Introduction

This technical security document is for IT professionals, network administrators and security departments who want an overview of TeamViewer security standards and protocols. Please feel free to share this document with your customers and colleagues to address their security questions.

TeamViewer: The Company and Software

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has around 630,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,400 people globally.

Fundamentals of TeamViewer Security

Our customers use TeamViewer to provide spontaneous support over the internet, access unattended computers (e.g. to provide remote support for servers), and host online meetings. Depending on the configuration, TeamViewer can be used to remotely control the mouse and keyboard of another computer in real time, as though you were accessing it in person. If a Windows, Mac, or Linux administrator logs in to a remote computer, that person will be granted administrator rights to that computer as well. Clearly, using this powerful functionality over the internet must be protected with stringent security protocols. As such, we put security at the center of everything we do and engineer our software according to security-by-design principles. Our goal is to ensure access to computers is safe. Your security is our highest priority: users only trust secure solutions, and we’re fully committed to providing secure solutions to sustain long-term business success.

Quality Management

Security management is inconceivable without an established quality management system. TeamViewer GmbH is a leading global vendor in the market with an ISO 9001 certified quality management system (QMS). Our quality management follows internationally recognized standards and is reviewed by external audits on an annual basis.

Information Security

TeamViewer deploys industry-leading cyber security resources both internally and externally. Absolutely no expenses are spared as we are fully dedicated to ensuring the best possible protection of our IT infrastructure. Our 24/7 Security Operations Center (SOC) monitors TeamViewer’s system landscape in real time. A Computer Security Incident Response Team (CSIRT) is poised to respond to any threat. TeamViewer annually conducts external audits against various compliance frameworks, such as ISO 27001, HIPAA/HITECH, SOC2 Type2/SOC3, TISAX, and ISO 9001.

Data Centers and Backbone

To provide the best possible security and availability of TeamViewer services, all TeamViewer servers are located in data centers which are compliant with ISO 27001, leveraging multi-redundant carrier connections and redundant power supplies. Furthermore, only industry-grade hardware is used and all servers that store sensitive data are located in Germany or Austria. Being ISO 27001-certified means that personal access control, video camera surveillance, motion detectors, 24/7 monitoring, and on-site security personnel ensure access to the data center is only granted to authorized persons, guaranteeing the best possible hardware and data security. There is also a detailed identification check at the single point-of-entry of the data centers. Additionally, TeamViewer’s Information Security Management System (ISMS) itself is ISO 27001 certified.

References

Leading global enterprises across industries — such as financial services, healthcare, government, and other sectors with highly sensitive data — leverage TeamViewer for secure remote access and support, customer engagement, IoT, and industrial augmented reality solutions. To see how your peers have used TeamViewer in their organizations, explore our customer success stories, available on our website at teamviewer.com/en/success-stories/.

Software Development

Secure Software Development Lifecycle (S-SDLC)

TeamViewer follows a strict Secure Software Development Life Cycle (S-SDLC) throughout all phases of our products’ lifecycle, which also includes a hardened and audited software development pipeline. Most importantly, we perform design, architecture and implementation reviews, including attack surface analysis and threat modeling, in which identified risks are prioritized and product security requirements are derived. We also enforce code reviews and unit and integration tests, and all code changes require code owners’ approval.

Security Testing / SAST / DAST / SCA

We apply static and dynamic application security testing (SAST/DAST) and take care of our software’s dependencies by using software composition analysis (SCA). There is also a significant and segmented automation environment that is used to ensure our quality assurance can also be handled programmatically and in an automated fashion.

Security Penetration Testing

Both TeamViewer infrastructure and the TeamViewer software are subject to penetration testing. TeamViewer conducts multiple external white and black/grey box tests of all products annually. The tests are performed by independent companies specialized in testing. TeamViewer has partnered with multiple class-leading testing firms, such as Black Hills Information Security, Blaze, Recurity, Securitum, and XMCO.

Code Signing

All of our software is signed via DigiCert Code Signing. Consequently, the publisher of the software is always readily identifiable. If the software is changed afterward, the digital signature automatically becomes invalid. Code signing allows endpoint security tools to actively validate that the software is genuine, and our software uses it as a self-check mechanism to ensure that only genuine copies can run; if this check fails, the software exits. This allows for programmatic protection and alerting for our customers. As built-in anti-tampering, the software checks the certificate and signature validity of all its components on start and fails to run if inconsistencies are found.

Vulnerability Disclosure Program

Every customer, user, researcher, partner and any other person who interacts with TeamViewer’s products and services is encouraged to report vulnerabilities and errors they identify in our products and services: vdp.teamviewer.com/p/Send-a-report

Certified Numbering Authority (CNA)

TeamViewer is a CNA for Common Vulnerabilities and Exposures (CVE) issuances against all TeamViewer products. This is a key measure of accurate risk assessment of all CVEs that may be issued against TeamViewer products. TeamViewer works diligently to partner with researchers and organizations to correctly report and disclose issues as a CNA. TeamViewer demonstrates mature vendor vulnerability management practices, and this highlights our commitment to cybersecurity to all our customers.

Product Security Features

Remote Connections and Sessions

When establishing a remote session, TeamViewer determines the optimal connection type. After the handshake via our master servers, a direct connection via User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) is established in 70 percent of all cases—even behind standard gateways, NATs, and firewalls. The rest of the connections are routed through our highly redundant router network via TCP or HTTP-tunneling. That means you don’t have to open any ports in order to use TeamViewer. As described later in the “Legacy Connections” section, not even TeamViewer — as the operator of the routing servers — can read the encrypted traffic.

Modern TLS 1.3 mutually authenticated session handshake

Starting with TeamViewer version 15.73, session authentication and attestation use mutually authenticated TLS 1.3. This protocol provides Perfect Forward Secrecy (PFS) through modern Diffie-Hellman key exchange mechanisms. After the secure handshake is completed, session data remains protected using AES‑256‑GCM encryption.

During connection establishment, both communicating clients verify each other’s identity using certificates issued by the TeamViewer master cluster. This process ensures that endpoints authenticate the TeamViewer infrastructure before any sensitive data is exchanged.

Private keys never leave the client device. As a result, neither TeamViewer routing servers nor any intermediary systems can decrypt the end‑to‑end encrypted session traffic.

Remote session traffic between endpoints is protected using end‑to‑end encryption, ensuring that only the communicating devices can decrypt the transmitted data.
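The following Go example is added here for illustration and is not TeamViewer code. It reduces the properties above to their cryptographic core: each session uses fresh ephemeral Diffie-Hellman keys, only public keys cross the relay, and AES-256-GCM rejects anything read with the wrong key or altered in transit. Assumptions: X25519 as the key exchange, SHA-256 in place of the TLS 1.3 key schedule, the hypothetical names `NewKey`, `Derive` and `Relay`, and no certificate authentication of the public keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKey makes an ephemeral X25519 key for one session; it is never sent.
func NewKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Derive keys AES-256-GCM from the ECDH secret; SHA-256 stands in for a real KDF.
func Derive(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	secret, err := mine.ECDH(peer)
	if err != nil {
		panic(err) // X25519 rejects low-order peer keys here
	}
	key := sha256.Sum256(secret) // 32-byte key selects AES-256, so no error below
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Relay plays one session: A seals msg, B opens it, and a routing server that
// holds only the public keys and the wire bytes tries to read or alter them.
func Relay(msg []byte) (got []byte, relayErr, tamperErr error) {
	a, b, r := NewKey(), NewKey(), NewKey() // constructed: endpoints A, B, relay
	nonce := make([]byte, 12)
	rand.Read(nonce) // fresh 96-bit GCM nonce
	wire := Derive(a, b.PublicKey()).Seal(nil, nonce, msg, nil)
	got, _ = Derive(b, a.PublicKey()).Open(nil, nonce, wire, nil)
	_, relayErr = Derive(r, a.PublicKey()).Open(nil, nonce, wire, nil)
	wire[0] ^= 0x01 // one bit changed in transit
	_, tamperErr = Derive(b, a.PublicKey()).Open(nil, nonce, wire, nil)
	return
}

func main() {
	got, relayErr, tamperErr := Relay([]byte("frame"))
	fmt.Println(string(got), relayErr, tamperErr)
}
```

Key agreement alone does not identify the peer; the certificate check described in this section is what binds each public key to an endpoint.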

Legacy Connections

TeamViewer sessions are secured using RSA 4096 public/private key exchange and AES 256-bit encryption. This technology is used in a comparable form for HTTPS/TLS and is considered completely safe by today’s standards. As the private key never leaves the client computer, this ensures that the interconnected computers, including the TeamViewer routing servers, cannot decipher the data stream. The most recent versions also support perfect forward secrecy on key agreements. Each TeamViewer client has a certificate of the master cluster, enabling it to verify certificates of the TeamViewer system. These certificates are used in handshakes between participants in the TeamViewer network. See Figure 1 for a simplified overview of the handshake key exchange.