- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
Tutorial for running your TeamSpeak 3 client virtually:
Any questions? Comment on the video or reply to this thread!
Hello to our lovely community!
Since October is the perfect time to publish security awareness information (October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about the importance of cybersecurity).
I figured I would take a moment to provide security ideas for using TeamSpeak 3 safely with reasoning on why you should.
Because the Qt framework is inherently insecure by making production fast and cross-platform (security and speed can come together but only if done properly and this places almost all responsibility on secure development to the developers of TeamSpeak 3 which is a team of a few guys, as far as I know (I may be wrong) not a single security engineer nor employee), there is no way to safely run Qt applications which are proprietary on a host machine. This means if you run TeamSpeak 3 in the same environment you use LastPass, access bank accounts, check your emails, and various other confidential actions --- you are unsafe every time you connect to a TeamSpeak 3 server publicly facing the Internet.
To give you some insight as to how slow-moving the Qt framework is regarding security, HSTS was developed for enforcing HTTPS connections around the year 2012. The year is 2017 and HSTS support has just arrived to Qt developers as shown here: https://en.wikipedia.org/wiki/Qt_version_history 5.9 and TS3 is still on 5.6. You can see Mozilla's support for it back in 2012: https://support.mozilla.org/en-US/questions/942924
Why the fuck are you still running TeamSpeak 3 outside of virtualization? There is no reason to take this unnecessary risk. This is like putting your dick in a homeless person's bum; no protection.
In the very end of all this, there are two people responsible for the security of TeamSpeak 3. That is yourself and TeamSpeak 3 developers or the company itself. From the interview R4P3's security team had with TeamSpeak's two CEOs, we understand that security is not at the top of their list of things to do. Instead, the response to us was more about quieting our community and ultimately leading to a shutdown of our research on the security of TS3.
Your responsibility to securely run TeamSpeak 3: Install virtualization software such as VMware Workstation Pro ( https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/14_0 ). When installing an operating system to run TeamSpeak 3, consider something secure like Tails Linux or Kali Linux. This is assuming you will not have confidential information on the mentioned virtual machine OS. If you are just looking for a simple operating system, consider Ubuntu Desktop. Keep in mind that if someone breaks out of your TeamSpeak 3 instance, your real IP may be leaked even if you are running a VPN on the virtual machine. Ideally, the host machine where you are running the VM should have a secure VPN setup. Two common IP leaks on systems using a VPN are an IP leak by DNS and and WebRTC/STUN. Consider using a custom DNS with your VPN solution. I like NordVPN as a VPN provider. After your VPN is configured, think about going to Google and take a look at "IP Leak Test", check around if you want to test if your VPN is working to maximize privacy. While these steps are more for privacy, they are optional. Separating your TeamSpeak 3 instance from your main operating system is not optional from a security standpoint.
TeamSpeak's responsibility as the company (TeamSpeak Systems GmbH) and developers: Knock down your security shortcomings by going after cybersecurity talent, specifically someone experienced with application security. I realize there is a shortage of talent globally, but if you look in the right direction I promise you may be surprised how much safer your software may become by giving the right cybersecurity researchers a chance. You need a dedicated individual to inspect the life-cycle of your application's code. When a new feature is added that allows an input, is the input secure? When a connection is handled in your server software, will it crash if simply an integer is missing? Throughout all of your applications, what does error handling look like? Is garbage collection being implemented properly to keep memory usage appropriate? An application audit would keep your users much safer and give your developers an idea of where they can improve security practices which can make your current code safer and help your company and applications for the life of your hopefully successful future.
In R4P3's past, we COULD HAVE done very dark things such as launch one of the largest self-spreading worms across the TS3 network. This was at a time when there were around a million users and most run on the Windows operating system. Keep your users safe, keep yourself safe --- everyone. R4P3 is only here to help.
By the graceful teamwork of R4P3's research and TeamSpeak Systems GmbH's rapid response, one of their most critical security issues was patched. Security can not always be responsive though, a proactive approach is recommended. Much like waiting to have a heart attack is a bad idea, just eat some fucking fruit and salad --- drink water.
Hello to our lovely community!
