All the stars aligned in January for SH1MMER, a big stinkin’ problem for schools and organizations managing Chromebooks from select vendors and select chipsets. SH1MMER allows end users to unenroll their assigned devices from organizational management and ultimately avoid device restrictions applied by their institution. You might think of it like a jailbreak for school devices. And it was created by a group of… you guessed it: teenagers. Specifically high schoolers and one middle schooler, who call themselves the Mercury Workshop team (MW). This group reached out to the K12 Tech Talk Podcast last week to clear the air on a few things. Now that we’ve had the opportunity to talk to some of the people at MW, and had a few days to download and try SH1MMER ourselves, we have a better understanding of the implications of this Chromebook vulnerability turned exploit. So, let’s talk about how we got here and what we can do moving forward.
A big deal or nah?
First off, is this actually a big deal?
Some schools have said they can mitigate the exploit through network access controls and by creating alerts for inactive devices. These mitigations may discourage students from using it on their school-issued Chromebooks. But in the sense that an institution’s ability to control its devices, at the most fundamental level, has been compromised — yeah, it’s a really big deal. All it takes is a person with a little know-how to unenroll a device. If a student doesn’t bring a device back or it goes missing, an individual just needs SH1MMER to set it up as their own.
We’ve spent a lot of time debating how much airtime to give this topic for fear that it would shed more light on a situation that we’re trying to control. Ultimately we’ve recognized that this is an inflection point and a learning opportunity for all involved. But who is involved, and who needs to learn a lesson here? Let’s unpack that.
The proverbial finger-pointing game
Ultimate blame
To paraphrase Josh from the K12 Tech Talk Podcast: Every device has a vulnerability. But how easy that vulnerability is to exploit is another discussion.
In this instance we are dealing with what appears to be a security-by-obscurity setup. And guess what: in any instance where students are involved, they will find that obscure method to get around it. This is not to call MW’s exploit elementary; we’ll continue to unpack that at a later time after we’re able to analyze the exploit in more detail.
The fact that the exploit was created is huge. It will draw ire from some, brings up legal questions for others, and ultimately lands us in an ethical conundrum. As Mark from the K12 Tech Talk podcast said, just because you found an unlocked door does not mean you should open it. So to MW: we see you and know that what you did to open that door was creative and innovative —- but tread very lightly. Just because you found a way in doesn’t mean you should be there. Again, to quote Mark: “Please use your skills for bettering yourself and bettering your community. Be very careful going down this pathway. Because your skills have clearly opened up a lot of doors, they will open up a lot of doors. You can quickly close those doors.”
So much to say, ultimate blame for the exploit does lie with MW, but we’ll talk more about motives and reasoning later when we get to lessons learned.
More blame
The second layer of blame here lies with the creators of the hardware and the software/OS. In this instance it appears to be Lenovo that had shims available for this group to find, then Google for creating a boot system that could be compromised with access to and modification of shims.
MW indicates that they found the shims on a publicly indexable site. Rafflesia of MW mentioned to K12 Tech Talk that “Lenovo kept all their shims public and we found them indexed on Google.”
Whoa. If this is true, whoa, Lenovo. And even though it might have been on Lenovo’s site, those shims apply to all Chromebooks using the same boards as Lenovo. Again, Rafflesia mentions, “The shims aren’t manufacturer-specific, they are board-specific, meaning a Lenovo shim for Octopus will work on a Dell Octopus Chromebook.” A full list of affected boards can be seen by accessing the public file share published on SH1MMER.me.
You can reference these board names to see if they apply to your model of Chromebook on Chromium.org.
To date, Google has not done anything more than release statements that they are working on fixes for this. We found the statement along with some remedial steps by Google on edugeek.net.
Google is aware of an issue affecting a number of ChromeOS devices, which requires Google to collaborate with ecosystem partners on a fix. User data on impacted devices is not exposed. As a security best practice, we recommend Enterprise and Education administrators monitor for unenrolled and inactive ChromeOS devices.
