After checking the individual security settings the TeamViewer software offers, we want to provide some background information about the Data Centers and the Backbone of our infrastructure, as well as some information about encryption, authentication and validation.
We want you to feel safe and secure, knowing that TeamViewer focuses on the highest standards and provides a strong and secure platform for you.
Data Centers and Backbone
All TeamViewer servers are housed in state-of-the-art data centers that are compliant with ISO 27001 and leverage multi-redundant carrier connections and redundant power supplies. These include RAID array data protection, data mirroring, data backup, highly available server storage, and router systems with disaster recovery mechanisms and procedures in place to deliver continuous service. Additionally, all servers storing sensitive data are in Germany or Austria.
The data centers have implemented state-of-the-art security controls, which means that personal access control, video camera surveillance, motion detectors, 24×7 monitoring, and on-site security personnel ensure access to the data center is only granted to authorized persons and guarantee the best possible security for hardware and data. There is also a detailed identification check at the single point of entry to the data center.
Code Signing
As an additional security feature, all of our software is signed via DigiCert Code Signing.
In this manner, the publisher of the software is always readily identifiable. If the software has been changed afterward, the digital signature automatically becomes invalid.
TeamViewer Sessions
How are sessions created
When establishing a session, TeamViewer determines the optimal type of connection. After the handshake through our master servers, a direct connection via UDP or TCP is established in 70% of all cases (even behind standard gateways, NATs, and firewalls). The rest of the connections are routed through our highly redundant router network via TCP or HTTPS tunneling.
You do not have to open any ports in order to work with TeamViewer.
Encryption and authentication
TeamViewer traffic is secured using RSA public/private key exchange and AES (256-bit) session encryption. This technology is used in a comparable form for HTTPS/SSL and is considered completely safe by today’s standards.
As the private key never leaves the client computer, this procedure ensures that interconnected computers—including the TeamViewer routing servers—cannot decipher the data stream. Not even TeamViewer, as the operator of the routing servers, can read the encrypted data traffic.
All Management Console data transfer is through a secure channel using TLS (Transport Layer Security) encryption, the standard for secure Internet network connections. Secure Remote Password protocol (SRP), an augmented password-authenticated key agreement (PAKE) protocol, is used for authorization and password encryption. An infiltrator or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password. This means that strong security can even be obtained using weak passwords. However, TeamViewer still recommends adhering to industry best practices for password creation to ensure the highest levels of security.
Each TeamViewer client already contains the public key of the master cluster and can thus encrypt messages to the master cluster and check messages signed by it. The PKI (Public Key Infrastructure) effectively prevents man-in-the-middle (MITM) attacks. Despite the encryption, the password is never sent directly but only through a challenge-response procedure and is only saved on the local computer. The password is never transferred directly during authentication because the Secure Remote Password (SRP) protocol is used. Only a password verifier is stored on the local computer.
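The following is an added illustration of the SRP idea described above, not TeamViewer's code: a generic SRP-6a exchange showing that only a verifier is stored and the password never appears on the wire. The group (2**521 - 1, generator 3), the hash layout and all function names are assumptions chosen for brevity, and the final proof messages that confirm the key are omitted.

```python
import hashlib
import secrets

# Demo group only (assumption): 2**521 - 1 is prime, but it is NOT a
# standardised SRP group. Real deployments use vetted groups such as RFC 5054.
N = 2**521 - 1
G = 3
NBYTES = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over the parts; integers are padded to the modulus width."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

K_MULT = H(N, G)  # SRP-6a multiplier k

def make_verifier(user, password):
    """Enrollment: the verifying side stores (salt, v), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, f"{user}:{password}".encode())
    return salt, pow(G, x, N)

def srp_login(user, typed_password, salt, v):
    """Run one exchange; return (client_key, server_key, wire_messages)."""
    # Client -> server: user name and ephemeral public value A
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    # Server -> client: salt and B, computed from the stored verifier only
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * v + pow(G, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal public value")
    u = H(A, B)
    # Client derives the shared secret from the password typed by the user
    x = H(salt, f"{user}:{typed_password}".encode())
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server derives the same secret from the verifier
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    wire = {"user": user, "A": A, "salt": salt, "B": B}
    return H(s_client), H(s_server), wire
```

The two derived keys match only when the typed password matches the one used at enrollment; an observer sees just the user name, salt, A and B.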
Validation of TeamViewer IDs
TeamViewer IDs are based on various hardware and software characteristics and are automatically generated by TeamViewer. The TeamViewer servers check the validity of these IDs before every connection.
Brute-Force Protection
Prospective customers who inquire about the security of TeamViewer regularly ask about encryption. Understandably, the risk that a third party could monitor the connection or that the TeamViewer access data is being tapped is feared most. However, the reality is that rather primitive attacks are often the most dangerous ones.
Find a detailed description of the Brute-Force protection here:
TeamViewer Ports
TeamViewer has been designed to work without opening up specific ports to make a connection, and you also do not need to turn off your firewall.
TeamViewer's powerful software allows you to keep your device fully secured while making or performing remote connections.
Find a detailed description of the TeamViewer Ports and more information here:
Destination IP Addresses
The TeamViewer software will connect you to your partner via the most suitable router. The router's location depends on many parameters, mainly availability and performance. Our master server infrastructure is located in Germany. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.
Having said that, from a security point of view, this should not really be necessary – TeamViewer only ever initiates outgoing data connections through a firewall, so it is sufficient to simply block all incoming connections on your firewall and only allow outgoing connections over port 5938, regardless of the destination IP address.
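If you do restrict destinations by PTR record as described above, the check should be forward-confirmed, because a PTR record is published by whoever controls the reverse zone of an address. The sketch below is an added example, not TeamViewer tooling; the host names and addresses in the sample data are constructed, and the function names are assumptions.

```python
import socket

ALLOWED_SUFFIX = ".teamviewer.com"  # from the article: PTRs resolve to *.teamviewer.com

def system_ptr(ip):
    """Reverse lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """All addresses the name resolves to via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def is_teamviewer_ip(ip, ptr=system_ptr, forward=system_forward):
    """True only if the PTR name is under the suffix AND resolves back to ip."""
    name = ptr(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    if not name.endswith(ALLOWED_SUFFIX):
        return False
    return ip in forward(name)

# Constructed sample data (documentation address ranges, made-up host names).
SAMPLE_PTR = {
    "192.0.2.10": "relay-a.teamviewer.com.",
    "198.51.100.7": "relay-b.teamviewer.com",     # PTR only, no matching A record
    "203.0.113.5": "teamviewer.com.example.net",  # look-alike name
    "203.0.113.9": "host.notteamviewer.com",
}
SAMPLE_A = {"relay-a.teamviewer.com": {"192.0.2.10"}}

def classify_sample():
    """Run the check over the constructed records without touching the network."""
    return {
        ip: is_teamviewer_ip(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
        for ip in list(SAMPLE_PTR) + ["192.0.2.99"]  # last one has no PTR at all
    }
```

Called without the two resolver arguments, `is_teamviewer_ip` uses the system resolver for live lookups.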