A new exploit called ‘Sh1mmer’ allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions.
When Chromebooks are enrolled with a school or an enterprise, they are managed by policies established by the organization’s administrators. This allows admins to force-install browser extensions and apps and to restrict how a device can be used.
Furthermore, once enrolled, it is almost impossible to unenroll the device without the organization’s admin doing it for you.
To bypass these restrictions, security researchers from the Mercury Workshop Team have developed a new exploit called ‘Shady Hacking 1nstrument Makes Machine Enrollment Retreat’, or ‘Sh1mmer,’ that lets users unenroll their Chromebooks from enterprise management.
The exploit requires a publicly leaked RMA shim that the Sh1mmer exploit will modify to allow users to manage the device’s enrollment. The researchers say that the following Chromebook boards are known to have publicly released RMA shims:
brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork
For those unfamiliar with RMA shims, they are disk images stored on USB devices that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics.
To use this exploit, you need to download an RMA shim for your Chromebook board, use the researchers’ online builder to inject it with the Sh1mmer exploit, and then run the Chrome Recovery utility.
Using the steps detailed on the Sh1mmer site, you can load the modified RMA shim to launch the Sh1mmer menu, shown below.
From this menu, you can unenroll and re-enroll a device as needed, enable USB boot, allow root-level access to the operating system, open a bash shell, and more.
A member of the k12sysadmin Reddit group tested the exploit and stated that they could use the exploit to unenroll their Chromebook and use it as a brand new device.
“I tested with my spare Acer 311/722 this morning. It definitely does exactly what it says it will. Go to Utilities, wipe GBB flags, and then deprovision and reboot,” posted a technician to the /r/k12sysadmin Reddit group.
“I could then register it with my personal email and everything works just like a new out of the box device with no forced enrollment.”
Another system administrator warned that the use of this exploit likely breaks the student code of conduct and could lead to serious consequences.
“Other IT admins warn that this is a serious breach of school At this point, it’s practically vandalizing school property and breaking your AUP (probably),” wrote a k12sysadmin member.
“This isn’t a tech issue, it’s a discipline issue. Once you find out, have the school confiscate the chromebook and the IT Dept. re-enroll the chromebook to the network.”
“Take the kid’s district use of tech away for a year. They should learn their lesson.”
Google told BleepingComputer that they are aware of the exploit and are working to address the issue.
“We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it,” Google told BleepingComputer.
Unfortunately, they did not provide information on how admins can prevent the exploit or detect exploited devices.
However, when the Sh1mmer exploit is used, it will cause the device to show up as inactive in the administration console.
Another member of the k12sysadmin Reddit group said that admins could enable Inactive device notifications to receive emails when a device becomes inactive, allowing admins to look into it further and see if the exploit was used.
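For admins who want to act on the inactivity signal described above, the following is an added example (not code from the article, the researchers, or Google) that triages a device inventory export: it flags devices still marked as enrolled that have stopped syncing and lists boards from the leaked-shim list first. The `status`, `lastSync` and `serialNumber` field names are modelled on Admin SDK Directory API ChromeOS device records; the `board` key, the 14-day threshold and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Boards the article lists as having publicly released RMA shims.
LEAKED_SHIM_BOARDS = {
    "brask", "brya", "clapper", "coral", "dedede", "enguarde", "glimmer", "grunt",
    "hana", "hatch", "jacuzzi", "kukui", "nami", "octopus", "orco", "pyro", "reks",
    "sentry", "stout", "strongbad", "tidus", "ultima", "volteer", "zork",
}

# Constructed sample inventory; "board" is an assumed key you map from your own export.
SAMPLE_DEVICES = [
    {"serialNumber": "SN-CONSTRUCTED-1", "board": "octopus", "status": "ACTIVE", "lastSync": "2023-01-30T08:00:00Z"},
    {"serialNumber": "SN-CONSTRUCTED-2", "board": "octopus", "status": "ACTIVE", "lastSync": "2023-01-02T08:00:00Z"},
    {"serialNumber": "SN-CONSTRUCTED-3", "board": "eve", "status": "ACTIVE", "lastSync": "2022-12-01T08:00:00Z"},
    {"serialNumber": "SN-CONSTRUCTED-4", "board": "hatch", "status": "DEPROVISIONED", "lastSync": "2022-11-01T08:00:00Z"},
    {"serialNumber": "SN-CONSTRUCTED-5", "board": "dedede", "status": "ACTIVE"},  # never synced
]
NOW = datetime(2023, 2, 1, 12, 0, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2023-01-02T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_inactive(devices, now, max_idle_days=14):
    """Return enrolled devices that stopped syncing, leaked-shim boards first."""
    cutoff = now - timedelta(days=max_idle_days)
    hits = []
    for dev in devices:
        if dev.get("status") != "ACTIVE":
            continue  # an admin already deprovisioned or disabled this device
        last_sync = parse_ts(dev["lastSync"]) if dev.get("lastSync") else None
        if last_sync and last_sync >= cutoff:
            continue  # still checking in, nothing to review
        board = dev.get("board", "").lower()
        hits.append({
            "serial": dev["serialNumber"],
            "board": board,
            "idle_days": (now - last_sync).days if last_sync else None,
            "leaked_shim_board": board in LEAKED_SHIM_BOARDS,
        })
    # Leaked-shim boards first, then longest idle (never-synced counts as longest).
    idle = lambda h: h["idle_days"] if h["idle_days"] is not None else float("inf")
    hits.sort(key=lambda h: (not h["leaked_shim_board"], -idle(h)))
    return hits
```

A flagged device is a lead for follow-up, since a Chromebook can also go inactive because it is lost, broken or sitting in a drawer.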