Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SH1MMER. SH1MMER - you may pronounce the "1" as an "i" - is a shim exploit, or more specifically, a weaponized Return Merchandise Authorization (RMA) shim. A shim is Google-signed software used by hardware service vendors for Chromebook diagnostics and repairs.

With a shim that has been processed and patched, managed Chromebooks can be booted from a suitably prepared recovery drive in a way that allows the device setup to be altered via the SH1MMER recovery screen menu.

"You will now be able to, among other things, unenroll your Chromebook," the Mercury Workshop explains on its exploit website. "It will now behave entirely as if it is a personal computer and no longer contain spyware or blocker extensions. After you do this and get past the 'determining device configuration' screen, you will be able to actually turn dev mode on."

An RMA shim incorporates the Chrome OS factory bundle components: the factory install shim, a release image, a test image, a factory toolkit, a HWID bundle, and possibly other elements. Building a universal RMA shim involves using Google's image tool to download the factory software bundle, modifying it with the necessary components, and creating a binary that then gets flashed to a USB drive. A Chromebook in developer mode can then be rebooted from that drive image and evaluated for potential repairs.

Those using managed Chromebooks - 50 million teachers and students, by Google's count - don't normally have developer mode enabled. SH1MMER can be applied regardless using the Chromebook Recovery Utility extension, a browser extension for creating recovery media. Doing so requires obtaining a board-specific RMA shim that has been leaked online or obtained through hacking, and then patching it using the exploit builder.
The tool works because, as one of the hackers involved explains, ChromeOS firmware checks signatures only on kernel partitions. Other partitions can be edited once the forced read-only bit is removed.

In a statement provided to The Register, a Google spokesperson said, "We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it."

The Mercury Workshop, 15 geeks credited with developing the project, warns that some pre-patched binaries found online may brick Chromebooks when applied. They advise patching a known valid shim rather than simply trusting files found online.

The hardware liberators suggest adding a personal account first on an unenrolled device and then adding a school account, to enable switching back and forth to an uncontrolled environment. They also state that they do not endorse SH1MMER or device unenrollment as a means to cheat at school.

In a discussion on Hacker News, IT types who developed their skills by breaking the less sophisticated systems of yore expressed sympathy for students trying to escape administrative control.
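To make the signature-coverage point concrete, here is an added toy model (not code from SH1MMER, the Mercury Workshop, or Google's tooling) of an image with a kernel partition and a root partition: a firmware check that covers only the kernel accepts an edited root partition, while a check that also verifies a dm-verity-style root hash carried inside the signed kernel rejects it. The signing key, the HMAC standing in for the vendor signature, and the partition contents are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo material: the key and HMAC stand in for Google's RSA
# signature, and the partition bodies stand in for real image contents.
SIGNING_KEY = b"constructed-demo-key"
KERNEL_BODY = b"vmlinuz: boot code that runs the shim's tooling"
ROOT_BODY = b"rootfs: scripts and tools executed after the kernel boots"


def sign(data: bytes) -> bytes:
    """Stand-in for the vendor signature over a blob (HMAC for the demo)."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def build_image(bind_root: bool) -> dict:
    """Build a two-partition image. With bind_root=True the signed kernel
    also carries a dm-verity-style hash of the root partition, so any edit
    to root breaks the chain; with False, root is not covered by anything."""
    kernel = KERNEL_BODY
    if bind_root:
        kernel += b"\nroot_hash=" + hashlib.sha256(ROOT_BODY).hexdigest().encode()
    return {"kernel": kernel, "kernel_sig": sign(kernel), "root": ROOT_BODY}


def firmware_kernel_only_check(img: dict) -> bool:
    """Model of firmware that verifies signatures on kernel partitions only."""
    return hmac.compare_digest(sign(img["kernel"]), img["kernel_sig"])


def full_chain_check(img: dict) -> bool:
    """Kernel signature, then the root hash the signed kernel vouches for."""
    if not firmware_kernel_only_check(img):
        return False
    marker = b"root_hash="
    if marker not in img["kernel"]:
        return False  # nothing signed vouches for the root partition
    expected = img["kernel"].split(marker, 1)[1].strip().decode()
    actual = hashlib.sha256(img["root"]).hexdigest()
    return hmac.compare_digest(actual, expected)


def edit_root_partition(img: dict) -> dict:
    """Modify the non-kernel partition, leaving the signed kernel untouched."""
    return {**img, "root": img["root"] + b"\n# edited content (constructed)"}
```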
This Cyber News was published on packetstormsecurity.com. Publication date: Wed, 01 Feb 2023 19:26:55 +0000