TeamViewer is a great utility for remotely helping your relatives or for IT people servicing small businesses. But using it in large organizations, and especially for critical infrastructure, is rather risky, as shown in a recent attempt to poison the water of a city in Florida.
The details of the story are important, as the actual impact has been mitigated by good monitoring procedures by the employees on shift as well as by a physical limitation in the amount of the dangerous chemical that could have been released, but we’d like to focus on the broader picture. It’s easy to say “Don’t use TeamViewer”, but with lack of budget, lack of security experts on the market and lack of executive understanding of the risk and importance, using TeamViewer is just a symptom.
TeamViewer is not bad per-se. It has its place for helpdesk tasks, especially in a work-from-home scenario, even in larger organizations. But it lets you easily shoot yourself in the foot by silently exposing one or more computers (and therefore possibly a large part of your infrastructure) to the internet.
What Are The Security Risks From Using TeamViewer?
The security risks are several:
- Leaked credentials – TeamViewer’s goal is to be easy to use. Therefore credentials are easy to dictate over the phone or to be pasted in an email. But that makes them prone to leaking. Leaked credentials mean full takeover by a malicious party
- Malicious insiders – TeamViewer allows malicious insiders to just do whatever they want. To make things worse, many people go with simple defaults and that leads to credential sharing, which makes it hard to spot the malicious actor.
- 0days – TeamViewer is effectively a cloud service – both parties connect to a TeamViewer server. This allows TeamViewer to enforce security policies (e.g. brute force protection), but it is not immune to 0day vulnerabilities. One such brute-force example has been reported in 2018. Another more recent example allows phishing attacks to take control of the target machine
How to Make TeamViewer More Secure?
TeamViewer is fine when attended, i.e. when there are people on both ends, at least at the start of the connection. But because it runs in the background, the target machine can be taken over at the absence of a human observer. That’s why it’s important to take several security measures regarding TeamViewer:
- Avoid using TeamViewer, at least on servers and privileged users machines – instead, use a VPN and then SSH or RDP to the machine you need. pfSense is an open-source (and free) Firewall with VPN capabilities that are relatively easy to setup. It’s a great option, especially if the budget is tight.
- Look for TeamViewer usage across the organization – you may have a VPN, but some employees might still ignore general recommendations and run TeamViewer. You can detect TeamViewer usage by collecting traffic logs (e.g. from the Firewall). Once the logs are collected, you can use for the TeamViewer port (5983), or for TCP/443 requests to IPs with PTR records resolving to *.teamviewer.com, or (if you have an agent installed on each endpoint), look for the TeamViewer process. All of that can typically be achieved through a properly configured SIEM. Once you find the “offenders”, there are different approaches (communicate or block)
- Collect TeamViewer logs – if you have to use TeamViewer, collect its logs. It generates several types of logs, including connection logs, so those should be collected (e.g. by your SIEM) to look for potentially malicious usage patterns (e.g. out of business hours use).
- Configure 2FA – TeamViewer allows for 2FA to be setup. That reduces the risk of machine takeover by leaked credentials
- Configure whitelists – often you know where you are going to need access from. Whitelist those IPs to block any other party from gaining access.
The advice above ranges from “don’t use it at all and block it” to “if you have to use it, apply common security measures”. And we mention SIEM twice, which probably sounds out of place in the context of smaller organizations that can’t afford a proper Firewall, let alone a SIEM. This is one of the reasons we at LogSentinel bring SIEM to mid-market organizations and even SMEs with predictable and affordable pricing.
Looking at the broader picture, organizations need people and easy to use tools in order to both get their job done and at the same time mitigate security risks. People are expensive and hard to find, and “easy” and “secure” rarely go hand in hand. But “bashing” TeamViewer for the risks it introduces because of its ease of use will get us nowhere. More importantly, a security-conscious leadership, an affordable (or open-source) firewall and a good SIEM can greatly reduce security risks, including those related to TeamViewer, and that’s the direction we should be taking.
Learn more about how LogSentinel SIEM can mitigate the security risk of using TeamViewer:
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.
