Sh1mmer on Chromebooks

On Episode 104 of the K12 Tech Talk podcast, Chris, Josh, and Mark discussed the sh1mmer vulnerability on Chromebooks. This came up because of a Reddit thread talking about it. This article is a recap of that conversation.

Josh – There’s a new vulnerability, or you might say exploit. It’s kind of a third party related thing though. Students have found a website that has, more or less, a knockoff version of a shim for Chromebooks. Shims are typically owned by the manufacturer and only certified repair people can have access to them, and it is specific to the make and model of the device, or at least the manufacturer of the device. Somehow, somebody made a generic shim and you can download it, put it on a USB drive, and you can use it to shim Chromebooks. And, in that process, you can change the device name, you can change the serial number, you can tell the device to not auto re-enroll. So, if you do so, you can wipe it and then you have a free to roam Chromebook.

Chris – Folks on the Reddit thread discuss the different options to try and stop this. The just of what Josh and I have landed on is to at least block these domains:

Josh – As far as taking other steps, it’s Whack a Mole. I don’t have the staff to take that much time and do that deep of due diligence.

Mark – You know, it kind of goes back to CIPA. We have a responsibility to block inappropriate content… reasonable attempts to block inappropriate content. But I do think that you just can’t spend your entire day staring at firewall logs and filtering logs and you need to take reasonable steps, and you need to move on and spend your time on things that have a little bit more of a productive impact. You would drive yourself crazy if you’ve just spent all day long trying to chase down every possible loophole to your systems. As long as you put reasonable effort into it, you are covered.

We unpack a lot more about this on the episode; have a listen.

Leave a Comment