Remote access tools for Windows are very popular these days, both with genuine users and with crooks.
Windows Remote Assistance, for example, allows other people to connect to your computer and see what’s on the screen while you’re working in order to help you along:
When you’re having a computer problem, you might want to get help from someone else. You can use Windows Remote Assistance to invite someone to connect to your computer and assist you, even if that person isn’t nearby. Make sure you only ask someone that you trust, because the other person will temporarily have access to your files and personal information.
It’s as though the other person’s screen, keyboard and mouse were plugged in, via enormously long cables, to your computer.
In fact, they might as well be sitting at your desk, in your office, using your computer directly.
Fake technical support scammers – the criminals who call you up at home and lie to you that you have a virus that needs cleaning – love remote access tools.
Ironically, those guys don’t usually use their remote access to steal your data or implant real viruses (although they could, might, and occasionally do), not least because they know you’re watching along while they “support” you.
For them, remote access merely serves to make it look as though they’re actually doing something to justify the substantial fee they’ll charge you when the “problem” has been “fixed.”
But if crooks figure out your password and use it while you aren’t around, remote access software can be a different sort of gold mine.
They could steal your files and sell the data on the underground; raid your PayPal account to buy “gifts”; buy products on Amazon; read your email; post to your social media accounts; feed false information to your business contacts; and much more.
Worse still, they wouldn’t need any Unix-style command line skills or hacking expertise: they could do it all with the keyboard and mouse, just like they would at home.
The TeamViewer brouhaha
In the last couple of weeks, claims have erupted on Reddit saying that a gang of crooks are doing just that.
These unknown crooks, apparently, are making unauthorised connections to users of TeamViewer and ripping them off.
(TeamViewer, based out of Germany, is one of a number of popular remote access services on the market these days.)
In fact, these claims have developed into accusations that the breaches are best explained by a hack at TeamViewer itself that has given the crooks some sort of backdoor into customers’ computers.
TeamViewer isn’t impressed by this explanation, and has reacted with a strongly-worded press release:
[T]he source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.
TeamViewer’s advice for avoiding “careless use” of its service includes:
- Use a different password for each account.
- Don’t tell other people your passwords.
- Use two factor authentication.
- Use a password manager.
Who’s right?
A recently-created thread on Reddit with the title TeamViewer Breach Masterthread is trying to collect some evidence.
The thread encourages users to report if they think they’ve been hacked recently, and to answer questions including:
- Do you have a TeamViewer Account?
- Was two-factor authentication enabled?
- Is your TeamViewer password the same as any other password?
Of course, the fact that someone had a TeamView account and got hacked says nothing about whether the TeamViewer account had anything to do with the intrusion…
…but the results are interesting nevertheless.
At the time of writing [2016-06-03T23:00Z], just under 80 people had responded.
Of those, 53 said they’d been hacked somehow.
But just one of them had two-factor authentication enabled on TeamViewer, and 37 admitted they’d used their TeamViewer password on other accounts.
As far as we can see, that evidence doesn’t point any fingers at TeamViewer.
What to do?
- Watch our video on How to Pick a Proper Password.
- Turn on two-factor authentication (2FA) if you can.
- Avoid leaving remote access tools in “automatically allow connections” mode.
Most remote access tools, including TeamViewer, can be configured so that they will pop up and ask for your approval before allowing a connection.
That’s a simple and effective way to prevent crooks from wandering in while you aren’t there.
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
Jon
“Of those, 53 said they’d been hacked somehow.
But just one of them had two-factor authentication enabled on TeamViewer, and 37 admitted they’d used their TeamViewer password on other accounts.”
But several were certain they’d set up a unique and difficult password for TeamViewer through KeePass. It’s difficult to see how that could be explained by a breach of another website.
Paul Ducklin
True. I wasn’t suggesting that “password must have been acquired from elsewhere due to re-use” was the one-and-only explanation, just that it was a possible explanation in a significant majority of cases. Admittedly, the prevalence of weak security amongst those who say they were hacked doesn’t prove anything…but it is a worrying concern.
