I Know What You Are Doing With Remote Desktop

Abstract

Remote desktop enables users to remotely access their computers via the Internet, which is widely used as a basic tool in areas such as remote work, remote assistance and remote administration. However, existing remote desktop is designed to work in the mode of updating user’s real-time command and remote screen’s state interactively for a better user experience, such working mode may cause serious side-channel information leakage problem in spite of encryption of the traffic, as revealed in this paper. We carry out an experimental research to assess the side-channel information leakage of six most popular remote desktop softwares in Windows 10 & 7 platforms: Anydesk, ConnectWise, MicroRDS, RealVNC, Teamviewer, and Zoho Assist. With the help of machine learning techniques including logistic regression, support vector machine, gradient boosting decision tree, random forest as well as statistic features of flow burst, we observe that an adversary can excellently uncover (top at 99.26% TPR, 0.57% FPR, 97.17% F1-score) 5 rough kinds of daily activities covering editing documents, reading documents, surfing webs, watching videos and installing softwares and even worse precisely classify 4 fine activities predefined as editing documents with Microsoft Office Word and the other three edit tools with high true positive rate and low false positive rate. Our results prove the fact for remote desktop traffic encryption mechanism is nothing sufficient to prevent side-channel information leakage and both users and providers of remote desktop should pay more attention to such serious privacy leakage problem.