After the Oldsmar attack on February 5, the FBI cautioned users of TeamViewer to review internal networks and existing access control policies. Some security experts recommended the removal of TeamViewer from use. Given the conflicting recommendations, many organizations are left wondering if they should remove TeamViewer. We decided to explore the topic with several IT experts.
What was the Oldsmar Attack?
The Oldsmar attack did not receive significant media coverage because it wasn’t successful. It did, however, have the potential for real-world consequences. Oldsmar is a small town of 15,000 people north of Tampa, Florida. Hackers were able to connect to a computer at the city’s water treatment plant, take control of it, and change the levels of sodium hydroxide (lye) being added to the city’s drinking water. A plant operator reversed the changes immediately with no impact on the drinking water. According to the report, the hackers accessed the network using TeamViewer, a remote access solution that gave them control over the computer.
What is TeamViewer?
According to its website, TeamViewer is a comprehensive remote access, remote control, and remote support solution that works with almost every desktop and mobile platform. TeamViewer allows remote control of a target computer when its software is installed on both devices. It is free for non-commercial use and can be downloaded from the company’s website.
Once the application is on the target computer, the user provides the remote user with the credentials necessary to identify the target. After the credentials are entered, the remote device connects to the target and assumes control. At this point, the remote user can troubleshoot the device, install software, or demonstrate how to use an application. Since its initial release, TeamViewer has expanded to include a cloud-based solution.
Is TeamViewer a Security Risk?
According to Ashu Singhal of Orion Networks, TeamViewer’s popularity and ease of use have made it vulnerable to attacks, primarily because of leaked credentials. If organizations do not activate multi-factor authentication, they increase the chances of someone accessing their network.
Compromises
In 2016, TeamViewer users reported that remote users were controlling their devices without their authorization. At the time, TeamViewer indicated the compromised user accounts were most likely the result of stolen or weak passwords. Although the company denied that the compromises were the result of their software, the company did state in 2019 that their infrastructure had been attacked in 2016, but no customer information was stolen, and the attack was stopped.
Since 2016, TeamViewer has added two features to strengthen security.
- Any new device attempting to use TeamViewer will be verified using a registration email with links to approve the device.
- All accounts are monitored for unusual activity. If unauthorized use is suspected, an email will be sent enforcing a password reset.
However, credentialing continues to be the primary vulnerability for the application.
Risks
Palindrome Consulting’s Ilan Sredni says his primary concern with TeamViewer is the proliferation of free accounts that are never shut off when employees or service providers end a relationship with a company. Remote workers may also download the software without the knowledge of security personnel. The top vulnerabilities include:
- Credentials. TeamViewer information is often sent via email or remains unchanged because the session is never closed, making it easy for hackers to gain access.
- Insiders. TeamViewer provides malicious insiders a connection to client computers which can be difficult to trace if credentials are shared.
- Updates. Many users continue to run older versions of TeamViewer that may not have the security measures of later releases.
Eric Weast of ECW Network & IT Solutions believes TeamViewer is only safe if an organization is actually using it. As Weast went on to state, “TeamViewer accounts can be secured, but it is up to the IT Department or Managed Services Provider to block unauthorized use. The network needs to be audited and any outliers removed.”
Security Measures
“No company’s solution is ever 100% safe,” according to Scott Gallupe of 403Tech. “However, TeamViewer has made every measure to secure their products.” Using the solution means taking responsibility for implementing security measures such as the following:
- Use a VPN for privileged devices and servers.
- Monitor TeamViewer usage. If it is not the authorized remote access tool, make sure it is not installed on an employee’s device by checking traffic logs.
- Collect TeamViewer logs. The solution creates several logs that can be reviewed for malicious or questionable usage patterns.
- Use Multi-Factor Authentication. TeamViewer allows for 2FA to be used, which reduces the risk of unauthorized use.
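As an added illustration of the "Monitor TeamViewer usage" measure (not code from the article, the experts quoted, or TeamViewer), the Python example below scans traffic log lines for TeamViewer's documented primary port 5938 and the teamviewer.com domain, and reports any source host that is not on an approved list. The key=value log format, the `APPROVED_HOSTS` inventory and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# TeamViewer's documented primary port and its domain.
TEAMVIEWER_PORT = 5938
TEAMVIEWER_DOMAIN = "teamviewer.com"
# Assumption: hosts approved to run TeamViewer (hypothetical inventory).
APPROVED_HOSTS = {"10.0.4.17"}

# Constructed sample lines in a hypothetical key=value firewall/DNS log format.
SAMPLE_LOG = """\
2021-02-08T09:14:02Z src=10.0.4.17 dst=203.0.113.10 dport=5938 proto=tcp host=router3.teamviewer.com
2021-02-08T09:15:40Z src=10.0.7.22 dst=203.0.113.11 dport=443 proto=tcp host=master4.teamviewer.com
2021-02-08T09:16:05Z src=10.0.7.22 dst=198.51.100.8 dport=443 proto=tcp host=www.example.org
2021-02-08T09:17:31Z src=10.0.9.5 dst=203.0.113.12 dport=5938 proto=udp host=-
2021-02-08T09:18:00Z src=10.0.9.8 dst=198.51.100.9 dport=443 proto=tcp host=notteamviewer.com
malformed line without fields
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return a dict of key=value fields plus 'ts', or None if unusable."""
    parts = line.split(None, 1)
    fields = dict(FIELD_RE.findall(parts[1])) if len(parts) == 2 else {}
    if "src" not in fields or not fields.get("dport", "").isdigit():
        return None
    fields["ts"] = parts[0]
    return fields

def teamviewer_reason(fields):
    """Explain why a record looks like TeamViewer traffic, or return None."""
    host = fields.get("host", "-").lower().rstrip(".")
    # Match the domain itself or a true subdomain, not look-alike suffixes.
    if host == TEAMVIEWER_DOMAIN or host.endswith("." + TEAMVIEWER_DOMAIN):
        return "hostname " + host
    if int(fields["dport"]) == TEAMVIEWER_PORT:
        return "port %d/%s" % (TEAMVIEWER_PORT, fields.get("proto", "?"))
    return None

def find_unapproved(log_text, approved=APPROVED_HOSTS):
    """Map each unapproved source IP to its list of (timestamp, reason) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        reason = teamviewer_reason(fields) if fields else None
        if reason and fields["src"] not in approved:
            hits[fields["src"]].append((fields["ts"], reason))
    return dict(hits)
```

Because TeamViewer can fall back to ports 443 and 80 when 5938 is blocked, a port match alone will miss clients; the hostname match needs DNS or proxy logs that record the requested name.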
Weast recommends that companies learn how to secure all applications and establish baseline policies. His team at ECW Network & IT Solutions audits its customers to ensure that unauthorized remote support tools are blocked or removed. Using security best practices is the best way to secure any network, no matter the applications in use.
Bottom Line
TeamViewer is convenient. Consider a typical case: support staff have worked with an end user for hours without making any headway. Out of frustration, they ask if the user has TeamViewer. When the response is yes, they download the solution and take control of the device. The problem is fixed in five minutes, but did support remember to shut down the application? To be safe, did they uninstall it? Probably not.
No software solution is without vulnerabilities. Deciding whether to use a specific tool means weighing the risks and the benefits. Obviously, TeamViewer is not the only remote access control solution, so before deciding on a solution, investigate alternatives to find the best fit for your organization’s size and requirements. Then, secure the solution using the latest cybersecurity best practices.