How secure is TeamViewer for simple remote support?

There are a couple of differences between using a 3rd party supplier (such as TeamViewer) and a direct remote control solution (e.g., VNC).

TeamViewer has advantages in that it doesn't require ports to be opened on the firewall for inbound connections, which removes a potential point of attack. For example, if you have something like VNC listening (and it isn't possible to restrict source IP addresses for connections) then if there is a security vulnerability in VNC, or a weak password is used, then there is a risk that an attacker could use this mechanism to attack your customer.

However, there is a trade-off for this, which is that you're providing a level of trust to the people who create and run the service (in this case TeamViewer). If their product or servers are compromised, then it's possible that an attacker would be able to use that to attack anyone using the service. One thing to consider is that if you're a paying customer of the service, you may have some contractual come-back if they're hacked (although that's very likely to depend on the service in question and a whole load of other factors).

Like everything in security it's a trade-off. If you have a decently secure remote control product and manage and control it well then I'd be inclined to say that that's likely to be a more secure option than relying on a 3rd party of any kind.

That said, if the claims on TeamViewer's website are accurate it seems likely that they're paying a fair degree of attention to security, and also you could consider that if someone hacks TeamViewer (who have a pretty large number of customers) what's the chance that they'll attack you :)
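
The exposure described in the answer above (a VNC service listening for inbound connections from any source) can be checked on the host itself. The following is an added example, not part of the original answer: it parses `ss -H -ltn` output and reports listeners in the conventional VNC port range that are not bound to loopback. The port range 5900-5999, the function names and the sample output are assumptions made for illustration.

```python
import ipaddress

# Assumption: conventional VNC/RFB ports (5900 + display number).
VNC_PORTS = range(5900, 6000)

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 [::]:5900 [::]:*
LISTEN 0 5 192.168.1.10:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5903 [::]:*
LISTEN 0 5 *:5904 *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port', '[v6]:port' or '*:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    return addr, int(port)

def classify(addr):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-interface"

def exposed_vnc_listeners(ss_output):
    """List (addr, port, scope) for VNC-range listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers and non-listening sockets
        addr, port = split_endpoint(fields[3])
        if port in VNC_PORTS and classify(addr) != "loopback":
            findings.append((addr, port, classify(addr)))
    return findings

if __name__ == "__main__":
    for addr, port, scope in exposed_vnc_listeners(SAMPLE_SS):
        print(f"VNC-range listener {addr}:{port} ({scope}): "
              "restrict source IPs at the firewall or tunnel the service")
```

A listener bound only to loopback is reachable solely through a tunnel such as SSH port forwarding, which is why those entries are not reported.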


Take a look at this security analysis of TeamViewer. In short, it's definitely not secure on untrusted networks: https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

Conclusion:

It is my recommendation that TeamViewer not be used on an untrusted network, or with the default password settings. TeamViewer does support increasing the password strength to a configurable length, and using alphanumeric passcodes, but it’s unlikely that casual users will have changed this setting. Keep in mind that there is a substantial attack surface in TeamViewer that needs more analysis such as the unauthenticated, plaintext communication between client to server (over 100 commands are supported and parsed on the client side), as well as many peer-to-peer commands, routed through the gateway server. Despite the danger to this much exposed attack surface, the risk is somewhat mitigated by an extensive use of std::string and std::vector instead of C-style strings and arrays.


I just want to add an answer which I think hasn't been touched upon yet. When you connect via TeamViewer to another computer, you share your clipboard with that computer (by default).

Therefore, everything you copy onto your clipboard is also copied onto the clipboard of the computer you are connected to. By installing a clipboard tracking application such as ClipDiary, on the host computer, you can keep a record of everything copied onto the clipboard by the person connecting to you.

Most of the answers here are focusing on the security of the computer being used as the host, but this is also a potential security issue for the computer connecting to the host, especially if you use a password management tool such as KeePass, as the host computer could potentially have a record of usernames and passwords (and potentially URLs if you also copy the URL from KeePass to your browser) on the clipboard history after your session is over.