Researchers at Mercury Workshop invented a new exploit called Sh1mmer, that would allow anyone to unenroll their enterprise-locked Chromebooks for more flexibility.
This exploitation tool is available for a range of Chromebooks and needs a simple installation process to crack through. Google said it’s aware of the tool in the wild and is working to address it.
Unenrolling an Enterprise Chromebook
With Chromebooks being lighter and faster, many organizations are leveraging them in their regular workflows – by letting employees have them in their homes for remote working. Well, though they let these devices go away with employees, they’re in full control of them with special access.
And it’s called managed services, where an organization can remotely control them and dictate how they can be used. Well, breaking the chain, a new exploit named ‘Sh1mmer’ is introduced by the Mercury Workshop team that would let anyone bypass the enterprise restrictions laid on their Chromebooks!
Explaining it, the ‘Shady Hacking 1nstrument Makes Machine Enrollment Retreat’, or ‘Sh1mmer’, relies on publicly leaked RMA shim for its process. These are the disk images containing a combination of the ChromOS factory bundle components and manufacturer tools used to install and repair the OS.
brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork
With these shims available publicly for most Chromebook models (as above), Sh1mmer modifies them to break the enterprise chain and offer users more flexibility to unenroll and re-enroll a device as needed, enable USB boot, allow root-level access to the operating system, open a bash shell, etc.
Interested users need to install Sh1mmer with an online builder from these researchers and then run the Chrome Recovery utility. While it’s not recommended to do so – people who tried said it worked exactly as promised. Unfortunately, system admins of the concerned enterprise wouldn’t know if the Chromebook is exploited or not if injected with Sh1mmer.
But since the infected Chromebooks show inactive status, they can surely spot on and launch an investigation. Responding to BleepingComputer’s request, Google said it’s aware of this exploit in the wild and is working to address the issue.