TeamSpeak 3 Security Awareness

Harrasan

Restricted
Jul 18, 2015
Ok... so let me see if I got this straight...

You're trying to tell us that TeamSpeak is super insecure because it's relying on Qt - an open-source cross-platform application framework - which is used by thousands of companies all around the world. Even if we assume that the TeamSpeak developers are not the brightest bulbs in the chandelier (which I think is true), Qt has great documentation and a huge community behind it. Sure... you have to use Qt's stuff correctly, but since none of us has access to the TeamSpeak codebase... we simply don't know what they're doing. Which brings me to another one of your arguments... proprietary software.

Yes, TeamSpeak is proprietary software... such as every damn game you're playing and probably 90% of the software you're using. If you don't trust the company making a product... don't use it! It's as simple as that. Oh... and also... don't run every software with admin privileges! In your video, I see you're using Windows and I heard an iPhone ring in the background. I assume you also have a GMail account... Do I need to say more? In addition, you're recommending VMware Workstation which is... guess what... proprietary software. You've got to be kidding us.

Which brings me to another topic... that virtualization thingy. TeamSpeak is software widely used in gaming communities. Are you seriously expecting gamers to run a full-blown virtual machine that eats up your hardware resources and also adds a ton of delay to TeamSpeak's audio transmissions? I don't think so.

Sorry, but I found the announcement email you sent to your users to be very offending... and while I'm not a security expert, your posting reads like you have no idea what you're talking about or you're from another planet.
 

Jackbox

Active Member
Jan 2, 2016
Sorry, but I found the announcement email you sent to your users to be very offending... and while I'm not a security expert, your posting reads like you have no idea what you're talking about or you're from another planet
Perhaps I was not clear about my specific reasoning, but take a peek over here: https://www.gartner.com/smarterwithgartner/gartner-top-technologies-for-security-in-2017/

Microsegmentation
Microsegmentation means implementing isolation and segmentation for security purposes in the virtual data center. This can stop attackers who are already in the system from moving laterally to other systems.

TeamSpeak 3 has had RCE (remote code execution) affecting users in the recent past. Go ahead and run TeamSpeak 3 however you want. I have done my best to run it within a Linux VM for a long while now after finding the arbitrary code execution with the R4P3 team. Keep in mind that when I say recent past, I am counting within the past ~2 years because since then I am unaware of any (internal) proper security audit on their software. Too, from the sounds of it --- security was not a primary concern to their CEOs even after we disclosed the RCE and flooded their emails with security notices for them to fix it.

R4P3 actually uses Zoho for email accounts which is public intel via DNS: https://www.zoho.com/security.html

Perhaps you think I am from another world because rather than dedicating my life to gaming for countless hours, I focus on security research and both work in cybersecurity, and attend college for a cybersecurity degree. Do what makes you happy, sir. I'm not going to discount all mobile devices because of "security risks" but at least my phone doesn't explode and burn houses down. :D

Being realistic, both iOS and Android devices alike have suffered from security issues. The latency experienced from virtualizing your software should be minimal. Please provide reasoning to me how the slight latency is significant enough to risk the security of your entire fucking computer system. We are not talking seconds of delay. But we are talking about microsegmentation of TeamSpeak 3 for security or sending/receiving audio slightly faster to possibly get your system compromised by a malicious individual. With the rise of ransomware activity, I would not be surprised if attackers begin targeting largely networked systems e.g. TeamSpeak 3. If ransomworms show up regularly, which I am predicting along with many other security researchers to be in our near future --- I would run TeamSpeak 3 no other way than in a VM. Unless TeamSpeak 3 carries out an internal security audit on their application, you have no clue what is under the hood and praying is not practical here.

I realize that not everyone has 16 GB of RAM, but most should have at the very least 8 GB.. and if you scale your system appropriately, there should be little issues. Please let me know how you "securely" run TeamSpeak 3 other than just biting the bullet of risk/trust. There is a strong history of TeamSpeak 3 being riddled with security issues and your idea is to just trust them now? Smart(!)

Rather than the VMware "virtualization thingy", I opted to demonstrate using Oracle VirtualBox as their solution is open source. I personally run VMware because while their solution is proprietary, VMware is used in enterprise/corporate environments and is fairly trusted by large businesses. In fact, VMware publishes security hardening guides over here: https://www.vmware.com/security/hardening-guides.html
 

Harrasan

Well... in fact the TeamSpeak Client never had an exploit involving RCE. What you could do is have people download malicious files to their autorun start menu directory due to a directory traversal bug in TeamSpeak's caching system... so it's more an RFI issue rather than RCE. While this was a very very stupid mistake by the TeamSpeak developers, it looks like they've released a fix pretty damn fast (exploit was published on Oct 22nd 2015 and the fix one day later on Oct 23rd 2015). Also, it was limited to Windows platforms as nearly all of the issues found by R4P3. I don't get why you blame the Qt framework for this.

The problem is that most people have no idea how a computer works. They boot Windows, surf the web and play some games. They run their apps as admin just because it's easier and the UAC dialog is disturbing. I know what you're trying to do here... but do you really think having people set up a Linux VM on their Windows PC will do any good if they have no idea what's happening under the hood?

What about issues like Heartbleed... or EternalBlue? Bugs like this affect millions of users and were out in the wild for more than a decade. Did you stop using Windows because of it? You're blaming the TeamSpeak developers for one critical bug from two years ago and they fixed it fast. Again... I see your point... I just think you're overreacting.

Please let me know how you "securely" run TeamSpeak 3.
I'm not using Windows... Thanks for asking.

... and your idea is to just trust them now? Smart(!)
No, it's not. The idea is that you stop using TeamSpeak and find a better voice communication software... or even better... build a new one. For me, there's no alternative to TeamSpeak if I want to run my own server and keep all the features I love about their product.
 

Jackbox

I'm not using Windows... Thanks for asking.
Most people are, sorry but you represent a split fraction of the gaming userbase (and I would say most people definitely run TS3 on Windows). My concern is the safety of people mainly running TS3 on Windows.

Well... in fact the TeamSpeak Client never had an exploit involving RCE.
1. Piss poor file type checking, .bat was okay as an image file extension so long as there was an artificial image header contained. Bat would ignore the artificial image header, then continue to execute code.
2. The caching could be controlled via directory traversal, which permitted RFI to the user's startup dir.
3. The next time the user logs in from not being logged in, the RFI would be executed hence the RCE.

It has been debated whether or not this is technically RCE, but the proof is in the pudding. Could a malicious individual utilize TeamSpeak 3 to have a binary execute on your machine? Answer that yourself.

It is really a bunch of security issues at play, together. It is a good demonstration of how Linux is more securely designed (in my opinion).

Since you are apparently not on Windows, I would say your risk is fairly less. I still recommend running TeamSpeak 3 virtualized in some way or at least sandboxed.

For other issues, check here: https://r4p3.net/resources/exploit-overview.84/
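The three points in the post above (a file accepted on its image header alone, a cache path steerable by directory traversal, and a resulting write outside the cache) map onto three checks a client can make before writing a remotely supplied file to disk. The following is an added example, not part of the original post and not TeamSpeak's code; `safe_cache_path`, `verdict`, the allow-list and the sample names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Allow-listed image types and the magic bytes their content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def safe_cache_path(cache_dir, remote_name, data):
    """Return the path to store `data` under, or raise ValueError."""
    # The name comes from a remote peer: accept a bare file name only.
    # Backslash and colon are rejected too, so Windows separators, drive
    # letters and alternate data streams cannot slip through.
    if remote_name in ("", ".", "..") or any(c in remote_name for c in '/\\:\x00'):
        raise ValueError("name is not a bare file name")
    # The extension decides how the OS treats the file later, so it is
    # allow-listed; ".bat", ".png." and ".png " all fail this lookup.
    ext = os.path.splitext(remote_name)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError("extension not allowed")
    # A matching header alone is not enough, but a mismatch is a clear reject.
    if not data.startswith(magic):
        raise ValueError("content does not match extension")
    # Final containment check after resolving symlinks and dot segments.
    root = Path(cache_dir).resolve()
    target = (root / remote_name).resolve()
    if target.parent != root:
        raise ValueError("path escapes cache directory")
    return target

def verdict(cache_dir, remote_name, data):
    """Return 'ok' or the rejection reason, for logging."""
    try:
        safe_cache_path(cache_dir, remote_name, data)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    png = ALLOWED[".png"] + b"constructed sample bytes"  # constructed input
    with tempfile.TemporaryDirectory() as cache:
        for name in ("icon.png", "..\\..\\Startup\\icon.bat", "icon.bat"):
            print(repr(name), "->", verdict(cache, name, png))
```

A stricter design ignores the remote name entirely and stores the file under a hash of its content; the checks above are for code that has to keep the supplied name.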
 

Harrasan

Most people are, sorry but you represent a split fraction of the gaming userbase. My concern is the safety of people mainly running TS3 on Windows.
I get it... I still think that sending out emails starting with "TeamSpeak 3 and <USERNAME> are friends? Nope." is pretty rude.
 

Jackbox

is pretty rude.
Well, there is largely a gap in cybersecurity knowledge as demonstrated here: https://www.educationdive.com/news/higher-ed-stepping-in-to-fill-cybersecurity-gaps/443370/

While I agree it may seem offensive or rude, I assure the gesture is strictly for security and awareness. Sure, sharing intelligence can sometimes come off as sounding rude. I promise we do not think TeamSpeak 3 nor their team nor company is stupid --- we just think after X# of critical security issues, perhaps an application security audit is due. They serve ~1,000,000 users, shouldn't they protect them/us?

TeamSpeak 3 needs to realize the importance of security and they will NOT unless people speak up. I am encouraging people to do that for national cybersecurity awareness month (although now it is over).

P.S. Don't shave

 

dedmen

TeamSpeak Developer
Contributor
Mar 28, 2016
While this was a very very stupid mistake by the TeamSpeak developers, it looks like they've released a fix pretty damn fast (exploit was published on Oct 22nd 2015 and the fix one day later on Oct 23rd 2015).

Well.. We found the Exploit on September 13th. Reported it to them and they fixed it on Oct 11th. About 6 hours later we found that they only half fixed it and that it was still working. So we told them again. And they fixed it "completely" on Oct 23rd.
The "public" release of an exploit usually only happens a month after we let TeamSpeak know about it so they have time to fix it. They usually don't fix it in time.
 