teamviewer.com link icon
or
Ask The Community

Bug or security problem?

I recently started up my computer, and shortly after login, noticed the TeamViewer "active session" sidebar arrow -- the little "tab" on the lower right corner of the screen indicating that there is a remote user connected. I was concerned because I should be the only one with remote access to my computer. I expanded the tab and saw the normal session list interface, but there were no active session listed. I clicked the "X" in the corner to close it, and was prompted to choose between closing the session(s) and just closing the interface -- I selected to close the session.

I opened the log directory and first checked "connections_incoming.txt" -- no entries since last week. I looked at "TeamViewer15_Logfile.log", and there's a huge amount of debugging information. The only thing that concerned me there was a line that says"VoIP: Meeting session created: MeetingID = m000-000-00, ParticipantID = [{my TV ID},{another ID}], MeetingGUID = " (line ends after "MeetingGUID = "). The "another ID" appears in a lot of other places and might be specific to the PC in question.

This was during initial TV startup, I think. After that there's a ton of granular information about the VoIP service, requesting endpoints, establishing pipelines, whatever, and at the same time the rest of the TV components and services are getting set up, all in the span of maybe 20 seconds.

Eventually, I start seeing lines like

VoIP: System performance (last 10s): CPU load of system = 79%

VoIP: AudioControl: Current capturing endpoint: "Default Communication Device"

VoIP: AudioControl: Current rendering endpoint: "Default Communication Device"

VoIP: AudioControl: Previous capturing endpoint volumes: Histogram (#samples=60): Range = [0,1)+=0.1, FF = .........A

This repeats for a while until the system goes to sleep, then continues from when I wake it up until I notice the weird empty session list described above. I think that's around the time where the logs show a bunch of lines like "VoIP: Sender: Terminate" and other things that sound like a shutdown process.

This computer doesn't even have a microphone (desktop PC, nothing connected) so I'm pretty sure nobody was connected in and eavesdropping. I checked my TV account online and it only showed connections from my area ("Windows 10" / my city), and I've got 2FA enabled. I'm hoping this means it was a weird bug in TV and not a hacking attempt. Is there anything else I can do to be sure?

I'm using TV 15.21.8 and there don't appear to updates available, if that matters.

Tagged:

Answers

  • Akiho
    Akiho Posts: 733 Moderator
    edited October 2021

    Hi @Thw0rted,

    Thank you for contacting TeamViewer Community.

    We would like to confirm more details. Please kindly provide us a screenshot of the error message. 

    So that we may assist you further.

    Thank you in advance for your understanding and patience.

    Best Regards,

    Akiho


    Japanese Community Moderator / コミュニティモデレーター

  • Thw0rted
    Thw0rted Posts: 14 ✭✭

    Hi Akiho, unfortunately I didn't grab a screenshot of the empty session list tab before I closed it, and it doesn't seem to have happened again since. I can PM you a portion of my logs if you like (I assume there's personal information in them not fit for posting here). I'm mostly just trying to figure out if what appears to be an active VoIP session, when nobody is connected, is either normal behavior or a known issue with the current build.

    I'm not in front of the machine right now but will try to get the log file sent over when I have access to it.

  • Thw0rted
    Thw0rted Posts: 14 ✭✭

    I sent a PM with a portion of the log file, if that helps.

  • Thw0rted
    Thw0rted Posts: 14 ✭✭

    Hi @Akiho_S , I had a similar issue just now on a different system. Is there any kind of record, either on the local computer or in my online profile, that would help me identify whether there was actually an active connection, and if so, what device / IP it came from? I see a "connections_incoming.txt" in the log file directory but that only has start and stop date/time , plus an account name and number.

  • Akiho
    Akiho Posts: 733 Moderator

    Hi @Thw0rted,

    Thank you for respecting the Community guideline, and thank you for coming back to the Community🍀

    Unfortunately, we are not able to individually review peoples logfiles in the Community.

    As you have seen, they contain a lot of technical information and are not for the layman. However, we do have a basic guide on this here.

    I spoke with @Scotty who is one of our Support Engineers who deals with logfiles and assisted with the guide above and he confirmed that the logs you provided are a blank meeting with no other participants.

    Meeting session created: MeetingID = m000-000-00
    

    It is important to note the "little tab" doesn't just indicate that someone is connected to you. It is a control panel for many things including meetings.