Since October is the perfect time to publish security awareness information (October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about the importance of cybersecurity).
I figured I would take a moment to provide security ideas for using TeamSpeak 3 safely with reasoning on why you should.
No, TeamSpeak 3 has been developed with several critical security issues scattered throughout. Additionally, the software is proprietary and utilizes the Qt framework. If you open TS3, click Help -> About -> Qt Version: 5.6.2 at current time.
Because the Qt framework is inherently insecure by making production fast and cross-platform (security and speed can come together but only if done properly and this places almost all responsibility on secure development to the developers of TeamSpeak 3 which is a team of a few guys, as far as I know (I may be wrong) not a single security engineer nor employee), there is no way to safely run Qt applications which are proprietary on a host machine. This means if you run TeamSpeak 3 in the same environment you use LastPass, access bank accounts, check your emails, and various other confidential actions --- you are unsafe every time you connect to a TeamSpeak 3 server publicly facing the Internet.
To give you some insight as to how slow-moving the Qt framework is regarding security, HSTS was developed for enforcing HTTPS connections around the year 2012. The year is 2017 and HSTS support has just arrived to Qt developers as shown here: https://en.wikipedia.org/wiki/Qt_version_history 5.9 and TS3 is still on 5.6. You can see Mozilla's support for it back in 2012: https://support.mozilla.org/en-US/questions/942924
Why the fuck are you still running TeamSpeak 3 outside of virtualization? There is no reason to take this unnecessary risk. This is like putting your dick in a homeless person's bum; no protection.
In the very end of all this, there are two people responsible for the security of TeamSpeak 3. That is yourself and TeamSpeak 3 developers or the company itself. From the interview R4P3's security team had with TeamSpeak's two CEOs, we understand that security is not at the top of their list of things to do. Instead, the response to us was more about quieting our community and ultimately leading to a shutdown of our research on the security of TS3.
Your responsibility to securely run TeamSpeak 3: Install virtualization software such as VMware Workstation Pro ( https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/14_0 ). When installing an operating system to run TeamSpeak 3, consider something secure like Tails Linux or Kali Linux. This is assuming you will not have confidential information on the mentioned virtual machine OS. If you are just looking for a simple operating system, consider Ubuntu Desktop. Keep in mind that if someone breaks out of your TeamSpeak 3 instance, your real IP may be leaked even if you are running a VPN on the virtual machine. Ideally, the host machine where you are running the VM should have a secure VPN setup. Two common IP leaks on systems using a VPN are an IP leak by DNS and and WebRTC/STUN. Consider using a custom DNS with your VPN solution. I like NordVPN as a VPN provider. After your VPN is configured, think about going to Google and take a look at "IP Leak Test", check around if you want to test if your VPN is working to maximize privacy. While these steps are more for privacy, they are optional. Separating your TeamSpeak 3 instance from your main operating system is not optional from a security standpoint.
TeamSpeak's responsibility as the company (TeamSpeak Systems GmbH) and developers: Knock down your security shortcomings by going after cybersecurity talent, specifically someone experienced with application security. I realize there is a shortage of talent globally, but if you look in the right direction I promise you may be surprised how much safer your software may become by giving the right cybersecurity researchers a chance. You need a dedicated individual to inspect the life-cycle of your application's code. When a new feature is added that allows an input, is the input secure? When a connection is handled in your server software, will it crash if simply an integer is missing? Throughout all of your applications, what does error handling look like? Is garbage collection being implemented properly to keep memory usage appropriate? An application audit would keep your users much safer and give your developers an idea of where they can improve security practices which can make your current code safer and help your company and applications for the life of your hopefully successful future.
In R4P3's past, we COULD HAVE done very dark things such as launch one of the largest self-spreading worms across the TS3 network. This was at a time when there were around a million users and most run on the Windows operating system. Keep your users safe, keep yourself safe --- everyone. R4P3 is only here to help.
By the graceful teamwork of R4P3's research and TeamSpeak Systems GmbH's rapid response, one of their most critical security issues was patched. Security can not always be responsive though, a proactive approach is recommended. Much like waiting to have a heart attack is a bad idea, just eat some fucking fruit and salad --- drink water.
Last edited:
