://blog.accuvantlabs.com/blog/bthomas/teamviewer-authentication-protocol

======
pilif
When you set up TeamViewer to be running constantly in the background, you are
strongly encouraged by the UI to use a real password.

The 4 digit passwords are used for temporary sessions for giving a remote
party temporary access to the machine.

In the position of the person giving support and thus needing access, I'm
already very happy when I finally get my mother to launch the TeamViewer
application (finding an icon on the desktop can be so hard). I don't need her
to spell out a real password for me and if she was to choose one of her own it
would not be much safer than what TeamViewer generates by default.

Support sessions like that last a maximum of 30 minutes, after which she
closes the application (as encouraged by the UI). I really think that the
short-lived nature of connections with a weak password somewhat mitigates some
of the complaints in the article.

~~~
Osiris
I use TeamViewer on my LAN to be able to hop onto my other Windows boxes
quickly. I prefer it over VNC for a variety of reasons. I use a real password
on each box tied to my TeamViewer account.

I've also used it to help my Dad. He does the same thing, launches the
application to initiate a session and then closes it when he's done. Since
it's only open while he's expecting a connection, I don't see how it could be
much of a security issue.

It is interesting to note, however, that a company whose product is designed
to allow people full access to another computer and promotes security wouldn't
have periodic security audits of their protocol to ensure it's sufficiently
robust.

------
meztez
Don't forget that once you're in, you still have to log in to the actual
machine. I'm willing to live with that probability.

------
rcconf
Great article. The only issue I had was that I wanted to look at the code
examples without downloading them.

