If you’re one of the more than 50 million Chromebook users in education (though Google (opens in new tab)’s figure is almost a year out of date), then you’ll be familiar with the restrictions imposed on your laptop to keep you within the realms of its intended use as a classroom tool.
Similar restrictions are also placed on company-provided business laptops to keep you from doing certain non-work-related tasks, leaving you with little choice but to invest in a secondary device to use as your own.
That is, until now. A new admin control exploit, called SH1MMER, uses legitimate tools approved by Google to break out of restricted mode. The hack, known in the industry as a shim, is ordinarily designed for laptop repairers to run diagnostics and fix devices.
Chromebook admin restrictions
A GitHub post (opens in new tab) explains how the shim works:
“RMA shims are a factory tool allowing certain authorization functions to be is signed, but only the KERNEL partitions are checked for signatures by the firmware. We can edit the other partitions to our will as long as we remove the forced readonly bit on them.”
Following a set of instructions posted on the SH1MMER website (opens in new tab), which includes loading a USB with at least 8GB of storage with a shim image, users will be able to unenroll their Chromebook seeing it “behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions.”
Google is reportedly aware of the exploit that was found by the 15 members of the so-called Mercury Workshop, which was released on January 13, however several reports claim that it is still unpatched, including an education forum (opens in new tab).
The company says that Enterprise and Education administrators should continually monitor for inactive devices. They can also turn off enrollment permissions, block access to the Chromebook Recovery Utility extension, block access to chrome://net-export to prevent users from capturing wireless credentials, and block access to exploit-spreading website like sh1mmer.me, alicesworld.tech, luphoria.com, and bypassi.com/
TechRadar Pro is waiting to hear from Google whether it has issued a more permanent fix for this issue that could see many establishments in trouble.