Remote-control tool wobbles offline, blames bad passwords for compromises
TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company’s systems mysteriously fell offline. TeamViewer denies it has been hacked.
In the past 24 hours, we’ve seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote-control tool on their machines. Even users with strong passwords and two-factor authentication enabled on their TeamViewer accounts say they were hit.
It appears miscreants gained control of victims’ TeamViewer web accounts, and used those to connect into computers, where they seized web browsers to empty PayPal accounts, access webmail, and order stuff from Amazon and eBay.
“Hackers got everything from me,” Doug, an Idaho-based Twitch streamer who was looking forward to celebrating his birthday today with his wife and two kids, told The Register.
“They remote connected in at 5AM MT, went into my Chrome and used my PayPal to buy about $3k worth of gift cards. And yes, I had two-factor authentication.”
Over on Reddit, people were lining up with tales of their systems being compromised via TeamViewer, sparking fears the platform had been hacked. TeamViewer makes remote-control clients for Windows, OS X, Linux, Chrome OS, iOS and Android.
“I never expected this to happen, but it did,” wrote Redditor Eric1084.
“When I sat down on my chair, I saw my mouse is moving across the screen. Of course, I immediately revoked remote control, and asked who [the hacker] is. At that point, he disconnected, and attempted to connect to my Ubuntu server, which has all my backups. Good thing I connected to [the server] right after he remote’d into my workstation. I revoked his permission before he tried to open Firefox. Immediately after, I started panicking, and thought he just stole all my passwords.”
Another Redditor, famguy07, added: “I had the same thing happen to me tonight. Luckily I was playing Rocket League. I terminated [the connection] after less than 10 seconds. Once it clicked in my brain what had happened, I logged into my server and exited TeamViewer to deal with it later.”
Pouring further fuel on the fire that TeamViewer had been infiltrated by criminals, at about 0700 Pacific Time (1500 in the UK) today TeamViewer suffered an outage lasting at least three hours, which knocked its website offline and left people unable to connect to their computers remotely.
It’s claimed TeamViewer.com’s DNS was screwed up during the IT snafu, thus stopping people from getting through to the Germany-based company’s servers. We’ve heard that its DNS servers were pointing towards Chinese IP addresses at one point, but we haven’t been able to verify that.
TeamViewer has said sorry for the downtime.
We are currently experiencing issues in parts of our network. We apologize for any inconveniences caused.
— TeamViewer Support (@TeamViewer_help) June 1, 2016
After getting its systems back online, TeamViewer insisted that its security was not breached. In a statement bizarrely dated last week but referencing today’s events, the biz instead blamed “careless use” of passwords by its customers. People aren’t using strong enough credentials, or are reusing passwords from websites that have been hacked – such as LinkedIn and Tumblr, we’re told.
“Users are still using the same password across multiple user accounts with various suppliers. While many suppliers have proper security means in place, others are vulnerable,” the company said.
@TheRegister Please know we have no security breach. We’re experiencing issues in parts of our network. We’re sorry for the inconvenience.
— TeamViewer Support (@TeamViewer_help) June 1, 2016
TeamViewer spokesman Axel Schmidt told The Register by phone from Germany tonight that his company has not found any sign of a breach, and suggested people who have been hijacked contact the police.
It is possible that some folks have been caught out by password reuse, or by weak passwords, or by a Windows Trojan disguised as an Adobe Flash update that’s doing the rounds using TeamViewer to backdoor machines.
Yet, we’ve heard from people who have used passwords unique to TeamViewer, who have enabled two-factor authentication, and have found no malware on their computers, losing control of their systems in the past few days via TeamViewer. It’s possible the DNS cockup was part of an elaborate plan by cyber-fiends to intercept people’s logins and swipe their passwords, but the company is adamant there was no security breach.
If you do use TeamViewer, now would be a good time to triple check your password and security settings to keep miscreants out, and inspect your connection logs and your web browser history for any unauthorized accesses. ®
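Inspecting connection logs is easier with a small script than by eye. The following is an added example (not code from The Register or from TeamViewer) that flags sessions in a TeamViewer-style incoming-connection log which started from a remote ID the owner has never used, or during hours when nobody should be at the keyboard. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, session type, session GUID, times as DD-MM-YYYY HH:MM:SS); the log lines, the "known" remote ID and the quiet-hours window are constructed for the example.

```python
"""Triage of TeamViewer-style incoming-connection log lines.

Added example, not code from The Register or TeamViewer.  It assumes the
tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID,
display name, start, end, local user, session type, session GUID, with
times as DD-MM-YYYY HH:MM:SS); the log lines and the "known" remote ID
below are constructed for the example.
"""
from datetime import datetime, time

# Constructed sample: two sessions from the owner's own laptop and one
# early-morning RemoteControl session from an ID the owner has never used.
SAMPLE_LOG = (
    "123456789\tWorkLaptop\t01-06-2016 21:14:02\t01-06-2016 21:40:55"
    "\tdoug\tRemoteControl\t{00000000-0000-0000-0000-000000000001}\n"
    "555444333\tBR-Support\t02-06-2016 05:02:41\t02-06-2016 05:11:09"
    "\tdoug\tRemoteControl\t{00000000-0000-0000-0000-000000000002}\n"
    "123456789\tWorkLaptop\t02-06-2016 09:30:10\t02-06-2016 09:35:00"
    "\tdoug\tFileTransfer\t{00000000-0000-0000-0000-000000000003}\n"
)

KNOWN_REMOTE_IDS = {"123456789"}          # assumed: devices the owner connects from
QUIET_HOURS = (time(0, 0), time(6, 0))    # assumed: owner is never at the keyboard then
TIME_FORMAT = "%d-%m-%Y %H:%M:%S"


def parse_connection(line):
    """Split one tab-separated log line into a dict; raise on malformed input."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}")
    remote_id, name, start, end, local_user, session_type, session_id = fields[:7]
    return {
        "remote_id": remote_id,
        "remote_name": name,
        "start": datetime.strptime(start, TIME_FORMAT),
        "end": datetime.strptime(end, TIME_FORMAT),
        "local_user": local_user,
        "session_type": session_type,
        "session_id": session_id,
    }


def flag_connection(conn, known_ids=KNOWN_REMOTE_IDS, quiet_hours=QUIET_HOURS):
    """Return the reasons a session deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if conn["remote_id"] not in known_ids:
        reasons.append("remote ID never seen before")
    if quiet_hours[0] <= conn["start"].time() < quiet_hours[1]:
        reasons.append("session started during quiet hours")
    if conn["session_type"] == "RemoteControl" and reasons:
        reasons.append("remote control was granted; check browser history for that window")
    return reasons


def triage(log_text):
    """Parse every line and return [(connection, reasons)] for suspicious sessions only."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_connection(line)
        reasons = flag_connection(conn)
        if reasons:
            flagged.append((conn, reasons))
    return flagged


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_LOG):
        minutes = (conn["end"] - conn["start"]).seconds // 60
        print(f"{conn['start']:%Y-%m-%d %H:%M} {conn['remote_id']} ({conn['remote_name']}), "
              f"{minutes} min {conn['session_type']}: " + "; ".join(reasons))
```

Point `triage()` at the contents of the real log file and replace `KNOWN_REMOTE_IDS` with the IDs of your own devices; every flagged session gives you a time window to compare against browser history and account activity.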
Updated to add
In a second statement today, TeamViewer said its DNS systems fell offline because they were pummeled by a denial-of-service attack. “TeamViewer experienced network issues because of the DoS-attack to DNS servers and fixed them,” the biz said. “There is no security breach at TeamViewer.”
TeamViewer users are being hacked in bulk, and we still don’t know how
For more than a month, users of the remote login service TeamViewer have taken to Internet forums to report their computers have been ransacked by attackers who somehow gained access to their accounts. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. No one outside of TeamViewer knows precisely how many accounts have been hacked, but there’s no denying the breaches are widespread.
Over the past three days, both Reddit and Twitter have exploded with such reports, often with the unsupported claim that the intrusions are the result of a hack on TeamViewer’s network. Late on Friday afternoon, an IBM security researcher became the latest to report a TeamViewer account takeover.
“In the middle of my gaming session, I lose control of my mouse and the TeamViewer window pops up in the bottom right corner of my screen,” wrote Nick Bradley, a practice leader inside IBM’s Threat Research Group. “As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!”
I run downstairs where another computer is still up and running. Lo and behold, the TeamViewer window shows up. Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page. As soon as I reach the machine, I revoke control and close the app. I immediately go to the TeamViewer website and change my password while also enabling two-factor authentication.
Lucky for me, those were the only two machines that were still powered on with TeamViewer installed. Also lucky for me is the fact that I was there when it occurred. Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak.
Bradley’s account came a few hours after Germany-based TeamViewer reaffirmed what it has steadfastly maintained for the past two weeks—that the account takeovers are the result of end users’ careless password practices. In a statement, company officials alluded to the recent cluster of “megabreaches” that have dumped more than 642 million passwords into the public domain over the past month. The officials wrote:
As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.
We are appalled by the behaviour of cyber criminals and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.
The statement went on to announce two measures being introduced in response to the large number of reported TeamViewer hijackings. The first, dubbed “Trusted Devices,” ensures that before a device can access an existing TeamViewer account for the first time, the account holder must explicitly confirm that the new device is trusted. TeamViewer is implementing the measure using an in-app notification that asks account holders to approve the device by clicking a link sent through e-mail.
The second measure, called “Data Integrity,” provides automated monitoring that detects when an account has been hacked.
“The system determines continuously if your TeamViewer account shows unusual behavior (e.g. access from a new location) that might suggest it has been compromised,” Friday’s statement explained. “To safeguard your data integrity, your TeamViewer account will be marked for an enforced password reset.”
TeamViewer spokesman Axel Schmidt told Ars that TeamViewer officials initially planned to introduce these security features later this year. The growing number of public posts reporting TeamViewer account takeovers prompted the early rollout, he said.
Drinking from the firehose
Watching all the TeamViewer-related tweets and Reddit comments scroll by in real time is like drinking from a firehose. While reports of infected computers and drained accounts have reached a deafening crescendo over the past 48 hours, similar stories have been circulating for more than six months. “Teamviewer hacked to allow intruder on my desktop!” one post from December reads. “Someone got into my TeamViewer account and apparently tried to send themselves money with eBay and PayPal. What can I do to figure out what else was done?” a TeamViewer user pleaded on Reddit last month.
Many of the posts claim the takeovers are the result of a breach in TeamViewer’s network, and they’re being repeated so often that they’re taking on the power of urban legend. A denial-of-service attack that disrupted TeamViewer’s domain name system infrastructure for a few hours on Wednesday, for instance, became proof the TeamViewer domain name had been commandeered through a technique known as DNS hijacking. So far, no one has unearthed any evidence of TeamViewer’s name servers using any unauthorized IP addresses, but that hasn’t stopped claims like this one from circulating widely. Besides there being no factual basis for any DNS spoofing, the theory makes little sense, since the hijacking would have taken place months after the account takeovers started.
The account provided by Bradley, the IBM security researcher, is consistent with TeamViewer’s position that the takeovers are the result of compromised passwords. Bradley said he had forgotten he had the remote login software installed on his computers, and the compromise was “most likely due to me not changing my leaked password.”
Not that TeamViewer’s public response has been much better. Representatives often go days or weeks without issuing any sort of statement, even though it’s clear that a significant number of users—likely in the hundreds or thousands—are being hit by attacks that expose their most sensitive data. When company officials do respond, they issue terse press releases that omit important details. TeamViewer, for instance, has yet to address reports that some of the attacks have successfully bypassed its two-factor authentication protection, or that the attacks worked against accounts protected with strong passwords.
TeamViewer’s claim that the surge in attacks is tied to the massive number of passwords that recently entered the public domain is plausible, but it’s likely not the only contributing factor. It wouldn’t be surprising if weaknesses in TeamViewer software are also involved. One possibility: a login mechanism that allows attackers to try large numbers of passwords without being locked out. Another: a flaw that allows attackers to circumvent two-factor protections. To date, TeamViewer’s public statements leave users with a sense the company isn’t providing a thorough accounting of what it knows, and that in turn gives way to mistrust and conspiracy theories.
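The two measures announced above (Trusted Devices and the Data Integrity check that forces a password reset on unusual activity) and the missing-lockout possibility raised here all sit in the same place: the account login path. The following added example (not TeamViewer's code) models all three as one login function: failed attempts are throttled per account so a leaked-password list cannot be tried without limit, an unseen device must be confirmed through an e-mailed token before it may sign in, and a login from a country the account has never been used from marks the account for an enforced reset. The thresholds, field names and sample accounts are assumptions made for the example.

```python
"""Account-protection controls of the kind described above.

Added example, not TeamViewer's code.  It models three defensive controls in
one login path: per-account throttling of failed attempts, a first-use
confirmation before an unseen device may sign in ("Trusted Devices"), and a
new-location check that marks the account for an enforced password reset
("Data Integrity").  Thresholds, field names and sample accounts are assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

MAX_FAILURES = 5                    # assumed: failures allowed before lockout
LOCKOUT = timedelta(minutes=15)     # assumed: lockout window


def hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard hash so that stolen hashes are slow to crack offline."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    trusted_devices: Set[str] = field(default_factory=set)
    seen_countries: Set[str] = field(default_factory=set)
    failures: int = 0
    locked_until: Optional[datetime] = None
    pending_confirmations: Dict[str, str] = field(default_factory=dict)  # token -> device
    must_reset_password: bool = False


def create_account(username, password, device_id, country):
    """The device and location used at sign-up become the first trusted ones."""
    salt = secrets.token_bytes(16)
    acct = Account(username, salt, hash_password(password, salt))
    acct.trusted_devices.add(device_id)
    acct.seen_countries.add(country)
    return acct


def attempt_login(acct, password, device_id, country, now):
    """Return (status, detail); detail is the confirmation token when one is issued."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked", None
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT   # throttles credential-stuffing runs
            acct.failures = 0
        return "bad_password", None
    acct.failures = 0
    if acct.must_reset_password:
        return "password_reset_required", None
    if device_id not in acct.trusted_devices:
        # Trusted Devices: a link carrying this token would be e-mailed to the owner;
        # nothing is granted until confirm_device() is called with it.
        token = secrets.token_urlsafe(16)
        acct.pending_confirmations[token] = device_id
        return "confirm_device", token
    if country not in acct.seen_countries:
        # Data Integrity: unusual location, so force a reset before anything else.
        acct.must_reset_password = True
        return "password_reset_required", None
    return "ok", None


def confirm_device(acct, token):
    """Called when the owner clicks the e-mailed link; unknown tokens are rejected."""
    device_id = acct.pending_confirmations.pop(token, None)
    if device_id is None:
        return False
    acct.trusted_devices.add(device_id)
    return True


def reset_password(acct, new_password):
    """Clears the enforced-reset flag; confirming the new location is left to the owner."""
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.must_reset_password = False
```

Note the ordering: the lockout check comes before the password check, the device check before the location check, so a correct password from an unknown device never reaches the account even when it arrives from a familiar country.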
Ars is calling on end users and network administrators who have been hit by this attack to provide log files in the hours leading up to the compromise. We’ll show those files to researchers who will attempt to pinpoint common causes. Readers can submit their logs by emailing me at the address found here.
In the meantime, TeamViewer users should ensure their accounts are protected with a randomly generated password that’s at least 10 characters long, contains numbers, symbols, and upper- and lower-case letters, and is unique. It’s also a good idea to run TeamViewer only when it’s truly needed, rather than allowing it to autostart each time a computer is turned on. How-To Geek has a thorough guide on locking down TeamViewer here.
TeamViewer engineers certainly have the ability to perform log analyses, presumably at a much more granular level than any outsiders can. But there’s more to these compromises than what TeamViewer has said to date, and it’s time we all learned what it is.