Our exchanges with MW indicate they believe there will be nothing Google can do for current hardware, only hardware moving forward. To quote MW’s Rafflesia: “While Google is working on a fix, the fix is likely going to take a while and only affect models released from today onwards, existing models will continue to be affected, as this is a bootrom exploit basically.” She also points out that “the actual exploit itself takes advantage of a flaw in the initramfs.”
So this is a flaw in how Google has set up the boot security of the Chromebooks. Rafflesia says, “Shims aren’t actually supposed to boot for enrolled Chromebooks, and it checks for that, but the check passes since the check in the shim initramfs doesn’t mount crypto home which stores the enrollment information.”
Final —- and initial —- blame
But where did it all start? How did these high school students even get this idea?
Well, it was us and our naïveté, collaborating in an open forum on Reddit.
From the SH1MMER credits page:
Just a few techs talking about the Chromebook repair menu, and they started talking about shims. These kids were lurking there and realized this was the real starting place. If they could just get a hold of some shims, they might be able to engineer the process further. And the rest is history.
Lessons learned
We can play an entire game of what-ifs here. If it wasn’t MW, it might have been someone else. If Lenovo hadn’t (allegedly) had the shims available publicly, would we be here? If Google had just engineered its boot process differently for enrolled Chromebooks, would it be a different situation? If these techs hadn’t been talking about this in a public forum, would these teenagers have found their starting point?
Yeah, we can play that game, but it does us no good. Clearly all the stars aligned and MW was able to create this exploit. There’s not much that can be done other than set up alerts to let you know when a Chromebook is showing inactive, follow Google’s remedial steps, and hope and pray that Google comes up with some means to reverse this problem on the affected boards.
But there is more to this situation than taking the sit-and-wait approach, playing the blame game, or asking what if. There are plenty of lessons to be learned. We’ll address them by each party involved.
School technology departments, administrators and teachers:
MW wanted us to know they created the exploit because they believe their privacy is being infringed upon. When pressed on why MW created the exploit, Rafflesia said, “Well, it’s a bit complicated on that front; the purpose is not for theft, but rather more so for student privacy.” She said she felt uncomfortable to have ”something watching me 24/7, especially when it’s the only device we are allowed to have in a place we are forced to go.” She also mentioned that schools should do more to help students be safe through self-reporting programs as opposed to using technology-monitoring software.
We’ll all go through disagreement with what level of monitoring is acceptable, but the reality is this: students need us to take their safety seriously, and they want us to take their privacy seriously. Students are legitimately asking us to ensure that their right to privacy is protected and that they are kept safe in our schools.
We hear you loud and clear. We can’t promise that you’ll have invisibility on our networks, but we can promise you that we’ll take your concerns seriously, and we will do our best to ensure your security/privacy and to involve you in conversations around those topics.
Mercury Workshop team (and all students):
School technology departments care about you. Genuinely. We don’t set up restrictions because we want to spy on you or make your day more difficult. We’re genuinely concerned for your safety and trying to ensure that you are able to do the things you need to do in school to keep learning to the best of your abilities. Many of us are required by federal law (CIPA) to filter the content on your devices. This is to ensure that objectionable and obscene content doesn’t come through to you while you are using a school device. We have to abide by this law. With regards to monitoring software that monitors for sentiments, we employ this to ensure that we are doing everything within our power to get you help when you need it. In my school alone, I have been able to use our monitoring software to catch suicide ideation, bullying and other threats.
When something bad happens in a school, one of the first things people ask is: “Could the school have done more?” We’re always trying our best to do all we can, and you know as well as we do that technology can be used for bad and it can be used for good. We try our best every day to use it for good and to give you the best experience. Many of us around the country and the world working in school technology are underpaid, overworked and, as a whole, undervalued — but we do it for you. We truly care.
MW, and all students, your technology department would love to work collaboratively with you. We would love to help you find avenues into the career of your dreams in cybersecurity or the tech field. Let’s harness your endless creativity and ingenuity to do great things for your community and your country as a whole. Please, let us work together.
Google, Lenovo, et al.:
Please, pretty please, come up with something better to ensure institutional devices can’t be unenrolled. And as far as shims go, maybe make access to these not so ubiquitous or (allegedly) publicly available.
