
TeamViewer users are being hacked in bulk, and we still don’t know how - edward
http://arstechnica.co.uk/security/2016/06/teamviewer-users-hacked-but-how/
======
barking
Maybe I have 2 factor authentication set up wrong or am missing something but
here is what I have just noticed.

I ran teamviewer on 2 computers.

The teamviewer windows appear.

On neither instance do I log into my teamviewer account, so I don't enter my
account password and therefore I don't enter a 2FA code from my phone.

However I can still open a session from one computer to the other using either
the random password or the stored computer-specific password.

So how exactly does 2FA increase my protection from the alleged scam?

~~~
Sacho
The 2FA authentication is only useful if you whitelist your account. The
default settings, just as you mentioned, allow anyone to access your computer
should they somehow guess the random password.

My guess is that the hackers have found a way to acquire these random
passwords, or are simply brute forcing them on a massive scale and we're
seeing reports of the minority of successes.

~~~
barking
Thanks I get it now. It would be interesting to know if the chap who reported
being connected to, with 2FA on, had restricted access via the whitelist or
had left it the way mine was. I suspect the latter.

However I am so paranoid at the moment that I have decided to exit teamviewer
completely between uses until this all blows over.

EDIT: In the comments below the linked article is the best explanation yet in
my opinion:

>They sign into the website/client with the compromised credentials, and get a
list of what computers are online and waiting for connections from that
account.

[http://arstechnica.com/security/2016/06/teamviewer-users-are...](http://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/?comments=1&post=31311071&mode=quote)

------
brandon272
I don't know what to make of this. Is TeamViewer looking into this? They seem
to have immediately dismissed this as people with weak passwords without any
indication that any kind of investigation was performed. Is this because they
feel they are unhackable so these incidents are not worthy of investigation?
Are they looking into it?

The fact that all of these questions are up in the air means that I really
have no choice but to quit using the product. I don't do a lot of remote
support with other people but do need to access different computers of my own
(that are in different locations) at certain times. Before TeamViewer I would
use Hamachi + VNC which worked fine with the exception that Hamachi always
goes into "relay mode" when I am not on a very good connection, which was
always a joy to find out when I was on vacation and was unable to access
anything because all of the nodes were connected in "relay mode".

Someone else here mentioned ZeroTier as a Hamachi alternative, so I think I
will give that a try. A longer term goal is to link the machines together
using OpenVPN, which I am not currently an expert in.

------
brudgers
Initial Hacker News discussion, mainly for the top comment:
[https://news.ycombinator.com/item?id=11826431](https://news.ycombinator.com/item?id=11826431)

I am not an expert. The top comment helped me assess the risk.

~~~
puddintane
Of course, but if I've learned anything from camping it's to always prepare for
the worst weather possible. Very smart to treat this as TV getting hacked
versus simple password re-use due to the nature of money being taken from
victims.

This is also why I'm glad I've never used the accounts for TV and have always
resorted to the number generating system (if of course the breach is related
directly to the accounts).

~~~
voltagex_
Make sure you have the number generation on the more secure option. I'm still
using the accounts but only my machines are whitelisted to connect to each
other, plus I turned on 2FA. The next step may be to turn it on to LAN-only
mode and get my VPN working properly.

------
pmontra
The Teamviewer account is required to access another computer without someone
being there [1]. When you're helping a friend or demoing to a customer,
they're there to start their teamviewer and give you the access code. There is
no need for accounts if those are all your use cases and there is no risk to
be attacked without an account, is that correct?

[1] [https://www.teamviewer.com/en/help/410-what-is-a-teamviewer-...](https://www.teamviewer.com/en/help/410-what-is-a-teamviewer-account-and-how-do-i-sign-up-for-one)

~~~
arve0
The access code is probably generated server-side and can be snooped.

~~~
puddintane
If you read the article they tell you the most likely situation is the fact
that millions of passwords are leaked every day attached to emails in various
data breaches.

This breach could also be data leaked from TeamViewer but as of right now
there has been no official word as far as I can see. Considering users like to
use the same username and password a bot could easily run through a leaked
list and report any successful logins back to an attacker (an older exploit).

As far as I can tell the random numbers being generated are not affected but
users who have actual accounts are being affected. There has been no official
word but the number generating system being exploited over the accounts being
exploited seems far less likely. Only time will tell though, so hopefully we
will get an official word soon!

 _edit_ Seeing a lot of different theories in the comments and honestly I'm
not sure which one makes the best sense. I really do hope TV makes a comment
soon about how it's happening but we probably won't see that announcement
until they release the fixes which are supposedly later this year.

------
curiousgal
They did report DNS issues, it could be that someone hijacked their domain/DNS
and set up a fake authentication server. From there the possibilities are
endless. [0] jumps to mind.

0.[https://github.com/AlessandroZ/LaZagne](https://github.com/AlessandroZ/LaZagne)

~~~
ryanlol
They reported a DDoS attack on their DNS servers, I'm not sure how you draw a
connection between that and a DNS hijack.

Especially considering such a hijack would've in all likelihood been logged.

