When Chromebooks are enrolled with an enterprise or school, they are managed by policies established by the organisation’s administrators. This is handy for admins who want to force-install browser extensions and apps and restrict device use.
Once a Chromebook is enrolled, it is hard to unenroll the device without the involvement of the organisation’s admin.
Security researchers from the Mercury Workshop Team developed a new exploit called ‘Shady Hacking 1nstrument Makes Machine Enrollment Retreat’, or ‘Sh1mmer,’ that lets users unenroll their Chromebooks from enterprise management and install what they like.
The exploit requires a publicly leaked RMA shim, which the Sh1mmer exploit modifies to allow users to manage the device’s enrollment. The researchers say that the following Chromebook boards are known to have publicly released RMA shims.
RMA shims are disk images stored on USB devices that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics.
To use this exploit, you need to download an RMA shim for your Chromebook, use the researchers’ online builder to inject it with the Sh1mmer exploit, and then run the Chrome Recovery utility.
Using the steps detailed on the Sh1mmer site, you can load the modified RMA shim to launch the Sh1mmer menu.
You can unenroll and re-enroll a device as needed from this menu, enable USB boot, allow root-level access to the operating system, open a bash shell, and more.
A member of the k12sysadmin Reddit group tested the exploit and stated that they could use it to unenroll their Chromebook and use it as a brand-new device.
While the tech has its uses, it does get you into hot water with your boss or the school you are studying at. Google is also unhappy with the exploit and says it is working out a way to fix the issue.