There’s a battle raging between a group of creative students and system administrators from the K12SysAdmin group on Reddit. On January 13, 2023, an anonymous group of students published a way to unenroll managed Chromebooks they are calling “Sh1mmer.” (not linking to minimize their SEO juice, but you can Google it if you want!) This sophisticated hack is frustrating (and impressing) the entire K12 security industry, including Google.
This exploit isn’t easy and requires time and patience (two things that students have in large supply). Essentially, the hack involves replacing a verified copy of ChromeOS with a modified version that bypasses the typical enrollment checks. I can already hear system admins saying to themselves, “Wait, that’s not supposed to be possible! We have verified boot enabled for our domain!”
This is where things get interesting
Every Chromebook is built on a baseboard designed by Google. This board contains all the essential components of a computer such as a processor, wifi radio, Bluetooth, etc. Manufacturers like Lenovo, HP, and Dell select and use a baseboard to design the models that eventually end up in schools. Those hardware manufacturers are provided with a “shim” that gives them root access to the components of the baseboard so that they can tinker and optimize the board for the models that are under development.
Chromebooks are highly secured. With verified boot and write protection, it’s difficult for the service center to run diagnosis and repair programs (usually built and customized by partners) because those won’t be signed by Google. Service centers may also have limited (or even no) network access. In general, what the partner needs is a tool that fulfills these requirements (aka a shim).
(Source: Official Chromium Repository)
These shims are supposed to be secret, like an API key. Unfortunately, someone at Lenovo didn’t lock them up and these enterprising students found them publicly accessible on the web. These shims are the basis for the Sh1mmer exploit. Fixing this exploit is difficult as the whole purpose of a shim is to give root access to hardware; you can’t exactly go back and remove them.
There is some good news, however
First, the Sh1mmer exploit only works on a specific set of baseboards: 24 of them, to be exact. Of these 24 boards, some are very old (2014) and are unlikely to still be in active use. Others are rarely seen in a classroom setting (Lenovo Duet, Samsung Galaxy Chromebook, etc.). That being said, there are some popular models from Lenovo, CTL, and HP that are in active classroom use, including the Lenovo 100e (Octopus) and CTL NL7 (Coral).
The second piece of “good” news is that taking advantage of this exploit is not exactly simple. Students would need to complete a series of complex steps to use the exploit including removing the existing OS, compiling a new image from source, and side-loading the modified OS onto the machine. Not impossible, but certainly not easy.
How to prevent Sh1mmer
Google is aware of the problem and is considering a long-term solution. In the meantime, the K12SysAdmin group on Reddit has been working overtime to compile a list of ways to minimize your exposure to the Sh1mmer exploit:
- Limit student access to the ChromeOS recovery tool.
- Change and secure your primary wifi password (unmanaged devices won’t be able to connect if they don’t know the password).
- Limit the ability to re-enroll devices.
- Set up inactive device notifications.
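Inactive device notifications work because a Chromebook that has been unenrolled out-of-band simply stops checking in with the admin console. As an added example (not part of the original post or of any Google tool), here is the detection logic behind such a notification, run over a constructed list of device records shaped like the Directory API chromeosdevices resource (serialNumber, status, lastSync, orgUnitPath, model); the threshold of 14 days is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the Directory API
# chromeosdevices.list response. Serial numbers and OU paths are made up.
SAMPLE_DEVICES = [
    {"serialNumber": "CTL-NL7-0001", "status": "ACTIVE", "model": "CTL NL7",
     "lastSync": "2023-01-31T08:00:00Z", "orgUnitPath": "/Students/Grade9"},
    {"serialNumber": "LEN-100E-0042", "status": "ACTIVE", "model": "Lenovo 100e",
     "lastSync": "2023-01-10T15:30:00Z", "orgUnitPath": "/Students/Grade10"},
    {"serialNumber": "HP-G6-0007", "status": "DEPROVISIONED", "model": "HP G6",
     "lastSync": "2022-12-01T00:00:00Z", "orgUnitPath": "/Retired"},
    {"serialNumber": "LEN-100E-0099", "status": "ACTIVE", "model": "Lenovo 100e",
     "lastSync": "2023-01-02T09:00:00Z", "orgUnitPath": "/Students/Grade10"},
    # Never synced at all: lastSync is absent from the record.
    {"serialNumber": "SAM-GAL-0003", "status": "ACTIVE", "model": "Galaxy Chromebook",
     "orgUnitPath": "/Staff"},
]

# Fixed reference time so the example is reproducible offline (assumed).
REFERENCE_NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """lastSync is RFC 3339 with a trailing Z; fromisoformat needs +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_inactive(devices, now, max_idle_days=14):
    """Return (serialNumber, idle_days, orgUnitPath) for every ACTIVE device
    that has not synced within max_idle_days. idle_days is None for a device
    that has never synced. Longest gap first, never-synced devices last."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for d in devices:
        if d.get("status") != "ACTIVE":
            continue  # deprovisioned/disabled devices are expected to be silent
        ts = d.get("lastSync")
        if ts is None:
            flagged.append((d["serialNumber"], None, d.get("orgUnitPath", "/")))
            continue
        last = parse_rfc3339(ts)
        if last < cutoff:
            flagged.append((d["serialNumber"], (now - last).days, d.get("orgUnitPath", "/")))
    flagged.sort(key=lambda r: -1 if r[1] is None else r[1], reverse=True)
    return flagged


def check_sample():
    """Run the check over the constructed records at the reference time."""
    return find_inactive(SAMPLE_DEVICES, REFERENCE_NOW)


if __name__ == "__main__":
    for serial, idle, ou in check_sample():
        print(f"{serial:15} idle={idle!s:>4} days  ou={ou}")
```

Against a real fleet you would feed the function the records returned by the Directory API and page through them; the logic is the same.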
If you are concerned about the security of your Chromebook fleet, consider joining me for the Chromebook Academy, my comprehensive Chromebook management course for IT administrators. We’ll certainly be talking about Sh1mmer!
Those meddling kids!
The students responsible for Sh1mmer infiltrated the K12SysAdmin subreddit and have been monitoring the conversation. Just this week, one of the members of the group – “Rafflesia” – reached out to the host of the K12TechPro podcast and provided this justification for the Sh1mmer hack:
“Well, it’s a bit complicated on that front; the purpose is not for theft, but rather more so for student privacy.” She said she felt uncomfortable having “something watching me 24/7, especially when it’s the only device we are allowed to have in a place we are forced to go.” She also mentioned that schools should do more to help students be safe through self-reporting programs as opposed to using technology-monitoring software.
(Source: K12 Tech Pro Blog)
The most surprising thing that came from the conversation with “Rafflesia” was the admission that everyone in the group is in high school except for one member, who is in MIDDLE SCHOOL! Someone needs to find out who these kids are and HIRE them!