Sh1mmer on Chromebooks

On Episode 104 of the K12 Tech Talk podcast, Chris, Josh, and Mark discussed the sh1mmer vulnerability on Chromebooks. This came up because of a Reddit thread talking about it. This article is a recap of that conversation.

Josh – There’s a new vulnerability, or you might say exploit. It’s kind of a third party related thing though. Students have found a website that has, more or less, a knockoff version of a shim for Chromebooks. Shims are typically owned by the manufacturer and only certified repair people can have access to them, and it is specific to the make and model of the device, or at least the manufacturer of the device. Somehow, somebody made a generic shim and you can download it, put it on a USB drive, and you can use it to shim Chromebooks. And, in that process, you can change the device name, you can change the serial number, you can tell the device to not auto re-enroll. So, if you do so, you can wipe it and then you have a free to roam Chromebook.

Chris – Folks on the Reddit thread discuss the different options to try and stop this. The just of what Josh and I have landed on is to at least block these domains:

sh1mmer.me

alicesworld.tech

luphoria.com

bypassi.com

coolelectronics.me

github.com/3kh0/ext-remover

github.com/coolelectronics/sh1mmer

Josh – As far as taking other steps, it’s Whack a Mole. I don’t have the staff to take that much time and do that deep of due diligence.

Mark – You know, it kind of goes back to CIPA. We have a responsibility to block inappropriate content… reasonable attempts to block inappropriate content. But I do think that you just can’t spend your entire day staring at firewall logs and filtering logs and you need to take reasonable steps, and you need to move on and spend your time on things that have a little bit more of a productive impact. You would drive yourself crazy if you’ve just spent all day long trying to chase down every possible loophole to your systems. As long as you put reasonable effort into it, you are covered.

We unpack a lot more about this on the episode; have a listen.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Are You Discussing EDR?

Student Device Rotation

Leave a Comment Cancel reply

Advocating for Growth-minded K-12 Tech Departments

K12 AI Guardrails Discussion

Choosing an MDR Q/A