In the current economic climate, we are increasingly turning to remote management tools to access the workplace of an employee or customer. Not so long ago, at the words "remote access" and "port forwarding" system administrators were noticeably sad. Now you no longer need to look for compatible products to connect different types of operating systems, it is enough to install Team Viewer (TV), just start it, you don't even have to install it. Moreover, in TV, you can also call, see the interlocutor, hear his surprised voice, and now you are already "moving" with the mouse over someone else's desktop. But how does it work? What pitfalls here can threaten sysadmins? In this article, I want to consider the principle of operation of this most popular software, and also compare with analogues - Anydesk, AmyAdmin, Radmin, Google remote desktop, Dameware and Lite Manager.
Team Viewer
- Team Viewer GMBH 2005 .
- - , Windows, Linux, MacOS, Android Chrome app IoT enterprise — . - - ( ) . - Flash.
- .
- , , , AES-256, — RSA-4096.
- Team Viewer , . – .
NAT
I think it's unnecessary to talk a lot about NAT on Habré. Briefly - the mechanism translates local IP-addresses of networks to external public and routed on the Internet and vice versa. Works at the edge of the network.
However, when talking about TV, it is important to remember the basics and briefly retell the RFC classification of NAT networks to understand the possible options for establishing a connection:
- Full cone NAT or NAT one-to-one - unambiguous translation of pairs. All packets from the internal IP address: port pair go through the external IP address: port pair. Any external host can forward packets to an internal address: port over an external IP address: port pair, provided this is allowed by the firewall.
- Restricted Cone NAT – («») : . , NAT , . c — .
- Port-restricted Cone NAT – , , , .
- Symmetric NAT or symmetric NAT - with this connection, the inside address: port is converted into a random free pair - outside address: port. Since the pair is dynamic - even if the same internal host sent a connection from the same port to another destination, the mapping pair changes dynamically. As a result, the external host can only send the packet back to the internal host. In this case, connection initiation from the public network is not possible.
There are also NAT implementations that combine these principles and, as a result, behave uniquely.
About the basic principles of TV
Team Viewer is both a server and a client at the same time. The TV application uses proxy servers on the Internet for keep-alive connections. The VP connection type is selected and installed by the TV itself.
The developers do not disclose the exact algorithm, however, according to the analysis of the log as a whole, the options are as follows:
- A connection with two external IPs, without NAT is the simplest and most common case of establishing a VPN connection, which is not interesting for us.
- IP- . , , , , . IP - TV. TCP UDP-. UDP hole punching. – , TV , . TV . , , , . . , TV, , , . , «firewall pinhole» .
- «» IP, (NAT). , NAT . TV https-. . – . , TV. 4G- hotspot .
Despite the huge simplification of connection tasks, the disadvantages of such control systems directly follow from their advantages:
TV has quick support versions that do not require installation or administrator rights and even start from a USB flash drive. It is enough to give the person a link-link to the program. Such a version can be generated with a pre-known password, and although there is a limit for a single session of 5 minutes, this is quite enough to gain a foothold and seize control of the OS, or to obtain secret data.
TV has given a powerful impetus to the development of remote access and control programs. There are dozens of alternatives - among the well-known in our country Anydesk, AmyAdmin, Radmin, Google remote desktop, Dameware, Lite Manager. While the 2020 pandemic has sparked an incredible increase in demand, not all vendors have grown as big as TV to keep up with security concerns.
Amyadmin. In 2016, he is notorious for surviving an attack on his website, as a result of which the official distribution was installed along with the Lurk Trojan. Although the problem has been fixed long ago, it hindered the popularity of the product.
Anydesk.A sensational product both in Russia and in the world, thanks to the field of near-banking fraud and trading. There is a known case of customer fraud (fraud) in Reserve Bank of India in 2019. Anydesk was offered to be put under the guise of a chat to solve problems. In 2018, unofficially modified, disguised Anydesk builds used for cybercrime were added by the Japanese from Trend Micro as virus signatures. Since then, in different antiviruses, software can work like a virus. In fact, Anydesk even has technological advantages over TV in the form of a more productive DeskRT video codec, which compresses traffic and produces 60 frames / s versus 30, as well as a more liberal license.
Chrome OS desktop- works directly from the browser, which can also be launched from a virtual machine or container. An example is the Google Chrome remote desktop in an isolated environment (application guard technology) for the Windows 10 Edge browser. At the same time, the application has no connection with the main OS, no access to disks or the clipboard; when the window is closed, the container is completely destroyed.
Chrome OS desktop is free and that says it all. However, you will not be able to control your mobile device from your PC, nor can you set up your phone from your phone. In this regard, Chrome OS desktop is significantly inferior to TV.
Antiviruses still classify these programs as riskware - potentially dangerous for providing remote access. The cybersecurity community characterizes a separate category of criminals - technical support scammers. These are crooks pretending to be legitimate remote support for large corporations. The basic scheme is based on cold calling and social engineering in order to achieve the installation of a TV or similar, then their approaches are inventive:
- installation of a keylogger;
- paid renewal of "expired license keys";
- convincing the victim that they are being attacked by hackers by running commands in cmd - netstat or recursion dir / s;
- downloading or deleting confidential documents by distraction and demanding ransom;
- locking the OS by setting a startup password;
- much more beyond the scope of this article.
The first mention of such cases began in 2008. Since TV is translated into 30 languages and is popular in almost all countries of the world, many have suffered. According to statistics, TV is already used by over 300 million people.
The most powerful measures to protect connections from Team Viewer
- The software is protected by a Verisign signature.
- TV has been certified to comply with ISO 27001.
- Session recording introduced.
- The authorization protocol was changed to SRP, the keys were strengthened in TV. The exchange of keys is carried out over RSA 4096 and the session is encrypted with AES 256. TV assures that "Man in the middle attack" is impossible.
- Implemented two-factor authentication for logging into a record.
- A blocking list has been introduced for incoming connections including those outside the original network.
- The possibility of unlimited test access without authorization has been destroyed (since 2016).
Despite the measures to protect enterprises, for administrators, controls such as TV are a loss of control and a huge headache. Along with the armored gates of corporate security gateways, with authorization and control of remote users, they receive a constantly open gate through which you can access the entire intranet without opening ports, authorizing and leaving VPN session logs.
A link to the software can come from anywhere and from anyone, it is enough to have at least some access to the Internet and you can already conduct an encrypted dialogue and control the PC. And then there are BYOD (personal) devices that bring to work, where TV or its equivalent can even be installed by default.
Yes, there are DLP solutions that can detect the launch of processes and new-fangled gateways like Checkpoint or Palo Alto, analyzing and blocking traffic not by ports, but by application signatures, but they need to be identified and added. And how many such versions can there be!
If you use such software as needed, you can come to a set of recommendations that are written by the developers themselves.
Developer recommendations when using TV or analogs
- Do not leave your PC during a session.
- Record other people's sessions, if possible.
- Remove or disable software after use.
- Use software that you downloaded and installed yourself, not what was sent to you.
- Do not accept help from strangers - the "provider" or "Microsoft" will not offer to download and use such a solution.
Overall, the Team Viewer concept fascinates me. It is a revolutionary product that balances convenience, safety and functionality. It just works, you don't need to forward ports, or go into the details of routing between networks, or configure firewalls where it is simply impossible to do this. Treat it with care like a loaded gun: know who you allow to connect, regulate usage when it comes to company, and life becomes easier.
Article author: Galiulin Timur GTRch