2012-03-18

Who controls the remote control?

Would you click on allow?

The original story is about exploiting free product support by trying to sell premium support on non-existent issues.
Would you allow a complete stranger full control over your PC?

I've made some tests myself with two of the most prominent remote support offering: WebEx and Teamviewer.
WebEx does not allow unattended download of files: each file should be explicitly shared by the owner.
Teamviewer, instead, allows full filesystem access, and a file transfer request from the controlling end, opens a notification window on the remote side with full logging. Sadly that window can be minimized and can be easily ignored by a less expert user.

I'm not saying here that Teamviewer GmbH will exploit your computer, but there's a chance that someone using it, could.

So much for the corporate level support, but there is a whole market for personal connectivity.
I was browsing the appstore for an RDP/VNC app to control my PC, and I saw that there are plenty. Some of them even require you to install an host component on the target PC. Apparently this trend has been fueled by Microsoft, by disabling Remote Desktop on the Home edition of the latest Windows versions.
What kind of guarantee the user has that the host and the remote app don't do anything suspicious?
Most of them, don't even connect directly the client to the server, but use some kind of external gateway, to overcome NAT issues.
This a classic man-in-the-middle scheme.
Do you trust their encryption?
Do they keep a copy of your remote control session?
Nearly all of this remote control apps have file transfer capabilities:
Once you have given full access to your pc, how much it takes for the "man-in-the-middle" to download browser history, password cache, "My Documents" folder?

So, by looking at my cristal ball, I may say that the next wave of phishing malware will come in the form of free remote control tools.

No comments:

Post a Comment