Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Google has released an optional Chromebook update to fix a Trusted Platform Module flaw that allows attackers to access encrypted data.
- If a Chromebook user downloads Google’s latest optional security update to patch its Trusted Platform Module firmware, they’ll need to wipe all of their device data as well.
An optional security update for Chromebooks would force users to wipe all local data before installing.
While the update was originally detailed in a Chromium project page in October 2017, it was further explained in a Sunday post from Android Police. The update specifically fixes a Trusted Platform Module (TPM) firmware vulnerability that allows hackers to extract encrypted data.
The vulnerability is important because it shows that, while typically secure, thin clients and zero clients still present some risk to an enterprise organization. It also shows that, with the right exploit, some encryption can eventually be broken.
SEE: System update policy (Tech Pro Research)
The attack is very limited and cannot be carried out at scale, as it takes 140.8 CPU years to break a single encryption key, according to the Chromium page. However, some targeted attacks are possible, the page said. It’s also pretty far-reaching.
“With the exception of older devices that use the Infineon SLB 9635 TPM, all Chrome OS devices that include an Infineon TPM chip are affected,” the Chromium page said. A full list of affected devices can be found here.
What’s worse is that, if a user wants to run the update to account for the vulnerability, they will need to wipe their local user data to do so. As such, Google has made the update optional, the page said.
“Installing the TPM firmware update requires a hardware reset of the TPM chip. This means that all data held by the TPM will be discarded. This includes disk encryption keys, implying all user data stored locally on the device will be lost,” the page said.
Users and admins that need to perform this update should back up any important data (preferably in multiple places) before proceeding with the update. To account for the risk of the update failing, users should have a copy of Chrome OS recovery media close by, the page said.
For more information on how to determine if a specific firmware version is impacted, and for step by step instructions for installing the update, consult the Chromium page.