A new exploit developed by security researchers from the Mercury Workshop Team allows users to unenroll an enterprise-managed Chromebook device. When one of these devices is enrolled with an enterprise, it is managed by policies established by the enterprise’s administrators, which allow the administrators to apply updates and restrict how the device is used. Typically, it is nearly impossible to unenroll the device without administrator assistance. However, this new exploit, named “Shady Hacking 1nstrument Makes Machine Enrollment Retreat” (Sh1mmer), allows a user to bypass the need for administrator assistance.
The exploit makes use of publicly leaked RMA shims – disk images stored on USB drives that contain a combination of the ChromeOS factory bundle components and manufacturer tools used to perform repair and diagnostics. To use the exploit, a user must download the RMA shim that corresponds to their Chromebook board, use the researchers’ online builder to inject it with the Sh1mmer exploit, and then run the Chrome recovery utility.
On top of allowing a user to unenroll their device, this exploit also comes equipped with the following features:
- Device re-enrollment
- USB boot enablement
- Google binary block flag wiping
- rootFS verification disablement
- block_devmode disablement
- Bash terminal
Google has stated that they are aware of the exploit and are working to address it.