New Chromebook Exploit Lets Users Unenroll Managed Devices

Security experts developed a new exploit that lets users unenroll enterprise-managed Chromebooks to skirt restrictions organizations impose on the use of their devices.

The exploit, dubbed “Shady Hacking 1nstrument Makes Machine Enrollment Retreat,” or Sh1mmer, was developed by Mercury Workshop Team researchers and involves modifying publicly leaked RMA shims.

Schools and organizations usually enroll devices such as Chromebooks to make them easier to manage centrally. Administrators can perform various tasks on registered devices, such as force-install apps, roll out emergency updates, or restrict how users interact with the device.

Enrolled devices are also nearly impossible to unenroll from enterprise management without help from the organization’s administrator.

RMA shim images are USB-stored disk images comprising existing ChromOS factory bundle components, including a factory install shim, a test image, a factory toolkit, and an HWID bundle. They facilitate reinstalling operating systems and firmware and performing various repairs and diagnostics operations on managed machines.

Sh1mmer enables users to inject the exploit into a publicly leaked RMA shim through an online builder. Users can then perform several operations that had been restricted through the Chromebook Recovery utility, such as:

• Unenroll and reenroll devices
• Launch a Bash terminal
• Unblock developer mode
• Enable USB boot
• Disable rootFS verification
• Wipe GBB (Google Binary Block) flags

Sh1mmer’s developers released a list of boards that have publicly leaked RMA shims, including:

brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork

According to BleepingComputer, Google is aware of the exploit and working towards addressing the issue. However, the company failed to provide additional details on either preventing the exploit or detecting exploited devices.

Reportedly, Sh1mmer-exploited devices will show up as inactive on administration consoles. As a member of the k12sysadmin community on Reddit pointed out, administrators could set up alerts for devices that become inactive and determine if the events were caused by the exploit or not.