Chromebook: Only as Secure as the App You Install

Jun 19, 2019

By: Shaul Vilkomir-Preisman

Ever since their introduction in 2011, Chromebooks, running Chrome OS – an operating system developed by Google, based on the open source Chromium OS project, have been lauded for their high functionality and competitive pricing. They have steadily gained market share, particularly as a replacement for much higher priced tablets, even more so since the advent of the ability to natively run Android applications on Chromebooks, a feature introduced initially in 2017.

Initially, Chrome OS was a limited operating system that allowed only the execution of Chrome browser. It had no substantial disk space as it was intended to save and operate all the content in Google’s cloud; such as Google Docs, Google Drive, etc. Therefore, the only option to install additional capabilities into the device, besides the Chrome browser’s capabilities, was with Chrome Browser Extensions.

As development progressed, Google introduced more capabilities, and finally introduced Chrome OS Android application support. Despite the obvious benefits, operating as an Android OS also brought complications. All the various attack surfaces and vectors that are prone to Android OS were now susceptible with Chrome OS, including malicious Android applications, and possible exploits stemming from vulnerabilities that effect both Operating Systems.

Google has gone to great lengths to ensure the security of Chrome OS with features like Verified Boot, which ensures the integrity of operating system components as they load. Recovery Mode, which enables the user to quickly reset the device to a known good configuration, and Process Isolation (Sandboxing) which encapsulates and separates applications and processes from one another, making sure each one runs within its own context, permissions and privileges.

However, the added functionality of natively running Android apps (APKs) on Chrome OS can also pose a security threat, by exposing Chromebooks to many of the same threats as Android mobiles has exponentially expanded the attack surface available to attackers. Malware presenting itself as malicious applications is one of the main and largely successful attack vectors being used by attackers.

While there are various stores that applications can be installed from, of which some are malicious, the official Google Play Store is generally highly regarded and trusted.  And for good reason too, as Google has introduced various security engines, including Google Play Protect. However, even with these security mechanisms in place, this still doesn’t provide enough protection.

The Play Store Problem

Who doesn’t like a good game every now and then? Why not play a round of Hoverboard racing while you wait for your meeting?

Need a Universal remote-control application? No problem, Google Play Store has one for you.

How about transferring some Crypto-Currency?

The above are just a few examples, out of many, of malware infiltrating Google’s Play Store, one of the best distribution mechanisms a hacker can wish for.

To this form of malware, the hardened features of Chrome OS (some of which are shared with Android, like process encapsulation) are simply irrelevant. Malware does not necessarily need to escape any sandbox if all malicious functionality is entirely contained within the app’s context and the user’s interaction with the app.

Examples such as the above are rife and show no sign of becoming any less common, despite Google’s best efforts and despite what may be published about it. No system is 100% secure, no system is un-hackable, and to assume so of any system, means leaving the door open to any unwelcomed visitors.

The short of it is that as a rule of thumb, Android malware can and should be considered Chromebook malware. Restricting yourself to installing apps only from Google’s Play store, when Google’s Play Protect has repeatedly proven to be evaded, is at best a smart precaution, definitely not a solution. Moreover, vulnerabilities which effect both Android and Chrome OS, and might be used as additional attack vectors have already been discovered. We believe more will likely be discovered in the future.

 

Preventing the Threat

There is every reason to believe that adoption and market share of Chrome OS will continue to grow, becoming more popular among businesses in different sectors such as Education and Hospitality, to name just two.

As market share of Chrome OS will increase, so will its attractiveness and position on the threat actors’ radar. While currently Android applications are the main potential vector for attack, others may appear in the future.

In light of this, and with the help of a strong tail wind in the form of market demand from our customer base, Deep Instinct is proud to announce its Chrome OS D-Client – the latest addition to our product line which includes solutions for Windows, MacOS, Android and iOS devices. The Chromebook D-Client, based on Deep Instinct’s unique Deep Learning solution, protects Chromebooks from Android malware, Network-based threats like ARP Poisoning and Man-In-The-Middle attacks, and provides additional hardening and device management features.

 

Learn more about Deep Instinct’s Chrome OS by reading the datasheet.