0

I was AFK from my Windows 10 machine, without locking it, and came back to an active TeamViewer session and someone remotely performing a PayPal donation. I do not have TeamViewer installed.

I'll reinstall my machine and make some security changes; however, I'm wondering: would the same thing have been possible if my session was locked? Does locking one's session protect against any form of remote control?

schroeder
drake035

3 Answers

2

TeamViewer works like physical access to the machine. The remote user would still have to log in to the Windows session, if you locked the machine. I think it can still transfer files, if I'm not mistaken. So you wouldn't be 'safe' at all. But it would be a little less convenient for the bad guy.

So locking your machine wouldn't block the attacker from connecting remotely, but it would stop him from using your active user session the way you described it.

Martin Fürholz
  • Unless the TV connection was made outgoing from the machine... No login required. – schroeder Aug 10 '20 at 14:51
  • 1
    I did some experimenting: it looks like TV has closed some loopholes I used to take advantage of a long time ago (has it really been 7 years?). Yes, locking the machine would require the remote user to unlock the machine. It might be possible that using a vulnerable version of TV might bypass some of these controls and other methods of remote access might not have these types of security controls. However, if the attacker already has access enough to run TV, then getting a password is not a big stretch... – schroeder Aug 10 '20 at 15:14
1

Locking the machine only blocks being able to physically interact with it. It is still running in the background, including all the networking.

So, yes, the machine is still running, even when you lock it, which means that all functions, including "backdoors", still function.

This is true even for legitimate use of TeamViewer. It is normal to keep the machine running, lock it, go home, then use TeamViewer to access your machine from home. It's how "work from home" was done for a long time for many people. The computer is still running and all the functions still work.

Sleep/suspending, on the other hand, is different.

schroeder
  • I'm confused, can remote control still occur then? Meaning can somebody use Chrome on my machine, see my last pages visited, visit a website and use saved passwords, things like that? – drake035 Aug 10 '20 at 13:38
  • Of course. What is the source of your confusion? – schroeder Aug 10 '20 at 13:39
  • Well, could this particular attack have taken place if I had locked my session for instance? – drake035 Aug 10 '20 at 14:25
  • 1
    Yes, for all the reasons I stated. The machine is still running, the network is still active, etc. Try this: start a YouTube video, keep the speakers on, then lock the machine. The video will just keep going. The computer is still ... computing. The network is still active. Everything is still running, even though you can't see it. – schroeder Aug 10 '20 at 14:29
  • 1
    With a regular TeamViewer session you would still have to log in to your Windows session, when you locked the machine. – Martin Fürholz Aug 10 '20 at 14:40
1

Locking a Windows computer with Windows+L simply prevents the physical user from interacting with any of the processes running within your user. Any processes you have open in your user continue running and this is why you can download a file and lock your computer, and it will continue downloading while your computer is locked.

TeamViewer interacts with Windows as if an extra keyboard/mouse/monitor were plugged in. This is why anything seen through TeamViewer is the same as what the physical person in front of the computer would see. Other software, notably Remote Desktop, interacts with your user session directly, which is why you can log in with Remote Desktop even when the computer appears locked to a physical person sitting there.

If you lock your PC, most forms of remote control become more inconvenient for the attacker, but you're certainly not completely safe. TeamViewer may still transfer files, as Martin Fürholz mentioned. If you want to be certain nobody can use your machine while you're not sitting in front of it, your best bet is to disconnect the computer from the network, hibernate or shut down. On sleep, you should be safe, but it depends on your settings. Some programs can wake up the computer and exit sleep, but your computer should disconnect from the network so you avoid the TeamViewer-style attack. You can configure Windows to stay connected to the network while on sleep, and in this case sleep doesn't protect against remote control attacks.

Since in your case you didn't have TeamViewer installed, you should probably be quite concerned about possible malware, because if the attacker had the necessary privileges to install TeamViewer, they may have done more than just PayPal. Resetting the PC (ideally with fresh install media) is the best solution there.
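
The points made in the answers above (processes and network sockets survive a lock, Remote Desktop attaches to the session directly, and sleep may or may not drop the network) can be checked on a given machine. The script below is an added example, not part of any answer on this page; the process and service name patterns are an assumed, non-exhaustive list chosen for illustration.

```powershell
# Added example: inventory what stays reachable while the Windows session is locked.
# Run from an elevated PowerShell 5.1 prompt on Windows 10.
# Assumption: these name patterns are illustrative only, not a complete list
# of remote-control software.
$remoteToolPatterns = 'TeamViewer*', 'AnyDesk*', 'winvnc*', 'vncserver*'

# 1. Remote-control processes currently running. Locking the session does not
#    stop them; the Path column shows where the binary was launched from
#    (a portable copy in a temp or download folder needs no installation).
Get-Process -Name $remoteToolPatterns -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# 2. Matching services, which start without any user being logged in.
Get-Service -Name $remoteToolPatterns -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# 3. Listening and established TCP sockets with their owning process.
#    These stay open after Windows+L; loopback-only connections are skipped.
Get-NetTCPConnection -State Listen, Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            State   = $_.State
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Process = $owner.ProcessName
            ProcId  = $_.OwningProcess
        }
    } |
    Sort-Object Process |
    Format-Table -AutoSize

# 4. Remote Desktop: fDenyTSConnections = 0 means inbound RDP is allowed,
#    and RDP logs in to the session even while the console shows the lock screen.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
'Inbound RDP allowed: {0}' -f ($ts.fDenyTSConnections -eq 0)

# 5. Sleep states. If the output lists
#    "Standby (S0 Low Power Idle) Network Connected", the machine keeps its
#    network connection while asleep, so sleep alone does not cut remote access.
powercfg /a
```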