TV Security Statement


security statement.md 11/20/2020

Target Group
This document is aimed at professional network administrators. The information in this document is of a
rather technical nature. Based on this information, IT professionals will receive a picture of the security
standards at TeamViewer, and will have any concerns resolved before deploying our software. Please feel free
to distribute this document to your customers in order to alleviate any possible security concerns.

If you do not consider yourself to be part of the target group, the soft facts in the section "The Company / the
Software" will still help you get a clear picture of how we take security seriously.

The Company / the Software


About us
TeamViewer GmbH was founded in 2005 and is based in southern Germany, in the city of Göppingen (near
Stuttgart), with subsidiaries in Australia and the United States. We exclusively develop and sell secure systems
for web-based collaboration. Within a short span of time, our Freemium licensing has led to rapid growth,
with more than 200 million users of the TeamViewer software on more than 1.4 billion devices, in more than
200 countries around the globe. The software is available in more than 30 languages.

Our Understanding of Security


TeamViewer is used by more than 30 million users at any given point of any day. These users are providing
spontaneous support over the internet, accessing unattended computers (e.g. remote support for servers) and
hosting online meetings. Depending on the configuration, TeamViewer can be used to remotely control
another computer, as if one were sitting right in front of it. If the user who is logged on to a remote computer
is a Windows, Mac or Linux administrator, this person will be granted administrator rights on that computer as
well. It is clear that such powerful functionality over the potentially unsafe internet has to be protected against
attacks with great scrutiny. In fact, the topic of security dominates all of our development goals, and is
something we live and breathe in everything we do. We want to ensure access to your computer is safe and to
protect our own interests: millions of users worldwide only trust a secure solution, and only a secure solution
assures our long-term success as a business.

Quality Management
From our understanding, security management is unthinkable without an established quality management
system. TeamViewer GmbH is one of the few providers on the market that practices certified quality
management in accordance with ISO 9001. Our quality management follows internationally recognized
standards. We have our QM system reviewed by external audits on an annual basis.

External Expert Assessment


Our software, TeamViewer, has been awarded a five-star quality seal (maximum value) by the Federal
Association of IT Experts and Reviewers (Bundesverband der IT-Sachverständigen und Gutachter e.V., BISG
e.V.). The independent reviewers of the BISG e.V. inspect products of qualified producers for their quality,
security and service characteristics.


References
Currently, TeamViewer is used by more than 200 million users. International top corporations from all kinds of
industries (including such highly sensitive sectors as banking, finance, healthcare and government) are
successfully using TeamViewer.

We invite you to have a look at our references all over the internet, in order to gain a first impression of the
acceptance of our solution. You'll find that presumably most other companies had similar security and
availability requirements before they, after an intensive examination, finally decided on TeamViewer. To form
your own impression though, please find some technical details in the rest of this document.

TeamViewer Sessions
Creating a Session and Types of Connections
When establishing a session, TeamViewer determines the optimal type of connection. After the handshake
through our master servers, a direct connection via UDP or TCP is established in 70% of all cases (even behind
standard gateways, NATs and firewalls). The rest of the connections are routed through our highly redundant
router network via TCP or HTTP tunnelling. You do not have to open any ports in order to work with
TeamViewer! As described later in the section "Secure Connections", not even we, as the operators of the
routing servers, can read the encrypted data traffic.

Secure Connections
TeamViewer traffic is secured using RSA public/private key exchange and AES (256 bit) session encryption.
This technology is used in a comparable form for HTTPS/TLS and is considered completely safe by today's
standards. As the private key never leaves the client computer, this procedure ensures that interconnected
computers, including the TeamViewer routing servers, cannot decipher the data stream.

Each TeamViewer client has the certificate of the master cluster and can thus verify certificates of the TeamViewer
system. These certificates are used in a handshake between participants of the TeamViewer network.

A simplified overview of this handshake can be seen in the following diagram.


Client -> Server:  [client cert, client nonce, revocation check, signature]

Server -> Client:  encrypt_PKClient([server cert, server nonce, revocation check, signature])

Client -> Server:  encrypt_PKServer([pre master secret, signature])

Client and Server: SessionKey derived from Nonces and PreMasterSecret

encrypt_SessionKey([switch])

The session key derived from this handshake is afterwards used to encrypt the communication between
parties using AES.

Password authentication
During TeamViewer's password authentication, no password-equivalent data is shared because the Secure
Remote Password (SRP) protocol version 6 is used. Only a password verifier is stored on the local computer.
For more details, check the section "TeamViewer Account".

Validation of TeamViewer IDs


TeamViewer IDs are based on various hardware and software characteristics and are automatically generated
by TeamViewer. The TeamViewer servers check the validity of these IDs.

Brute-Force Protection
Prospective customers who inquire about the security of TeamViewer regularly ask about encryption.
Understandably, the risk that a third party could monitor the connection or that the TeamViewer access data is
being tapped is feared most. However, the reality is that rather primitive attacks are often the most dangerous
ones.

In the context of computer security, a brute-force attack is a trial-and-error method to guess a password that
is protecting a resource. With the growing computing power of standard computers, the time needed for
guessing long passwords has been increasingly reduced.


As a defense against brute-force attacks, TeamViewer exponentially increases the latency between connection
attempts. It thus takes as many as 17 hours for 24 attempts. The latency is only reset after successfully
entering the correct password.

TeamViewer not only has a mechanism in place to protect its customers from attacks from one specific
computer but also from attackers controlling a large number of computers trying to access a specific target
computer, e.g. using a botnet.
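
The behaviour described above (delay grows exponentially, only a correct password resets it, and attempts from many machines against one target are treated together) can be sketched as follows. This is an added example, not TeamViewer's code: the doubling factor, the pure geometric schedule, the class and function names, and the sample IDs and addresses are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TargetThrottle:
    """Exponential back-off keyed on the target ID, not on the caller."""
    base: float = 1.0      # assumed: seconds of lock-out after the first failure
    factor: float = 2.0    # assumed: growth factor for each further failure
    state: dict = field(default_factory=dict)  # target_id -> (failures, not_before)

    def attempt(self, target_id: str, source: str, password_ok: bool, now: float) -> str:
        # `source` is deliberately ignored: guesses from many hosts against
        # one target share a single counter, so spreading them does not help.
        failures, not_before = self.state.get(target_id, (0, 0.0))
        if now < not_before:
            return "throttled"            # refused before the password is considered
        if password_ok:
            self.state.pop(target_id, None)   # only a correct password resets
            return "accepted"
        delay = self.base * self.factor ** failures
        self.state[target_id] = (failures + 1, now + delay)
        return "rejected"


def cumulative_wait(attempts: int, base: float, factor: float = 2.0) -> float:
    """Total enforced waiting time before `attempts` guesses can be made."""
    return sum(base * factor ** i for i in range(attempts - 1))


def base_for_budget(total_seconds: float, attempts: int, factor: float = 2.0) -> float:
    """First delay that stretches `attempts` guesses over `total_seconds`."""
    return total_seconds / cumulative_wait(attempts, 1.0, factor)
```

Under the assumed doubling schedule, `base_for_budget(17 * 3600, 24)` gives a first delay of roughly 7 ms, which shows how quickly a geometric series reaches the 17 hours quoted above.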

Code Signing
As an additional security feature, all of our software is signed via VeriSign Code Signing. In this manner, the
publisher of the software is always readily identifiable. If the software has been changed afterwards, the digital
signature automatically becomes invalid.

Datacenter & Backbone


To provide the best possible security and availability of the TeamViewer services, all TeamViewer servers are
located in data centers which are compliant with ISO 27001, leverage multi-redundant carrier connections and
redundant power supplies. Furthermore, only state-of-the-art hardware is used. Additionally, all servers that
store sensitive data are located within Germany or Austria.

Being ISO 27001-certified means that personal access control, video camera surveillance, motion detectors,
24x7 monitoring and on-site security personnel ensure access to the data center is only granted to authorized
persons and guarantee the best possible security for hardware and data. There is also a detailed identification
check at the single point-of-entry to the data center.

TeamViewer Account
TeamViewer accounts are hosted on dedicated TeamViewer servers. For information on access control, please
refer to Datacenter & Backbone above. For authorization, the Secure Remote Password protocol (SRP)
version 6 is used. This protocol combines the advantages of conventional ways of password storage. We do
not store any information on our servers that could be used by an attacker to authenticate as the given
account. In addition, the password is never sent to our servers during the authentication. Instead, a proof is used
that is only valid for the single authentication run and can't be reused afterwards.
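
The three properties claimed above for SRP-6 (the server holds only a verifier, the password is never transmitted, and the proof differs on every run) can be seen in a minimal run of the protocol. This is an added example, not TeamViewer's implementation: the hash (SHA-256), the simplified `x = H(salt, password)`, the group choice and all function names are assumptions, and both roles run in one process for brevity.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A (small by current standards; demo only)
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
K = 3  # multiplier used by SRP-6


def H(*parts) -> int:
    """SHA-256 over byte strings and fixed-width big-endian integers."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(128, "big"))
    return int.from_bytes(h.digest(), "big")


def enroll(password: bytes):
    """What the server stores: a salt and the verifier v = g^x mod N."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, H(salt, password), N)


def authenticate(password_typed: bytes, salt: bytes, verifier: int):
    """One protocol run; returns (server_accepts, client_proof)."""
    a, b = secrets.randbits(256), secrets.randbits(256)   # fresh per run
    A = pow(G, a, N)                                # client -> server
    B = (K * verifier + pow(G, b, N)) % N           # server -> client
    if B == 0:
        raise ValueError("degenerate ephemeral value")
    u = H(A, B)
    x = H(salt, password_typed)                     # computed on the client only
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    proof = H(A, B, s_client)                       # client -> server
    expected = H(A, B, s_server)
    ok = secrets.compare_digest(proof.to_bytes(32, "big"),
                                expected.to_bytes(32, "big"))
    return ok, proof
```

Only `A`, `B` and `proof` cross the wire; because `a` and `b` are fresh each time, a captured proof does not verify in a later run.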

Data stored in the account, e.g. passwords, keys, chat logs, etc., is encrypted using a combination of RSA and
AES, where the root key for the encryption is derived from the user's password. This ensures that an attacker
without the password cannot access the data stored in the account.

Management Console
The TeamViewer Management Console is a web-based platform for user management, connection reporting
and managing Computers & Contacts. It is hosted in ISO-27001 certified, HIPAA compliant data centers. All
data transfer is through a secure channel using TLS (Transport Layer Security) encryption, the standard for
secure Internet network connections. Sensitive data is furthermore stored AES/RSA 2048 bit encrypted. It uses
the same encryption and authentication mechanisms described for the TeamViewer Account.

Policy-Based Settings
From within the TeamViewer Management Console, users are able to define, distribute, and enforce setting
policies for the TeamViewer software installations on devices that belong specifically to them. Setting policies
are digitally signed by the account that generates them. This ensures that the only account permitted to
assign a policy to a device is the account to which the device belongs.

Application Security in TeamViewer


Black- & Whitelist
Especially when TeamViewer is used for unattended maintenance of computers (i.e. nobody is in front of the
computer), the Whitelist allows you to tighten security. Using this option, the number of people who can get
access to the machine is limited, and even if e.g. the password is stolen, an attacker can't get access to the
device. The restrictions can be set to allow only specific TeamViewer IDs or TeamViewer accounts to
access the computer remotely. Whitelists can be managed using the Policies described in the Management
Console section.

Chat
Chat messages and their history are end-to-end encrypted and stored in the TeamViewer account using
RSA/AES as described in the chapter "TeamViewer Account". Only participants in a chatroom or 1:1 chat can
access the messages and history.

No Stealth Mode
There is no function that enables you to have TeamViewer running completely in the background. Even if the
application is running as a Windows service in the background, TeamViewer is always visible by means of an
icon in the system tray. After establishing a connection there is always a small control panel visible above the
system tray. Therefore, TeamViewer is intentionally unsuitable for covertly monitoring computers or
employees. This allows users to make sure that no sensitive data is shown on their screen during a
TeamViewer session.

Password Protection
For spontaneous customer support, TeamViewer (TeamViewer QuickSupport) generates a random password
that can be changed at any time. If your customer tells you their password, you can connect to their computer
by entering their ID and password. Depending on the settings, a new password will be generated on the
customer's computer either after a restart of TeamViewer, after the session, or when manually requested.

When deploying TeamViewer for unattended remote support (e.g. of servers), you can set an individual, fixed
password and disable the random password.

All passwords are verified using the same SRP protocol described in the "TeamViewer Account" section.


Incoming and Outgoing Access Control


You can individually configure the connection modes of TeamViewer. For instance, you can configure your
remote support or meeting computer in a way that no incoming connections are possible.

Limiting functionality to those features actually needed always means limiting possible weak points for
potential attacks.

Two Factor Authentication


TeamViewer assists companies with their HIPAA and PCI compliance requirements. Two-factor authentication
adds an additional security layer to protect TeamViewer accounts from unauthorized access.

In addition to both username and password, the user must enter a code in order to authenticate. This code is
generated via the time-based one-time password (TOTP) algorithm. Therefore, the code is only valid for a short
period of time.

Through two-factor authentication and limiting access by means of whitelisting, TeamViewer assists in
meeting all necessary criteria for HIPAA and PCI certification.

Security Testing
Both the TeamViewer infrastructure and the TeamViewer software are subject to penetration tests on a regular
basis. The tests are performed by independent companies specialized in security testing.

Further Questions?
For further questions or information, feel free to contact us at (US) +1 (800) 951 4573 and (UK) +44 (0) 2080
997 265 or send an email to support@teamviewer.com.

Contact
TeamViewer Germany GmbH
Bahnhofsplatz 2
D-73033 Göppingen
Germany
service@teamviewer.com
