
How to update Chrome OS firmware to improve security

To protect your Chromebook from a targeted attack on a firmware flaw, save your data and update your device. This four-step process shows you how.

According to The Chromium Projects, an attacker who has access to the public key could take advantage of a flaw in the Trusted Platform Module (TPM) firmware on many Chromebook models. The attacker could exploit this flaw to gain access to the private key created by the TPM.

Fortunately, a fix for the flaw exists, but it requires that you erase all data from your Chromebook and sign in as a new user. The process doesn't require more than a few minutes. However, the more devices you need to update, the greater the total time required.

Organizations will likely want to prioritize firmware updates on Chromebooks used by people with access to sensitive information. For example, people who work in healthcare or who carry a Chromebook across international borders should update as soon as possible.

Here's how to check your Chromebook firmware version and how to update your device without losing any data.

1. Check Chrome OS firmware version

Open a new browser window on your Chrome device, enter chrome://system, then press Enter. Wait a bit for the page to fill with the details of your system. Scroll down toward the end of the page until you see tpm_version along the left. Select "Expand..." to see your device's TPM firmware version.

Screenshot of tpm_version BEFORE TPM firmware update on Samsung Chromebook 3

In Chrome OS, go to chrome://system to view the tpm_version details. The device shown lacks the TPM firmware update to improve security.

According to the page posted at Chromium.org, the following Chrome OS TPM versions are vulnerable:

  • 000000000000041f
  • 0000000000000420
  • 0000000000000628
  • 0000000000008520

2. Save settings and files

Review the sync settings for your account. If you sync everything, your apps, bookmarks, extensions, history, passwords, settings, themes, and more will be restored when you re-sync the Chromebook after the update. To adjust the settings, open a new browser window on your Chrome device, then enter chrome://system/syncSetup. Adjust settings as desired. Wait a few minutes after you make changes to give the system time to save data.

GIF animation showing selection of files on Chromebook dragged to Google Drive folder

The TPM firmware update will erase files on the device. If you have files on your Chromebook that you want to keep, copy them to Google Drive.

Make a copy of any files stored on the device that you want to save. All files on the device will be deleted as part of the update process. I find it simplest to drag-and-drop locally stored files from the device (e.g., the "Downloads" folder) to Google Drive. If you have many files, you may want to create a new folder for these items.

3. Create Chrome recovery media

While technically optional, I recommend you create recovery media for your device. Install the Chromebook Recovery Utility app, then run it. The app identifies your device, downloads a recovery image, formats the USB or SD card you've selected, and stores the recovery image for the selected device. Should your update fail for any reason, you can use this USB device or SD card to restore your Chromebook to a working state. Note that you don't need to make a recovery image for every device. Instead, I suggest you create recovery media for each different Chrome OS model. For example, if you have 20 Samsung Chromebook 3 devices, I recommend that one recovery drive or card is sufficient.

Screenshot of Chromebook Recovery Utility in the Chrome Web Store

You have the option to install the Chromebook Recovery Utility, then use it to create a recovery image on an external USB drive or SD card.

4. Update with a Powerwash

Press Shift+Ctrl+Alt+r to initiate a factory reset (also called a Powerwash) on your Chrome device. You may be prompted to restart your Chromebook. When prompted, be sure to check the box to "Update firmware for added security," then select "Powerwash." You may need to confirm that you want to erase the device. Then, wait as the device resets and updates the firmware. You'll see a screen with a "Log in" option after the process completes. At that point, connect to a network and sign in with your Google account.

To verify that the update completed, return to the chrome://system screen, scroll to the tpm_version data, expand it again, and you should see that the number has updated.
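For anyone checking more than a handful of devices, the comparison in step 1 and the before/after check above can be scripted. The following is an added example, not part of the original article or of Chrome OS: it assumes the expanded tpm_version text has been saved from chrome://system and contains a line beginning with firmware_version followed by the hex value; the sample text and the "after" value are constructed placeholders.

```python
import re

# Vulnerable TPM firmware versions, copied from the list in step 1 of this page.
VULNERABLE = {
    "000000000000041f",
    "0000000000000420",
    "0000000000000628",
    "0000000000008520",
}

# Assumption: the version sits on a line that starts with "firmware_version",
# separated from the name by whitespace, ":" or "=", with an optional 0x prefix.
_FW_LINE = re.compile(
    r"^\s*firmware_version[\s:=]+(?:0x)?([0-9a-fA-F]{1,16})\s*$", re.MULTILINE)


def firmware_version(tpm_version_text):
    """Return the firmware version as 16 lowercase hex digits, or None."""
    match = _FW_LINE.search(tpm_version_text)
    if match is None:
        return None
    return match.group(1).lower().zfill(16)


def classify(tpm_version_text):
    """Return 'vulnerable', 'not-listed' or 'unknown' for one device."""
    version = firmware_version(tpm_version_text)
    if version is None:
        return "unknown"  # field missing: check the device by hand
    return "vulnerable" if version in VULNERABLE else "not-listed"


def update_verified(before_text, after_text):
    """True only if the version changed and the new one is not on the list."""
    before = firmware_version(before_text)
    after = firmware_version(after_text)
    if before is None or after is None:
        return False
    return before != after and after not in VULNERABLE


# Constructed sample text, not captured from a real device.
SAMPLE_BEFORE = "some_other_field 00000000\nfirmware_version 0000000000000420\n"
# "00000000000000aa" is a placeholder for whatever the updated device reports.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("0000000000000420", "00000000000000aa")

if __name__ == "__main__":
    print(classify(SAMPLE_BEFORE), classify(SAMPLE_AFTER),
          update_verified(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A result of "not-listed" means only that the version is absent from the four values quoted on this page, so treat "unknown" and unchanged versions as devices that still need attention.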

Screenshot that shows both Chrome OS standard update AND Powerwash for added security options.

Either press Shift+Ctrl+Alt+r or select Settings > About Chrome OS > Powerwash for added security to update your system. Be sure to select the "Update firmware for added security" checkbox during the process.

If people in your organization use Chromebooks, how has your organization decided to handle the TPM update? Have you already updated all devices? Or did you prioritize specific systems to receive the update over others? Let me know in the comments or on Twitter (@awolber).

Photo of Chromebook with TPM firmware update option checked
Photo: Andy Wolber

About Andy Wolber

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.
