According to The Chromium Projects, an attacker who has access to the public key could take advantage of a flaw in the Trusted Platform Module (TPM) firmware on many Chromebook models. The attacker could exploit this flaw to gain access to the private key created by the TPM.

Fortunately a fix for the flaw exists, but it requires that you erase all data from your Chromebook and sign in as a new user. The process doesn’t require more than a few minutes. However the more devices you need to update, the greater the total time required.

Organizations will likely want to prioritize firmware updates on Chromebooks used by people with access to sensitive information. For example, people who work in healthcare or who carry a Chromebook across international borders should update as soon as possible.

Here’s how to check your Chromebook firmware version and how to update your device without losing any data.

1. Check Chrome OS firmware version

Open a new browser window on your Chrome device and enter chrome://system, then press enter. Wait a bit for the page to fill with the details of your system. Scroll down the page toward the end until you see tpm_version along the left. Select “Expand…” to see your device’s TPM firmware version.

According to the page posted at Chromium.org, the following Chrome OS TPM versions are vulnerable:

  • 000000000000041f
  • 0000000000000420
  • 0000000000000628
  • 0000000000008520

2. Save settings and files

Review the sync settings for your account. If you sync everything, your apps, bookmarks, extensions, history, passwords, settings, themes, and more will be restored when you re-sync the Chromebook after the update. To adjust the settings, open a new browser window on your Chrome device, then enter chrome://system/syncSetup. Adjust settings as desired. Wait a few minutes after you make changes to give the system time to save data.

Make a copy of any files stored on the device that you want to save. All files on the device will be deleted as part of the update process. I find it simplest to drag-and-drop locally stored files from the device (e.g., the “Downloads” folder) to Google Drive. If you have many files, you may want to create a new folder for these items.

3. Create Chrome recovery media

While technically optional, I recommend you create recovery media for your device. Install the Chromebook Recovery Utility app, then run it. The app identifies your device, downloads a recovery image, formats the USB or SD card you’ve selected, and stores the recovery image for the selected device. Should your update fail for any reason, you can use this USB device or SD card to restore your Chromebook to a working state. Note that you don’t need to make a recovery image for every device. Instead, I suggest you create recovery media for each different Chrome OS model. For example, if you have 20 Samsung Chromebook 3 devices, I recommend that one recovery drive or card is sufficient.

4. Update with a Powerwash

Press Shift+Ctrl+Alt+r to initiate a factory reset (also called a Powerwash) on your Chrome device. You may be prompted to restart your Chromebook. When prompted, be sure to check the box to “Update firmware for added security,” then select “Powerwash.” You may need to confirm that you want to erase the device. Then, wait as the device resets and updates the firmware. You’ll see a screen with a “Log in” option after the process completes. At that point, connect to a network and sign in with your Google account.

To verify that the update completed, return to the chrome://system screen, scroll to the tpm_version data, expand it again, and you should see that the number has updated.

If people in your organization use Chromebooks, how has your organization decided to handle the TPM update? Have you already updated all devices? Or did you prioritize specific systems to receive the update over others? Let me know in the comments or on Twitter (@awolber).