    In this case, the fact that the panel gave you the option to close it without closing the session means it can NOT have been for an incoming session. (It is impossible to close the panel for an incoming session without closing the session for security reasons). The panel can only be closed for outgoing sessions (it is used for outgoing sessions in many circumstances) or meetings. So if the time stamp in the logs matches, based on all the information you gave, I would say that this was a meeting with no participants.

    For future though, as prevention is always better than cure I would recommend you set up an Allowlist so that you can be sure you are the only one that has access. We have a guide on our best practices here.


    Hope this would be helpful.

    Let us know if you have any other questions!

    Akiho


    Japanese Community Moderator / コミュニティモデレーター

  • Thw0rted
    Thw0rted Posts: 14 ✭✭

    Thank you for the links, Akiho, I will definitely read more about your security best-practices.


    I didn't mention it last night, but this time I was sure to poke around in the panel before trying to close it, and even managed to get a picture. (I didn't do a screenshot because I wasn't sure if the overlay method TV uses would capture correctly)


    Within a minute or so after turning the computer on, I noticed the panel. The entry I've blacked out in the Session list is my full name (TV username) and the correct TV user number for my account, confirmed in the "About" section of the Android app. The session list entry was there from the start. I clicked the Video and Chat buttons myself, those weren't open to start with -- I tried sending a chat message to see if it would show up on one of my other signed-in devices, but it didn't as far as I can tell. Eventually, I used the drop-down arrow next to my name in the session list to "close session", before shutting the computer down when I was done with it.

    This is why I wanted to see how to tell where an incoming session comes from, because I think this is the same way the panel looks when I make a connection from one of my devices to another. As I said I'll read through the guides, but any other advice you can give would be appreciated.

  • Thw0rted
    Thw0rted Posts: 14 ✭✭

    I had a chance to review your links and I'm still not sure if this is a bug or somebody logging in using my account. In the page about reading log files, I saw

    All successful connections are listed in the Connections_incoming.txt log that you can find in your TeamViewer folder

    and there is in fact a line in that file that matches with the time when I turned on the computer, so it looks like there was some kind of successful connection attempt. I was able to go through all the steps on that page, and find log lines matching the successful authentication "story":

    Stage 1, I see

    CommandHandlerRouting[1490]::CreatePassiveSession(): incoming session via DE-FRA-XXXX-XXXX.teamviewer.com, protocol Port443
    
    

    which sounds like a region that's near me (DE-FRA). Stage 2, I see

    CLoginServer::CheckIfConnectionIsAllowed()
    CLoginServer::AuthenticateServer()
    

    as documented. Stage 3 gets a little weird. I see

    LookupPublicKeyV2: Manager {~keyabcd1234} does not have EasyAccess right, reject Authentication
    

    but the next two lines are

    AuthenticationPublicKey_Passive::Verify: Success
    AuthenticationAll_PAssive::RunAuthenticationMethod: authentication was successful
    

    So, a rejection and then a success? Then I see lines that match Stage 4

    CPersistentParticipantManager::AddParticipant: [This computer's 10-digit ID, A 9-digit number] type=3 name=My Full Username
    WindowObserver::SessionStart: -1;  type: 1
    CPersistentParticipantManager::AddParticipant: [This computer's 10-digit ID, A 9-digit number] type=3 name=My Full Username
    

    Note that the first and third lines there are identical, i.e., adding the same participant twice. Some lines later I see

    CParticipantManagerBase participant My Full Username (ID [My 10-digit TV user ID, 3]) was added with role 6
    

    then a lot of VoIP setup happens, then

    CPersistentParticipantManager::AddParticipant: [My 10-digit TV user ID, 3] type=6 name=My Full Username
    


    What jumps out at me is that in the documentation, the 10-digit numbers in the first position within square brackets during Stage 4 are supposed to be user IDs, but in my case the first two are computer IDs -- somehow the "computer" is joining the session. I also noticed this log line a few lines after the SSL handshake finished:

    AcceptServer::HandleAccept: new connection from 127.0.0.1:53083
    

    Maybe that's normal, and you have a second process proxying the TCP connection or something, but it seemed strange that the connection would appear to come from localhost. There's no other sign of a source-IP or source-device-ID to tell me where the connection originated.