All K12 tech pros:
We need to find a better way to talk about sensitive topics, including device repair, content filtering and network security. Public forums are where many lurk to find our vulnerabilities. Here at K12TechPro we’re dedicated to helping techs find this avenue for secure communication, and we’ll be trying our best to develop something in the near future. Because we all need a place to be able to collaborate and become the best professionals possible, but we need to do it in a place where we can verify identity and control access.
While all the stars have aligned to SH1MMER, not all hope is lost. We have much to learn, and I hope we can keep an open line of communication between all parties involved — to make a better future for device security, for student data privacy and student safety, better communication with our students, and more secure communication about sensitive topics school techs need to talk about.
We’ll revisit SH1MMER in the coming weeks. A big thanks to Chris from the K12 Tech Talk podcast for facilitating the email exchange with MW this week. And to Josh and Mark, thanks for taking my incessant questions and calls for information and opinions.
We at K12TechPro are committed to helping empower school technology personnel to learn, communicate and collaborate in a secure manner.
super wholesome
oh god i can’t edit my comments
anyway this is the best sh1mmer article i have ever seen
Thank you! I hope you know that our comments and address to you all are sincere.
The k12sysadmin thing was a joke, we weren’t actually inspired by them, but we just found the post while looking through information on RMA shims. The post was actually particularly unhelpful since it was talking about shimless RMA, which is not something we ended up using, we really just added that to the credits as more of a humor thing
Definitely good to know. We’ll probably be making some edits, but the lessons learned for us will still apply. Thanks!
Wanna know something funny? The way that we actually found the download for the shims was on accident while looking for Wi-Fi drivers for Windows on a Chromebook.
That’s interesting. This ended up all being on Lenovo’s site, right? And has Lenovo since pulled it down?
It’s funny how a Windows driver search comes up with this. That’s odd to say the least.
As someone who has tried for years to find ways for K-12 administrators to collaborate and share resources, unfortunately Reddit has been the only truly reliable and open platform for discussion.
Email lists suck, and I don’t need yet another message filtering category in my mailbox.
Every lock must have a key, and if those keys are easily found, it’s not our fault as network administrators for revealing that flaw. It’s the fault of whoever was supposed to be responsible and careful with the security tools they were provided, and failed to do their job correctly.
The main challenge here is that the person who screwed up is inside a huge multibillion dollar company that is going to close ranks and deny they are at fault. At the very least the Lenovo corporation should be financially liable for replacing all the affected systems with replacement unreleased security keys — including from other manufacturers sharing that keyring.
As K-12 administrators in schools that are already usually underfunded, we don’t have the resources to actively sue Lenovo for damages, so whoever did this is likely going to walk away free of consequences.
All we can really do is say, “LENOVO you dumb dumbs. FIX your Chromebook security hole and DON’T do it again. Your employees were TRUSTED with this important security management and you SCREWED IT UP.” And try to move on.
It also shows that Google needs to do a better job with Chromebook security. Each manufacturer needs to be issued a unique key, so that one lackluster idiot that was improperly entrusted with security tools at one company can’t affect the product line at another company.
Even within a single manufacturer, the device master key burned into the motherboard security chip should be changed every month or so. This minimizes damage so that one person at that one manufacturer bungles their key management for their current product offering, it does not impact that manufacturer’s entire product line going back years, and the damage can be halted immediately.
Lessons learned…
I definitely agree with this. And I want to clarify that I don’t fault K12 Techs for communicating on Reddit. I just want us to be aware of what we post on there and see if we can come up with secure avenues for communication. We’re working on ways to make our forums secure and trying to find ways we can vet k12 techs if possible.
I’d recommend a discord and invites require us to verify identity by out district email address. This makes it strictly invite only and it gives us a great forum to collaborate with our neighboring districts.
This was really informative. As K12 IT, we need to be informed.
MW, grats on exposing a rather large security hole in Google Enterprise! As Chris pointed out already, your skills can carry you far in the tech world.
🐟