TeamViewer Trust Center
Your single source for the latest security, compliance, and system performance information.
Data Centers and Backbone
All TeamViewer servers are housed in state-of-the-art data centers that are compliant with ISO 27001 and use multi-redundant carrier connections and redundant power supplies. Protection measures include RAID arrays, data mirroring, data backups, highly available server storage, router systems with disaster recovery mechanisms, and procedures to deliver continuous service. Additionally, all servers that store sensitive data are located in Germany or Austria.
The data centers have implemented state-of-the-art security controls: personal access control, video camera surveillance, motion detectors, 24×7 monitoring, and on-site security personnel ensure that access to the data center is only granted to authorized persons and guarantee the best possible security for hardware and data. There is also a detailed identification check at the single point of entry to the data center.
As an additional security feature, all of our software is signed via DigiCert Code Signing, so the publisher of the software is always readily identifiable. If the software is modified after it was signed, the digital signature becomes invalid.
CREATING A SESSION AND TYPES OF CONNECTIONS
When establishing a session, TeamViewer determines the optimal type of connection. After the handshake through our master servers, a direct connection via UDP or TCP is established in 70% of all cases (even behind standard gateways, NATs and firewalls). The rest of the connections are routed through our highly redundant router network via TCP or https tunneling.
You do not have to open any ports in order to work with TeamViewer.
ENCRYPTION AND AUTHENTICATION
TeamViewer traffic is secured using RSA public/private key exchange and AES (256-bit) session encryption. This technology is used in a comparable form for https/SSL and is considered completely safe by today’s standards.
As the private key never leaves the client computer, this procedure ensures that interconnected computers—including the TeamViewer routing servers—cannot decipher the data stream. Not even TeamViewer, as the operators of the routing servers, can read the encrypted data traffic.
All Management Console data transfer goes through a secure channel using TLS (Transport Layer Security) encryption, the standard for secure Internet connections. For authorization and password encryption, the Secure Remote Password protocol (SRP), an augmented password-authenticated key agreement (PAKE) protocol, is used. An eavesdropper or man-in-the-middle cannot obtain enough information from the exchange to brute-force the password. This means that strong security can be obtained even with weak passwords. However, TeamViewer still recommends adhering to industry best practices for password creation to ensure the highest levels of security.
Each TeamViewer client ships with the public key of the master cluster and can thus encrypt messages to the master cluster and verify messages signed by it. This PKI (Public Key Infrastructure) effectively prevents man-in-the-middle (MITM) attacks. Even over the encrypted channel, the password is never sent directly: authentication uses the Secure Remote Password (SRP) protocol, a challenge-response procedure, and only a password verifier, not the password itself, is stored on the local computer.
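An added example (not TeamViewer's code) of the SRP-6a exchange this section describes: the server stores only a salt and a verifier, the client proves knowledge of the password without ever sending it, and both sides derive the same session key. Assumptions not on the page: SHA-256 as the hash, the RFC 5054 1024-bit group, and the simple username:password salting shown; TeamViewer's exact parameters are not stated.

```python
import hashlib
import secrets

# Group: the 1024-bit safe-prime group of RFC 5054 Appendix A (g = 2), chosen for this example.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:  # SHA-256 of the concatenation, read as a big-endian integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def pad(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")
k = H(pad(N), pad(g))  # SRP-6a multiplier parameter
def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())

def make_verifier(username: bytes, password: bytes):
    """Enrollment: only (salt, v) is stored; v = g^x mod N does not reveal the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def client_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:  # SRP requires aborting on a degenerate server value
        raise ValueError("invalid B")
    u = H(pad(A), pad(B))  # scrambling parameter, binds both public values
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()

def server_key(v, b, A, B) -> bytes:
    if A % N == 0:  # likewise for a degenerate client value
        raise ValueError("invalid A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()

def run_exchange(username: bytes, password_attempt: bytes, salt: bytes, v: int) -> bool:
    """Full round trip: only A, B and the proof M1 cross the wire, never the password."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                      # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N        # server -> client: salt, B
    K_client = client_key(username, password_attempt, salt, a, A, B)
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()  # client -> server: proof
    K_server = server_key(v, b, A, B)
    return secrets.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest())
```

A captured transcript contains A, B, salt and M1; without x (i.e. the password) none of them yields the session key, which is the property the page relies on.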
Validation of TeamViewer IDs
TeamViewer IDs are based on various hardware and software characteristics and are automatically generated by TeamViewer. The TeamViewer servers check the validity of these IDs before every connection.
Prospective customers who inquire about the security of TeamViewer regularly ask about encryption. Understandably, the most feared risks are that a third party could monitor the connection or tap the TeamViewer access data. In reality, however, rather primitive attacks are often the most dangerous ones.
In the context of computer security, a brute-force attack is a trial-and-error method to guess a password that is protecting a resource. As the computing power of ordinary computers grows, the time needed to guess even long passwords keeps shrinking.
As a defense against brute-force attacks, TeamViewer exponentially increases the latency between connection attempts. As a result, 24 attempts take as long as 17 hours. The latency is only reset after the correct password has been entered.
TeamViewer's protection covers not only attacks from one specific computer but also attacks from many computers at once (botnet attacks) that try to access one particular TeamViewer ID.
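An added example (not TeamViewer's implementation) modelling the two mechanisms just described as a server-side throttle: latency that grows exponentially with each failed attempt and is reset only by success, keyed by the target ID so that attempts spread over many source machines (a botnet) share one counter. The base delay, growth factor and cap are assumed values for illustration; the page gives only the 24-attempts/17-hours data point, which these particular parameters do not reproduce.

```python
import time
from collections import defaultdict

# Assumed parameters for the illustration; the page does not state TeamViewer's values.
BASE_DELAY = 1.0       # seconds of latency after the first failure
FACTOR = 2.0           # growth per additional failure
MAX_DELAY = 3600.0     # cap, so the curve cannot grow without bound

def delay_after(failures: int) -> float:
    """Latency imposed after `failures` consecutive failed attempts on one ID."""
    return 0.0 if failures == 0 else min(BASE_DELAY * FACTOR ** (failures - 1), MAX_DELAY)

def total_wait(attempts: int) -> float:
    """Cumulative seconds of enforced latency before attempt number `attempts` can be made."""
    return sum(delay_after(n) for n in range(1, attempts))

class PerTargetThrottle:
    """Throttle keyed by the *target* TeamViewer ID rather than by the source address.
    Keying on the target is what defeats distributed guessing: a thousand hosts that
    split the attempts against one ID still share a single delay counter."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)

    def may_attempt(self, target_id: str) -> bool:
        """False while the latency window for this ID is still running."""
        return self.clock() >= self.not_before[target_id]

    def record(self, target_id: str, success: bool) -> None:
        """Success clears the counter; failure extends the latency before the next attempt."""
        if success:
            self.failures.pop(target_id, None)
            self.not_before.pop(target_id, None)
            return
        self.failures[target_id] += 1
        self.not_before[target_id] = self.clock() + delay_after(self.failures[target_id])
```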
TCP/UDP PORT 5938
TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.
TCP PORT 443
If TeamViewer can’t connect over port 5938, it will next try to connect over TCP port 443.
However, our mobile apps running on Android, iOS, Windows Mobile, and BlackBerry don’t use port 443.
Note: port 443 is also used by custom modules created in the Management Console. If you are deploying a custom module, e.g. through Group Policy, ensure that port 443 is open on the computers you are deploying to. Port 443 is also used for a few other things, including TeamViewer update checks.
TCP PORT 80
If TeamViewer can’t connect over port 5938 or 443, then it will try on TCP port 80. The connection speed over this port is slower and less reliable than ports 5938 or 443, due to the additional overhead it uses, and there is no automatic reconnection if the connection is temporarily lost. For this reason, port 80 is only used as a last resort.
Our mobile apps running on Android, Windows Mobile, and BlackBerry don’t use port 80. However, our iOS apps can use port 80 if necessary.
Android, Windows Mobile, and BlackBerry
Our mobile apps running on Android, Windows Mobile, and BlackBerry can only connect out over port 5938. If the TeamViewer app on your mobile device won’t connect and tells you to “check your internet connection”, it’s probably because this port is being blocked by your mobile data provider or your WiFi router/firewall.
Destination IP Addresses
The TeamViewer software will connect you to your partner via the most suitable router. The location of the router depends on many parameters, mainly availability and performance. Our master server infrastructure is located in Germany. These servers use a number of different IP address ranges, which also change frequently. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.
Having said that, from a security point of view this should not really be necessary: TeamViewer only ever initiates outgoing connections through a firewall, so it is sufficient to block all incoming connections on your firewall and only allow outgoing connections over port 5938, regardless of the destination IP address.
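An added example (not TeamViewer's own tooling) of using the PTR records mentioned above to build a destination allowlist, with the check a practitioner should add: forward-confirm the reverse name, because a PTR record is written by whoever controls the reverse zone of the address block, so a matching PTR alone is a claim rather than proof. The resolver functions are injectable so the logic can be exercised offline; IP addresses used in testing are constructed documentation addresses.

```python
import socket

ALLOWED_SUFFIX = ".teamviewer.com"

def reverse_lookup(ip: str) -> str:
    """PTR lookup through the system resolver (canonical host name)."""
    return socket.gethostbyaddr(ip)[0]

def forward_lookup(hostname: str) -> list:
    """A/AAAA lookup through the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]

def is_confirmed_teamviewer_ip(ip: str, reverse=reverse_lookup, forward=forward_lookup) -> bool:
    """True only if the PTR name is under teamviewer.com AND that name resolves back to ip.
    The forward step is the important one: anyone who controls the reverse zone of an
    address block can publish a PTR of their choosing for it."""
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:          # socket.herror / socket.gaierror are OSError subclasses
        return False
    if not name.endswith(ALLOWED_SUFFIX):   # the leading dot also rejects "notteamviewer.com"
        return False
    try:
        return ip in forward(name)
    except OSError:
        return False

def build_allowlist(candidate_ips, reverse=reverse_lookup, forward=forward_lookup) -> list:
    """Filter destination IPs observed in proxy/firewall logs down to the confirmed ones."""
    return sorted(ip for ip in set(candidate_ips)
                  if is_confirmed_teamviewer_ip(ip, reverse, forward))
```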