My point is that the Reddit discussion started out with the optimistic title “TeamViewer Breach Masterthread”, as though the culpability of TeamViewer would quickly emerge…
…but that’s not what happened.
I think that on the evidence discussed here, TeamViewer has to be given the benefit of the doubt, not the other way around.
And maybe, just maybe, it’ a bad idea to leave GUI-level remote access enabled to a Windows box that [a] is unattended [b] is unlocked [c] has PayPal accounts that can be accessed via passwords “remembered” by your browser [d] is a cornerstone of your online lifestyle and [e] is accessible with just a static password that is phishable, keyloggable, guessable.
Bryan
Duck: what are your thoughts on a dedicated app for 2fa? I personally strongly prefer an SMS text to an app I need to keep running on my phone (ex: Steam gaming platform, TeamViewer). Not even necessarily about trusting the app as much as trying to keep a minimal footprint on my phone’s ever-growing task list. Am I being paranoid/too OCD?
and finally, I’ve a few complaints to lodge…
[a] I can only upvote once
[b] I can only upvote once
[c] I can only upvote once
[d] I can only upvote once
[e] I can only upvote once
Paul Ducklin
I like SMSes, too, not least because they don’t require a shared cryptographic secret that both you and the service provider have to store (the seed for the sequence of one-time codes). But if you live in an area where mobile phone reception is unreliable, the SMS approach can be a problem.
Bryan
I generally get good reception, so I forget sometimes that can present issues. Do the dedicated apps have any advantage over straight texting? Seems they’d suffer the same issue. Unless you mean those dedicated fobs over anything tied to a mobile phone at all…haven’t seen those in awhile.
Paul
As I uninstalled TeamViewer and deleted my accounts, I did not know if they were the source of the issue.
After reading two articles that reported on the breaches, I checked the TeamViewer website for anything referencing the breaches. Nothing on the main page, the support page or the blog.
I left TeamViewer because they left me in the dark. I have unique passwords everywhere. Had I seen the press release, I would probably have enabled 2FA and beefed up my passwords.
Bryan
To paraphrase Duck’s answer above, this wasn’t likely to be the fault of TeamViewer. I understand your point about wanting a notice of some sort, but they have millions of users and 53 were hacked, with 37 admitting they’d re-used the password.
I envision this having very little to do with actual TeamViewer *accounts* and more to do with each PC’s local access password.
The mark was duped into/by online “support,” who took quick screenshots of TeamViewer’s config with the password showing, then _performed_ support as they nonchalantly gathered information about when the box was likely to be unattended, disguised as casual waiting-for-this-thing-to-load banter: “I work this support job every day after school; do you get to work regular hours, Mister Target?” Come back later, snoop to their hearts’ content.
My TV account has been fine, with 80+ PCs on it.
Ging
I haven’t been hacked and don’t expect to (touch wood), but let me get this straight to see if I’m understanding this correctly. The only people that are getting hacked are people with a TV account (like myself) that paid for the service and use it to ‘support’ others. Or is it people with ‘free’ TV that use it to connect to friends or family etc adhoc when needed?
My scenario is that I have my main computer with TV running. It automatically logs into my account, which I’ve paid for, which I see 3 computers ‘attached’ to my account which I regularly log into from my main computer (there is nobody at those computers so asking for permission is NOT an option). My main computer is NOT listed in ‘my computers’ as I have not setup unattended access for it, just the 3 other computers have unattended access setup so they show on my list.
In this scenario, who is getting hacked? My computer or the 3 listed in ‘my computers’, via my TV account where when the hacker logs in they’re able to see my 3 computers listed under ‘my computers’ so they’re able to hack into those 3 computers?? Therefore my computer is not getting hacked because unattended access is not active on it.
From my understanding, peoples paid TV accounts are getting hacked and if they have computers in ‘my list’, THOSE computers are getting hacked into because they’re setup for unattended access?
Please help me understand because I use TV regularly to support clients and they’re refusing to run TV because of this and I don’t think they’re at risk as they don’t have unattended access active.
