Google said on Wednesday that it plans to fix the Shady Hacking 1nstrument Makes Machine Enrollment Retreat (SH1MMER) exploit that can unenroll an enterprise Chromebook.
A Google spokesperson said the company was “aware of the issue affecting a number of ChromeOS device return merchandise authorization (RMA) shims and are working with our hardware partners to address it. In the meantime, we are currently advising admins to monitor suspicious unenrollment behavior.”
Google added that it will keep the community closely updated when it ships out a fix, but did not specify a timetable.
SH1MMER could be a headache for school district Chromebooks
Meanwhile, security experts interviewed by SC Media said SH1MMER was more than likely not a huge enterprise issue, but could cause headaches for school districts in particular.
“What we’re talking about here is jailbreaking a device,” said Mike Hamilton, founder and CISO of Critical Insight, and a former CISO for the city of Seattle who consults with many school districts. “For school districts, they probably have to be concerned about a tech-savvy student looking to exercise their skills.”
Discovered by the Mercury Workshop team and released on Friday, Jan. 13, SH1MMER references a shim, an RMA disk image that service techs use to reinstall an OS and run diagnostics and repair programs. A hacker could install it on a USB drive and use it to boot a Chromebook, which then shows an altered recovery menu that lets the hacker unenroll the device.
Hamilton said Google will need to modify the firmware on the Chromebooks. He said they have to get the firmware to check for cryptographic signatures on the rest of the authorization functions, not just the kernel functions, “because that’s where the crack is created to exploit it.”
“I think Google will fix this quickly and schools need to develop a policy on jailbreaking your Chromebook device and some kind of penalty for that to make it real,” said Hamilton. “Schools also have to make sure they can detect when a device goes out of policy. The danger here is if a student does this and there’s no endpoint security and the school doesn’t detect it and lock out the student, then some kind of malware could be introduced. I’m not going to call this a ‘nothingburger,’ but I’d be very surprised if it showed up at any scale.”
Mike Parkin, a senior technical engineer at Vulcan Cyber, agreed with Hamilton that school districts were the most at risk from tech-savvy students, but Parkin did say it was conceivable that a disgruntled insider working on the floor at a department store like Target or Walmart could launch such an attack.
“This is a physical-level attack,” said Parkin. “It would have to be a very focused attack. My biggest worry use case is much more of a student prank or bypass rather than an actual threat actor. I’m not saying it’s not possible or it won’t happen, but the more likely thing with this exploit is seeing a local tech-savvy student using it to get around the Chromebook restrictions because they want to. A disgruntled insider in a school IT department already has admin access so they wouldn’t be likely to do this.”