[ Closed ] [Resolved] Question about MSI installer\address book sync
That PC was not part of our organization. This is bad, very bad. You have to check and address this issue ASAP!
Please anyone using the custom installer with paid license be aware of this problem.
If I got an unknown PC in my address book, the same could happen for us, that our computers may appear in other customer's address book and they will be able to access our PCs.
Since you decided to also post in the forum in addition to your support ticket, I'm copying my response to your ticket below:
Thank you for your message.
First, let me assure you that this is in no way a security breach as you might think. Please, see my explanation further below. I'd also like to note that Remote Utilities has been used by hundreds of thousands of companies throughout the world which certainly wouldn't be possible if there were such vulnerabilities. Among these customers are medical institutions, military organizations and government agencies (such as courts and law enforcement agencies).
With regards to your issue, I can guess that you used the Remote Utilities feature that allows you to automatically add remote computers to your address book and gain access to them once they run and install your custom-built Host package. There are several points to make here:
1. Remote Utilities connection is only possible "one way", i.e. Viewer connects to Host, not vice versa. Host cannot "connect" to Viewer. These two are totally different modules each for its own task. No one can "connect backwards" to your Viewer just because they installed the Host on their computer, even if this Host is your custom-built Host. It doesn't work that way.
2. The fact that someone can install your custom-built Host on their computer does NOT automatically mean that any Viewer other than yourself can get access to that computer. The custom-built installer was created by yourself and only you have access to the Host instances installed from it.
Even then you can always turn on the "Ask user permission" feature on the Host (you can also enable it during Host configuration) and ensure that the remote user has a choice whether to accept or reject the incoming connection: https://www.remoteutilities.com/support/docs/ask-user-permission/
3. Finally, and this can be applied to just any remote access software around, not only to Remote Utilities - if you set up access to a remote PC and the remote user accepts that (either by installing the agent file or sharing a web link like with some of our competitors' products) this means that you have full access to their PC.
And this is exactly how remote control software is supposed to work - to give the authorized user access to a remote computer. It's just a tool that works the way it is set up. And there are many built-in features to increase security, the "Ask user permission" and "2-factor authentication" among them.
Let me repeat the fact - if your custom built Host is installed somewhere (which resulted in the Host appearing in your address book), this poses NO threat whatsoever. Neither for your Viewer PC nor for your network. Because of the one-way nature of RU connection.
Please, let us know how this is supposed to happen if that "other customer" doesn't know your Host access credentials or access credentials (along with address and port) of your RU Server? From where will they get this information?
"If I got an unknown PC in my address book, the same could happen for us, that our computers may appear in other customer's address book and they will be able to access our PCs"
Remote Utilities doesn't employ an online "customer database". It's stand-alone software. There is no "central" database on the web unlike many of our competitors. In fact this is a big advantage of Remote Utilities vs. its "SaaS" competitors - there's simply nothing to "hack" and steal. One can only get access to someone else's Host if they know access credentials for that specific Host.
The record in your address book appeared because:
1. You set up a custom Host installer to make it automatically send its access credentials to your RU Server address book upon installation.
2. Someone whom you do not recognize got possession of your Host package and installed it on their computer. So the host reported itself to your RU Server and was added to your Viewer address book (via the RU Server address book sync feature).
For the same to happen in your own network someone needs to either inject custom-built Hosts to your network computers or get access to your existing Hosts somehow (for this they should know access credentials).
Thank you.
That's precisely what's happening.
Also, about this:
Conrad Sallian wrote:
Please, let us know how this is supposed to happen if that "other customer" doesn't know your Host access credentials or access credentials (along with address and port) of your RU Server? From where will they get this information?
"If I got an unknown PC in my address book, the same could happen for us, that our computers may appear in other customer's address book and they will be able to access our PCs"
Remote Utilities doesn't employ an online "customer database". It's stand-alone software. There is no "central" database on the web unlike many of our competitors. In fact this is a big advantage of Remote Utilities vs. its "SaaS" competitors - there's simply nothing to "hack" and steal. One can only get access to someone else's Host if they know access credentials for that specific Host.
The record in your address book appeared because:
1. You set up a custom Host installer to make it automatically send its access credentials to your RU Server address book upon installation.
2. Someone whom you do not recognize got possession of your Host package and installed it on their computer. So the host reported itself to your RU Server and was added to your Viewer address book (via the RU Server address book sync feature).
For the same to happen in your own network someone needs to either inject custom-built Hosts to your network computers or get access to your existing Hosts somehow (for this they should know access credentials).
Somehow a file that I just created was used by somebody somewhere else.
The only way that could have happened is that after the file was sent to your servers for certification, it was sent by mistake to another person. And of course that person did not know what file they were using.
Then that PC appeared in my address book and I got control of that PC.
This is definitely something that could not happen; if that was the case we would at least have had the other user reporting a similar issue at the same time. Please note that we'd already responded to your duplicated tickets and suggested some options for troubleshooting - for example, Legacy configurator creates an installation file with no access to the Internet.
Hope that helps.