PCI Compliant? (Remote access granted to compromised personal computer).

Nfoster
Nfoster Posts: 53 ✭✭

So I learned today that it is possible to assign a unassigned computer to our TeamViewer account. Thus, granting anyone who has a login to our TeamViewer account, regardless of how restricted you set their account, to assign the free version of TeamViewer using their TeamViewer login. This scenario generates IDs with "Unnamed" computers under the Connection Report and there is no way to block these.

The concern here is that if a user that has a TeamViewer login installs the free version of TeamViewer on say their home computer that could be compromised, then signs in on that computer from home to gain access to his/her work computer, then that compromised computer has all the access of that user in our environment.

I was told that there is no way to either block such Unnamed computers and that there is now way to prevent a user with a TeamViwer login from assigning computer to their account.

I am consulting with our PCI Auditor, but I am 99% sure that this would violate PCI based on the lack of Access Control. TeamViewer needs to implement some sort of Conditional Access and/or the ability to restrict assigning computer to certain accounts to restrict this behavior.

I have already tested this and I can gain access to all of my computers that are assigned from the Unnamed computer that is NOT assigned nor part of our enviroment and if compromised, who knows the end results.

Comments

  • Nvader
    Nvader Posts: 1

    Based on what you described I too was able to setup this scenario and gain access to any of the computers that my TeamViewer account has access to? This is VERY BAD!!! I had to prove this to my boss as we evalutating products for remote access to various platfoms. TeamViewer has a very good feature set and perfomance is very good. However, if they are not able to resolve this issue we may need to look elsewhere.

    According to the PCI Security Standards Council. Here is the one that this issue might fall under. Now granted this is a bit vague as they are referring to Credit Card data, but even if you have VLAN'd off that network it is still possible to jump that wall or even get the keys from the Network Administrator. TeamViewer is not making it any easier to sleep at night.

    https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

    Implement Strong Access Control Measures

    1. Track and monitor all access to network resources and cardholder data. Logging systems that track user activity and stored archives can help your hosting provider pinpoint the cause in the event of a security breach or other issue.

    There are other agencies and identities that would flag this as well and one that TeamViewer would definitely would fall under is the Privacy Shield Framework.TeamViewer is based in Germany (GmbH). https://www.privacyshield.gov/welcome 

    Nfoster, I too agree. This is a very big concern. I do strongly feel that TeamViewer needs to resolve this issue. TeamViewer, I hope that you are reading my post as this is going to be a deal breaker.

  • Did you ever find a solution to this issue?

  • RainerH
    RainerH Posts: 1

    We are also looking for a way how to use Teamviewer in a PCI environment with our corporate licence. Is there any solution so far or is it only needed to enable 2 factor authentication for every technician?

  • Just wondering if there was an update to this post? Can TeamViewer be made to be PCI compliant?