~~~
curiousgal
I didn't say it happened, I said it could have happened. It's just a
hypothesis since the article said the origin of the hacks is unknown.

~~~
cmdrfred
I have heard reports of the DNS server responding with a Chinese IP address.

~~~
voltagex_
I'm pretty sure they've had a Hong Kong endpoint in the past.

------
puddintane
Reading more into this I really do wonder if this is related to other
companies being hacked. If you look at this Reddit thread
[https://www.reddit.com/r/teamviewer/comments/4m6omd/teamview...](https://www.reddit.com/r/teamviewer/comments/4m6omd/teamviewer_breach_masterthread_please_post_your/)

and search "Do you have a TV Account". I have yet to find an answer from someone
that said No (meaning they use the numbering system; only yes, used to, and
"free", which is still a login). A lot of answers also include that they use the
same password for the same email for various accounts. A few don't, but
those numbers are very small and more than likely that user was compromised
another way.

 _edit_ Of course this is speculation and as mentioned in the original post of
this article we should assume this was TV being hacked versus just a simple
re-used password.

------
rando289
"we still don't know how." No one is stating the obvious: we would know more
if we had the source code.

~~~
dubbel
We would know more, but we wouldn't necessarily have an answer.

Reading the source code we cannot be sure that some vulnerable software was
not updated quickly enough on some production system of theirs, or say
anything about DNS poisoning etc.

------
jsmeaton
Happened to my friend about 3 weeks ago and he's a fairly savvy computer user.
Had 5k extracted from PayPal which has just been recovered. All my friends
have now uninstalled TeamViewer if they had it installed.

~~~
puddintane
Did your friend use the login system or the auto-number login generator?

~~~
jsmeaton
He said login. TeamViewer was always logged in and running in the background.

------
Ace17
It might be related to the fact that too many TV users usually send their
id+password in one single clear-text email.

~~~
barking
Very good point. I've seen that.

Or a piece of malware that checks if TeamViewer is running (or maybe even
opens it), reads the id and password from the window and sends those home.

------
jbverschoor
Disabled my TeamViewer. Relying on ZeroTier + remote desktop.

~~~
brbsix
I was going to suggest the same thing. ZeroTier has been an absolute dream in
eliminating the necessity for traditional gatekeeper services like TeamViewer
or Hamachi.

------
LarryMade2
Whenever I install TeamViewer I don't install it as a startup service. If I
have to remote into someone's computer, I want them to initiate the connection
process so they know what's going on.

------
pronoiac
Ugh! I use Team Viewer to take care of family computers. Is there a good
alternative on Macs behind NAT?

~~~
0x0
iMessage (via Messages.app) has remote control/screensharing built-in :)

~~~
emdd
And, unfortunately, like other Apple services (like Back to my Mac), it
suffers from access to computers behind routers.

~~~
RKearney
Computers behind routers? So... all internet connected computers then?

I use Back to my Mac from work all the time and I have no problem accessing my
iMac at home from my MacBook Pro at work.

~~~
emdd
Actually, yes. I used to be an Apple Genius and whenever we dealt with two
machines on separate LANs that required NAT, there were so many problems with
traversing the routers. We had to do manual setups with port forwarding or
DMZ. FaceTime seems to have significantly improved with this (but was awful when
it was iChat w/ Group Video chats), but Back to My Mac is still very
problematic: you can see this issue also by trying to Screen Share over
iMessage to other people. In my experience it only has about a 50% success
rate.

My home setup still doesn't work with Back to My Mac (and hasn't for years).

------
Havoc
It's pretty shocking that it's still available for download.

~~~
charlesdm
It's a private equity owned business. They paid around $600m for it. They're
not going to take anything down.

~~~
Havoc
They would if they wanted to preserve its image going forward. I actually need
a remote tool to help my parents & was planning on downloading TV. Guess
not...

------
rossrubacon
TeamViewer is constantly connected to a server even when you turn it off;
it's pretty much a complete tunnel through any firewall. Run VNC in server
mode, not as a service, map the ports through, and use non-standard ports.
None of these tunnel-setup, LogMeIn-type remote desktop viewers.

------
unusximmortalis
Is this for real?

~~~
cmdrfred
It seems TeamViewer is doing the "Deny, Deny, Deny" thing.

~~~
nikanj
Playing the devil's advocate here, but what do you think they should be doing,
in case these are a result of password re-use and similar user errors?

~~~
rossrubacon
Hard to say or prove that changing your password actually protects you. The best
method to avoid it is to not have it running. Like I mentioned before, when you
run something that uses a server to tunnel through your firewalls you have to
feel this server is trusted. I do not trust a server; I'd rather run a desktop
sharing tool like UVNC and control when it is on and off and have no unknown
party tunnel.

In the end when I was asked to install TeamViewer (I use Linux BTW) I could
see all the processes even after I turned it off. I would find myself killing
off the 3 or so processes that maintained a connection to a server. Heck, I get
a lot of "I am silly and it's secure". Now I have not had anything happen to me
and have yet to see anyone beyond stories online. Do not take my word for it: run a
debugger or trace it with Wireshark, do what you will, you will get a surprise. Sorta
like when I ran Skype in Linux and traced what it accessed (scary stuff).