Bryan
Ging, my TeamViewer use is similar to yours. Maybe I’m off base, but I interpreted this issue to be more along the lines of someone being duped by fake “I’m calling you from Windows” charlatans who suggested TeamViewer as a remote assist aid. The ones raising a public stink seemed to hope they’d speedily and collectively blame TV as a company.
For every admin using a paid account there are probably a dozen using free accounts for a handful of PCs (Mom, work, home). Of course connection to a given TV peer is irrespective of whether it’s tied to an account.
Once the thieves have guided you through installing TeamViewer (if it’s not already) they can even reinforce the premise that they’re being helpful by saying, “you should increase the password from six characters to ten; it’ll make you more secure,” as they nab a screenshot of the new password before quickly closing it on your screen. It wouldn’t be tough to do this fast enough to distract/reassure the mark into not thinking another moment about it.
The (second-to) final nail in the coffin could be scrolling garbage like ‘env’ or ‘set’ in a command prompt for ominous effect, “fixing” something minor and then saying “hey this was quick, why don’t I just charge you $19.95–that’s the minimum I’m allowed to bill you for my time, or I’ll get in trouble.” That last act of buddy-ism proves I’m on your side, and you forget you even installed WhateverTeamer in the first place, let alone change the passwd or uninstall.
Some friendly banter in the middle, and I can even have a good idea of your work schedule and a starting point for when I try reconnecting to you.
Ging
Hi Bryan,
My first thought was that too, but from reading the reddit stuff, it doesn’t sound like people fell for the fake ‘overseas’ help desk calls. I took it as people with TV installed on their computer were watching their mouse move around WITHOUT letting anyone in or being on the phone previously or at the time of seeing their mouse move.
I personally think the people that got hit used their TV password more than once on other sites and one of those sites got hacked and they got in that way. I’m just still not sure who’s getting hacked though. Is it the TV account holder, or the people in that accounts ‘my computer’ list?
I’m trying to find out how because I want to know if it’s going to affect my family and clients.
There are 3 ways I use TV
1. I have a paid account and I have TV installed on my computer but it’s not listed on my account or setup for unattended access. But I am signed into my account on startup.
2. My family have the free version setup on their computers and they’re setup for unattended access and listed on ‘my list’
3. My clients have the free version setup but not setup for unattended access and not on ‘my list’. Some have it permanently installed and some install it when I’m needed (I have a personalised download link in my sig).
I’m not worried about scenario 1 getting hacked as I’m not listed anywhere or not on unattended access, but I am signed into my account on startup.
I am worried that scenario 2 and 3 will get hacked if they have TV running 24/7.
So basically I’m trying to understand who’s getting hacked and in what type of scenario above are they in when they got hacked? 1, 2 or 3? Or other scenario I’m not familiar with??
Cheers
Bryan
Interesting. I skimmed the Reddit thread but didn’t find compelling evidence to implicate TeamViewer as an entity. I’m betting you’re right about re-used passwords. AFAIK there hasn’t been a breach of the TV servers or in the screen-sharing TCP stream that could facilitate unauthorized access.
What I’d do:
– increase every local password to maximum (my biggest beef with TV is the 10 char limit, but hopefully that’ll change soon)
– changing even passwords already at 10 characters wouldn’t hurt
– advise all users to treat this password respectfully and reiterate the bad guy is in their chair if “fido1” is breached
– disable the TV auto-startup for everyone from groups 2 & 3 who can bear the potential delay to manual startup
I understand hesitance to tell paying clients there may be a vulnerability in an app you recommend, but maybe notify family to be extra vigilant–the additional candor may protect them the most.
And lastly, advise everyone to password-lock their screens at home can benefit against malware and the cat walking across the keyboard. A shared-but-locked screen is far less worrisome.
Sowmya
To answer Ging’s query, I dont think it is just the paid accounts on TV being used. I have the free version setup and I hardly every use it. In fact the only few times I used it was to log into someone else’s system and never the other way around. However, amidst a conversation with my husband I suddenly noticed that my laptop was operating on its own. The mouse was moving across the web browser, opened a new tab and immediately opened paypal and tried to log into my account. Fortunately, we killed the wifi and didnt experience any loss, but it left me shocked and scared for security!