back to article Chromebook SH1MMER exploit promises admin jailbreak

Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER. SH1MMER – you may pronounce the "1" as an "i" – is a shim exploit, or more specifically, a weaponized Return Merchandise Authorization (RMA) shim. A shim is Google- …

  1. Yet Another Anonymous coward Silver badge


    This allows you to run free software on a device you purchased, like you own it.

    It's basically terrorism

    1. Lazlo Woodbine

      Re: Shocking

      "on a device you purchased"

      Many, if not most, Chromebooks are used in education, therefore the users do not own them, they belong to the school...

      1. Anonymous Coward
        Anonymous Coward

        Re: Shocking

        That's not how it works.

        Most schools coerce the parents into paying for the Chromebooks, on the basis that it is technically optional, but your child will not be able to participate in class or do their homework without it.

        You have to buy it through their approved dealer at above market price and they insist that it must be fully locked down and managed by the school's IT department. So the parent owns the device, not the school, but the school has complete control of it.

        You get to keep it after 5 years when the OS lifecycle timer expires and it no longer gets updates.


      Re: Shocking

      This comment is confusing me so much

  2. Blazde Silver badge

    IT types who developed their skills by breaking the less sophisticated systems of yore

    Aah the simpler times when the hot new hack was F1 at boot to access the BIOS and enable booting from a floppy(*). How I miss those days of yore.

    (*) So that you could install a keylogger, capture the administrator's password, lock-pick the sever-room door and abuse the password mercilessly. But I digress.

  3. Anonymous Coward
    Anonymous Coward

    The only management my offspring's school has done to Chromebooks is disable the Play Store, which ironically makes it impossible to install Qustodio. Otherwise it's all the internet, all Chrome store apps, all the time so this exploit means nothing in the grand scheme of things.

    This, by the way, is what parents have to contend with these days. Just to pre-empt the "why aren't parents parenting like they did in my day" crowd. Google is working against them to get the next generation hooked and the school is working against them because they saw a bandwagon to jump on but they don't really have a clue when it comes to IT.

    1. Paul Crawford Silver badge
      Big Brother

      Google is working against them to get the next generation hooked

      Don't you mean "Google is doing better than MS these days to get them hooked"

  4. Grunchy Silver badge

    Chromebook never interested me, I don’t care about it. “Internet apps” are ok once in awhile but I’d way rather have the software & data on my HDD. If I want to “share” the software & data with the teacher, email still works.

    But you know what I always wanted was one of those “Personal Internet Communicators” from AMD, with the Geode CPU, or else perhaps the “One Laptop Per Child” units. I heard they were rugged, adequately powerful, and included a hand-crank for power in a pinch. So cool!!

    1. PRR Silver badge

      > “Internet apps” are ok once in awhile but I’d way rather have the software & data on my HDD.

      It's not like that. While Google has an online word-proc it is much too slow on my CB. I went to store and found a simple text editor, which is what I really wanted. It runs on the CB, I tell it to store files on the CB, all is well. Yes, I know the CB cc:s Google with all I do, moreso than Kindle (every touch is logged), but Google will be bored to virtual tears with the text I edit.

  5. Anonymous Coward
    Anonymous Coward

    Good. Now when my kids leave school they will finally be able to make good use of the chromebooks that the school insisted I had to buy for them. Currently they have to use their windows laptops for their homework because their chromebooks are blocked from accessing the websites that the teacher told them to refer to.

    1. Chz

      I'm not familiar with all the ways of locking down a Chromebook (I bought one for the lad on the basis that I didn't have to waste much time managing it), but in our case it was perfectly allowable for him to have a school login with all the limitations thereof and a personal login free of the shackles. Or at least limited to the shackles I had put on it. The logins were completely different environments on the Chromebook. The school eventually bought CBs for each child, but we kept on using our own since it was (naturally) better than the school's spec. So I don't know if their own machines were somehow tied down even further.


    I hate how babified that Chromebooks are, and how such simple devices are being given to kids. They are never going to learn digital literacy skills.

    1. Paul Crawford Silver badge

      School education on PCs has, in recent years, offered no real "digital literacy" at all as the usual (outside of Chromebooks) is just learning to use Office (and not even something free and open that can be examined inside for those curious enough about code.

      Also you have to remember the folks on this forum are as far from the usual chromebook clients as you can get, it is basically a tablet with a keyboard.

      For some folks that is really the best choice, I gave one to a friend who was both simultaneously paranoid about being shafted on a Windows PC, and quite capable of screwing it up. It was almost perfect as they could not easily screw it up, and when broken they could get a new one and sync it to their google account and off they go! Yes, their privacy is raped but no worse than social media, and it almost worked out fine. Until I got a call saying it was broken as they stood on it with the cable's ferrite between the screen and keyboard trashing the display. The best bit? They told me "Oh last two times I did that it didn't break" strewth!

      1. Tams

        Well, you know how the saying goes: can't fixed stupid.

  7. KITT44

    When G attempted to patch this exploit, they also Bricked some Legitimate Devices !

    This is known to have happened with Chrome OS 111 roll-out, but probably other updates too !

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like