There are presumably tens of millions of enterprise-managed Chromebooks in the wild, and that makes them an attractive target for hackers. The recent discovery of the SH1MMER exploit is causing concern for many organizations that rely on Chromebooks for their daily operations.
SH1MMER (Shady Hacking 1nstrument Makes Machine Enrollment Retreat) is a potentially dangerous exploit capable of completely unenrolling enterprise-managed Chromebooks from their respective organizations, but useful for Chromebook owners who want to use the operating system while still maintaining their privacy. It was discovered by the Mercury Workshop team and was released on Friday, January 13th, 2023 (Friday the 13th but has mostly flown under the radar). We're unsure if the release date is a publicity stunt or merely a coincidence.
The exploit takes advantage of the ChromeOS shim kernel, specifically modified RMA factory shims, to gain code execution at recovery. RMA shims are factory tools that allow certain authorization functions to be signed, but only the KERNEL partitions are checked for signatures by the firmware. As a result, the other partitions can be edited as long as the forced read-only bit is removed. In simple terms, the exploit grants root access to all the filesystems on the Chrome OS device.
To build the exploit from source, a raw shim must be obtained. There are several ways to obtain a raw shim, including borrowing them from repair centers, acquiring a certified repair account, or finding them online. Finding the right shim is trivial if you check out chrome100.dev, where users can search for their Chromebook's model and download it without any roadblocks. It's not guaranteed you'll find your model there, but it offers a pretty good inventory.
The pre-built binaries for the exploit were originally available through the official mirror (dl.sh1mmer.me), but were later taken down due to copyright concerns and due to harassment and toxicity from the ChromeOS community. The team behind SH1MMER has expressed their frustration with the negative response and has encouraged users to build the exploit from source.
In conclusion, the SH1MMER exploit is a significant threat to enterprise-managed Chromebooks but can be a boon for hobbyists and Chromebook owners who want to get their hands dirty and truly own their devices.
Corrections: We were contacted by ULTRA BLUE of the aforementioned Mercury Workshop. ULTRA BLUE offered the following corrections to this news article:
- "SH1MMER actually is not useful at all for people with Chromebooks that are not enrolled, as you can use developer mode to install a different operating system with the same script as SH1MMER has for that. The only usage for SH1MMER for someone who doesn't have an enrolled Chromebook would be to unbrick."
- "chrome100.dev does NOT have shims, they have recovery images. The file structure is almost exactly the same, but shims are what have the vulnerability that allows us to remove enrollment."
ULTRA BLUE also shared the instructional video below explaining how to apply the exploit.
10 Comments - Add comment