TeamViewer users are being hacked in bulk, and we still don’t know how
Dan Goodin
For more than a month, users of the remote login service
TeamViewer have taken to Internet forums to report their computers have
been ransacked by attackers who somehow gained access to their accounts.
In many of the cases, the online burglars reportedly drained PayPal or
bank accounts. No one outside of TeamViewer knows precisely how many
accounts have been hacked, but there's no denying the breaches are
widespread.
Over the past three days, both Reddit and Twitter
have exploded with such reports, often with the unsupported claim that
the intrusions are the result of a hack on TeamViewer's network. Late on
Friday afternoon, an IBM security researcher became the latest to report a TeamViewer account takeover.
"In the middle of my gaming session, I lose control of my
mouse and the TeamViewer window pops up in the bottom right corner of my
screen," wrote Nick Bradley, a practice leader inside IBM's Threat
Research Group. "As soon as I realize what is happening, I kill the
application. Then it dawns on me: I have other machines running
TeamViewer!"
He continued:
I run downstairs where another computer is still up and
running. Lo and behold, the TeamViewer window shows up. Before I am able
to kill it, the attacker opens a browser window and attempts to go to a
new web page. As soon as I reach the machine, I revoke control and
close the app. I immediately go to the TeamViewer website and change my
password while also enabling two-factor authentication.
Lucky for me, those were the only two machines that were
still powered on with TeamViewer installed. Also lucky for me is the
fact that I was there when it occurred. Had I not been there to thwart
the attack, who knows what would have been accomplished. Instead of
discussing how I almost got hacked, I’d be talking about the serious
implications of my personal data leak.
Bradley's account came a few hours after Germany-based TeamViewer
reaffirmed what it has steadfastly maintained for the past two
weeks—that the account takeovers are the result of end users' careless
password practices. In a statement, company officials alluded to the recent cluster of "megabreaches" that have dumped more than 642 million passwords into the public domain over the past month. The officials wrote:
As you have probably heard, there have been unprecedented
large scale data thefts on popular social media platforms and other web
service providers. Unfortunately, credentials stolen in these external
breaches have been used to access TeamViewer accounts, as well as other
services.
We are appalled by the behaviour of cyber criminals and are
disgusted by their actions towards TeamViewer users. They have taken
advantage of common use of the same account information across multiple
services to cause damage.
The statement went on to announce two measures being
introduced in response to the large number of reported TeamViewer
hijackings. The first, dubbed "Trusted Devices," ensures that before a
device can access an existing TeamViewer account for the first time, the
account holder must explicitly confirm that the new device is trusted.
TeamViewer is implementing the measure using an in-app notification that
asks account holders to approve the device by clicking a link sent
through e-mail.
The second measure, called "Data Integrity," provides automated monitoring that detects when an account has been hacked.
"The system determines continuously if your TeamViewer
account shows unusual behavior (e.g. access from a new location) that
might suggest it has been compromised," Friday's statement explained.
"To safeguard your data integrity, your TeamViewer account will be
marked for an enforced password reset."
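To make the two announced controls concrete, here is an added toy model of how a service could combine an out-of-band "Trusted Devices" gate with a "Data Integrity" anomaly flag that forces a password reset. It is illustrative code written for this article, not TeamViewer's implementation; the account fields, the `handle_login` decision strings and the use of a country code as the "location" signal are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Per-account state kept by the toy service (assumed structure)."""
    trusted_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> country awaiting e-mail confirmation
    reset_required: bool = False

def handle_login(acct: Account, device_id: str, country: str, password_ok: bool) -> str:
    """Decide one login attempt: deny, password_reset_required, confirm_device_by_email or allow."""
    if not password_ok:
        return "deny"
    if acct.reset_required:
        # Data Integrity: the account was flagged earlier, so a valid password alone no longer suffices
        return "password_reset_required"
    if device_id not in acct.trusted_devices:
        # Trusted Devices: the first sighting of a device must be confirmed via the e-mailed link
        acct.pending[device_id] = country
        return "confirm_device_by_email"
    if acct.known_countries and country not in acct.known_countries:
        # Data Integrity: a trusted device appearing from a new location is unusual; force a reset
        acct.reset_required = True
        return "password_reset_required"
    acct.known_countries.add(country)
    return "allow"

def confirm_device(acct: Account, device_id: str) -> bool:
    """Holder clicked the e-mailed link: trust the device and the location it was first seen from."""
    country = acct.pending.pop(device_id, None)
    if country is None:
        return False
    acct.trusted_devices.add(device_id)
    acct.known_countries.add(country)
    return True

def complete_password_reset(acct: Account) -> None:
    """Clears the enforced-reset flag once the holder has set a new password."""
    acct.reset_required = False

def demo() -> list:
    """Constructed walk-through: the holder's own laptop, then reuse of a leaked password."""
    acct = Account()
    log = [handle_login(acct, "laptop", "DE", True)]       # new device -> e-mail gate
    confirm_device(acct, "laptop")
    log.append(handle_login(acct, "laptop", "DE", True))   # trusted device, known country -> allow
    log.append(handle_login(acct, "unknown", "ZZ", True))  # correct password, unknown device -> e-mail gate
    log.append(handle_login(acct, "laptop", "ZZ", True))   # trusted device, new country -> forced reset
    log.append(handle_login(acct, "laptop", "DE", True))   # still blocked until the reset is completed
    return log
```

The walk-through shows why the e-mail gate alone is not enough: a stolen password on an unknown device is stopped, while an unusual location on an already-trusted device is what triggers the enforced reset.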
TeamViewer spokesman Axel Schmidt told Ars that TeamViewer
officials initially planned to introduce these security features later
this year. The growing number of public posts reporting TeamViewer
account takeovers prompted the early rollout, he said.
The account provided by Bradley, the IBM security
researcher, is consistent with TeamViewer's position that the takeovers
are the result of compromised passwords. Bradley said he had forgotten
he had the remote login software installed on his computers, and the
compromise was "most likely due to me not changing my leaked password."
Not that TeamViewer's public response has been much better.
Representatives often go days or weeks without issuing any sort of
statement, even though it's clear that a significant number of
users—likely in the hundreds or thousands—are being hit by attacks that
expose their most sensitive data. When company officials do respond,
they issue terse press releases that omit important details. TeamViewer,
for instance, has yet to address reports that some of the attacks have
successfully bypassed its two-factor authentication protection, or that
the attacks worked against accounts protected with strong passwords.
TeamViewer's claim that the surge in attacks is tied to the
massive number of passwords that recently entered the public domain is
plausible, but it's likely not the only contributing factor. It wouldn't
be surprising if weaknesses in TeamViewer software are also involved.
One possibility: a login mechanism that allows attackers to try large
numbers of passwords without being locked out. Another: a flaw that
allows attackers to circumvent two-factor protections. To date,
TeamViewer's public statements leave users with a sense the company
isn't providing a thorough accounting of what it knows, and that in turn
gives way to mistrust and conspiracy theories.
Ars is calling on end users and network administrators who
have been hit by this attack to provide log files in the hours leading
up to the compromise. We'll show those files to researchers who will
attempt to pinpoint common causes. Readers can submit their logs by
emailing me at the address found here.
In the meantime, TeamViewer users should ensure their
accounts are protected with a randomly generated password that's at
least 10 characters long, contains numbers, symbols, and upper- and
lower-case letters, and is unique. It's also a good idea to run
TeamViewer only when it's truly needed, rather than allowing it to
autostart each time a computer is turned on. How-To Geek has a thorough
guide on locking down TeamViewer here.
TeamViewer engineers certainly have the ability to perform
log analyses, presumably at a much more granular level than any
outsiders can. But there's more to these compromises than what
TeamViewer has said to date, and it's time we all learned what it is.