Hackers from The Mercury Group have developed the exploit SH1MMER that can “liberate” Chromebooks from business management functionality and limitations. Google is working with its hardware partners on a solution to fix it.
Specifically, SH1MMER is a modified Return Merchandise Authorization (RMA) shim. A shim is software signed by Google that allows hardware service providers to diagnose and repair Chromebooks.
That software consists of the Chrome OS factory bundle components: the factory install shim, a release image, a test image, a factory-supplied toolkit, a Hardware Identification (HWID) bundle and possibly other elements. These components may be generic or board-specific.
Customizations of managed Chromebooks
With a custom and patched shim, managed Chromebooks can be booted from a prepared recovery drive. The setup of the affected device can then be modified via the SH1MMER recovery screen menu.
According to The Mercury Group’s hackers, business-managed Chromebooks can therefore be set up as personal devices, removing any business spyware and extension blocks. The Chromebook can then also be put into developer mode, something not normally possible with managed Chromebooks.
Downloads already available
The required custom RMA shim can be downloaded once it has been leaked online, or it can be obtained at a hacking session. The shim is then loaded onto the Chromebook via recovery media such as a USB stick or an SD card. The hackers have since released a list of reliable shims after it was discovered that some shims circulating online were “bricking” Chromebooks.
Google on notice
Speaking to The Register, Google says it is aware of the exploit and that a number of ChromeOS shims have been affected. A solution is now being worked on with hardware partners.
Meanwhile, it has also disclosed how businesses and institutions can check whether their managed Chromebooks have been cracked. Companies should be attentive to devices that have not been recently synced and should disable enrollment permissions for most users.
In addition, they are advised to block downloads of the Chrome Recovery Utility extension, block access to chrome://net-export to prevent the stealing of wireless login credentials and block access to websites that distribute exploit tools such as sh1mmer.me.
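One way to run the “not recently synced” check Google recommends above, as an added example that is not from the article or from Google: it filters the device list returned by the Admin SDK Directory API (the chromeosdevices.list response; the field names used here are an assumption about that API’s shape) for active devices that have never synced or have not synced within a threshold.

```python
from datetime import datetime, timedelta, timezone

# Threshold after which a managed device that has not checked in is worth a look.
STALE_AFTER = timedelta(days=14)


def parse_rfc3339(ts: str) -> datetime:
    """Parse RFC 3339 timestamps such as 2023-01-10T08:30:00.000Z (assumed API format)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_devices(devices, now, stale_after=STALE_AFTER):
    """Return (serialNumber, reason) for every ACTIVE device that has not synced recently.

    `devices` is the 'chromeosdevices' array of a chromeosdevices.list response
    (field names are an assumption). DEPROVISIONED or DISABLED devices are
    skipped because they are not expected to check in at all.
    """
    flagged = []
    for dev in devices:
        if dev.get("status") != "ACTIVE":
            continue
        serial = dev.get("serialNumber", dev.get("deviceId", "<unknown>"))
        last = dev.get("lastSync")
        if not last:
            flagged.append((serial, "never synced since enrollment"))
            continue
        age = now - parse_rfc3339(last)
        if age > stale_after:
            flagged.append((serial, f"last sync {age.days} days ago"))
    return flagged


# Constructed sample response, not real inventory data.
SAMPLE_DEVICES = [
    {"deviceId": "d-1", "serialNumber": "5CD0AAAA01", "status": "ACTIVE", "lastSync": "2023-01-31T12:00:00.000Z"},
    {"deviceId": "d-2", "serialNumber": "5CD0AAAA02", "status": "ACTIVE", "lastSync": "2023-01-10T08:30:00.000Z"},
    {"deviceId": "d-3", "serialNumber": "5CD0AAAA03", "status": "ACTIVE"},
    {"deviceId": "d-4", "serialNumber": "5CD0AAAA04", "status": "DEPROVISIONED", "lastSync": "2022-06-01T00:00:00.000Z"},
]
NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for serial, reason in stale_devices(SAMPLE_DEVICES, NOW):
        print(f"{serial}: {reason}")
```

A device that stops syncing is only a lead, not proof of tampering; it should be cross-checked against the enrollment and recovery-media controls Google lists above.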