TeamViewer: People Being Hacked

There are many reports that those using the TeamViewer application are being subjected to hacks with their bank accounts being emptied and similar problems. The details of how the attackers are breaking in are not available, but it seems likely that it is the result of unfortunate configuration settings.

If you are using TeamViewer, you should consider one or more of the following :-

  1. Stop using TeamViewer. If you do not use it, you cannot be hacked. However, it should be possible to use TeamViewer safely if you follow the instructions below.
  2. Download the latest version of TeamViewer. The latest version is less likely to be vulnerable to exploits than earlier versions, and the instructions below apply to version 11.
  3. Set up the configuration as guided below. The most likely way that the attackers can get in to your computer is through an insecure configuration.
  4. Only run TeamViewer when necessary.

Another possibility is to use Bomgar, which is licensed for University use – speak to the IS Servicedesk to see if it is a possibility.

Configuring Strong Random Passwords

First start the TeamViewer application:


We need to change the security settings, so select “Options” from the “Extras” menu, and select “Security” on the tab down the left-hand side. For OSX, the menu options are slightly different – “TeamViewer”, and then “Preferences” and the appearance is different :-


First of all, do not configure a Personal password, as a randomly generated password is better. Unattended access does require a personal password; in that case you should use a long (at least 12 characters), strong password and pay careful attention to the other steps in this guide.

And do not configure “Grant easy access”.

The next thing is to change the password strength of the random password to “Very Secure” :-


Whilst “Very secure” might seem a little extreme, it is not so extreme whilst an active attack is ongoing – and I suspect weak random passwords are the way in for the attackers.

One further thing we need to do is to go to the “Advanced” tab and show the settings :-


In the “Advanced settings for connections to this computer” we want to change the “Random password after each session” to “Generate new” :-


This causes TeamViewer to change the random password after each session.

Configuring Rules for Connecting

If you use a TeamViewer account, there are a few other things we can set up. On the very same page of settings we have a set of rules we can configure to determine who can connect :-


The first option is specifying whether a TeamViewer client can use the logon screen; leaving it set to “Not allowed” is the most secure option here.

The next thing to do is to set up a whitelist; click on the “Configure” button next to the “Black and whitelist” :-


Select “Allow access only for the following partners”. By default the list works as a list of people who are not allowed to connect, and filling in that list could be quite tedious! By only allowing specified “partners” to connect, we can limit this list to just your account.

Click on “Add” and select yourself. The whitelist will be updated to include your name :-


(Obviously the name you see will be different here)

Configuring Two-Factor Authentication

Lastly, it is very strongly recommended that you set up two-factor authentication on your TeamViewer account. To begin with you will need an authenticator app on your phone such as the Google Authenticator (the one I used).

Log in to the web page at https://login.teamviewer.com/ and you should get to the management console with a web page that has the following at the top left :-


At this point select your name at the right which should drop down a menu :-


Select the “Edit profile” option and you should see a “Profile settings” screen displayed which will include :-


Click on the “Activate” next to “Two factor authentication” to start the process; first a warning screen :-


The next screen shows a QR code to enable two-factor authentication in your phone’s app :-


(I have obscured the QR code deliberately)

Scan this with your authenticator app, and it should be added to the list within your app, and it will generate a code to be used on the next screen :-


Once you activate this, you will be shown a further screen containing a special code to deactivate two-factor authentication. Record this safely – such as within your personal KeePass password store.

Once enabled, you will need to use the authenticator app to enter an additional time-based code every time you log in.

Further Information

The following links are to more information on the incidents :-

  1. http://www.tripwire.com/state-of-security/featured/teamviewer-hack-pc-hijack/
  2. http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/
  3. https://www.reddit.com/r/teamviewer/comments/4ktys8/teamviewer_security_best_practices/