In the past weeks there have been news articles claiming the widely used remote control solution TeamViewer had been breached.
A TeamViewer spokesman speaking with Arstechnica said that ‘the number of takeovers was "significant," but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed mega-breaches.'
Some users, however, also reported breaches even when two-factor authentication was used, but TeamViewer is said to have investigated these instances when log files were provided and found no evidence of two-factor authentication being breached. The hack means that everyone who has the solution installed, needs to either change their password, access-code, and needs to see if unwanted payments have been done.
What exactly happened with TeamViewer?
Users of TeamViewer saw the TeamViewer-box pop-up, saw their mouse move and even noticed payments were completed through eBay or PayPal accounts, without the consent of the user behind the keyboard. But does this mean TeamViewer was hacked?
The official answer from TeamViewer is ‘no'. The people who have access to remote machines could have used weak passwords, or re-used passwords to have ease-of-use while logging in. When this password is breached, an outsider can take over machines that are under remote control. On the other hand, users with strong, unique passwords were also compromised. There was no real proof (presented) whether or not TeamViewer itself was hacked, but 642 million user-accounts are now considered to be out in the open. The reports of compromised user however show it was an attack targeted on TeamViewer users (the remote control side). At the time of writing, the investigation is not yet closed.
Instead of trying to point the finger at who is at blame, it might be a better idea to first secure yourself and start solving the issue. As such, TeamViewer itself has released two new features and forced a reset of the login password:
Whitelist TeamViewerID: All previously approved incoming connections need to be confirmed once again to allow the remote-control. So if the IT-admin, helpdesk-employee, or yourself, are logging in to remote machines, the user behind the keyboard needs to approve this connection.
Data Integrity: This feature will track the ‘normal' behaviour and alerts whenever control is done from a non-standard location.
Password Reset: TeamViewer has marked ALL user accounts to renew their password. This means that every TeamViewer User account needs to enter a new password. If the credentials were stolen, they are now rendered useless.
There is another feature in TeamViewer that can be enabled. This is called 2FA, or two-factor-authentication. When 2FA is enabled it makes any account that little bit safer on the login-side and works by using one ‘static' password and one variable one that changes with each login and is sent to either your phone or any device of your choosing.
How do I know I'm compromised and what can I do?
There are a few steps to learn if your machine has been compromised including:
- Checking for any unexplainable use of your eBay or PayPal accounts amongst others
- Investigate if there were any changes to settings within your machine
- Go through your browsing history and check for any anomalous entries
- Look through your email's sent items for any unusual activity
- If you are more of a seasoned user, you can also check your TeamViewer logs.
- After checking for any unusual activity on your machine, you will then need to further protect yourself so don't forget to:
- Change passwords to any misused platforms (eBay, PayPal, even gaming-accounts) as soon as possible and do not allow the browser to remember the passwords; instead use a password-manager (this also avoids you from re-using passwords).
- Contact the respective payment platform to start the reimbursement procedure.
How about a free tool to help you in the future?
These steps will unfortunately not alert you to the fact that your computer might still be remote controlled. Luckily, our very own Nicholas Aquilina, a Security Researcher here at GFI Software has created a script that will let you know, either via SMS or email, about whether your machine is being remotely controlled. The .zip file can be downloaded by clicking here.
How does it work?
The script (in form of an exe-file) will continuously watch the TeamViewer11_Logfile.log file and as soon as someone connects and the TeamViewerID is NOT whitelisted, it will notify you via either SMS or e-mail. An SMS can be sent through services like Clickatell, alternatively an email can be sent through your own ISP/mailserver to an address of your choosing.
To enable this external alerting-feature:
- Unzip the file found here,
- Open the folder and open the config.ini with notepad (instructions about values are mentioned in the comments within the file)
- Save, close and run TeamViewerLogMonitor.exe
Access of the machine by non-whitelisted TeamViewer is now being monitored. If anything unusual is detected, an SMS or email (or both) will be sent to the configured recipients. This script will not stop any connections, but will only alert you when a machine is taken over.